When you configure VMware Cloud Director to function as an OIDC identity provider proxy, VMware Cloud Director generates a pair of OIDC keys with which it signs the JWT tokens that it issues.

When configured as an identity provider proxy server, VMware Cloud Director automatically generates a single built-in 2048-bit RSA signing key, which the system administrator can choose to use or to discard. Any new keys must comply with the minimum key size and the other VMware Cloud Director cryptographic requirements.
Tip: To view the VMware Cloud Director key requirements, navigate to Administration Settings > Settings > SSL.

The relying parties that are using VMware Cloud Director as an OIDC proxy server can retrieve the provider configuration values, including the list of available public keys from the JWKS endpoint listed at {{hostname}}/oidc/.well-known/openid-configuration.

Prerequisites

Verify that your role includes the OIDC Server: Manage Settings right.

Add an OIDC Proxy Key Set Using Your VMware Cloud Director

You can manually add an OIDC proxy key set to VMware Cloud Director.

Procedure

  1. In the top navigation bar, click Administration.
  2. In the left panel, under Settings, click OIDC Proxy.
  3. Click Keys.
  4. To manually upload a new OIDC proxy key set, click New.
  5. Enter a description for the OIDC proxy key.
    You can edit the key description later, if necessary.
  6. Under Public Key, click Browse Files, navigate to the public key PEM file and upload it.
  7. Under Private Key, click Browse Files, navigate to the private key PEM file and upload it.
  8. Enter the private key passphrase.
  9. Click Save.

Set a New OIDC Proxy Key Set As Active Using Your VMware Cloud Director

You can use the VMware Cloud Director UI to select a new active OIDC proxy key.

Prerequisites

  • Verify that your role includes the OIDC Server: Manage Settings right.
  • Verify that you uploaded the key set that you want to make active.

Procedure

  1. In the top navigation bar, click Administration.
  2. In the left panel, under Settings, click OIDC Proxy.
  3. Click Keys
    A list of the available key sets displays with the currently used key labeled as Active.
  4. Select the new key set and click Make Active.

Delete an OIDC Proxy Key Set From Your VMware Cloud Director

If an OIDC key set is no longer in use, you can delete it.

Prerequisites

  • Verify that your role includes the OIDC Server: Manage Settings right.

Procedure

  1. In the top navigation bar, click Administration.
  2. In the left panel, under Settings, click OIDC Proxy.
  3. Click Keys
    A list of the available key sets displays with the currently used key labeled as Active.
  4. Select the key set that you want to remove, and click Delete.