The logical design provides a high-level overview of the Identity and Access Management for VMware Cloud Foundation solution design.
By default, the vCenter Single Sign-On built-in identity provider uses an embedded vsphere.local domain and supports local accounts. The vCenter Server instances in a VMware Cloud Foundation environment are joined to the built-in identity provider and are required to participate in an enhanced linked-mode configuration. Additional VMware Cloud Foundation instances may be joined to the same vCenter Single Sign-On identity provider during bring-up or brought online with a dedicated identity provider.
vSphere configuration limits apply to linked vCenter Server instances:
- The number of linked vCenter Servers
- The number of hosts in linked vCenter Servers
- The number of powered-on virtual machines in linked vCenter Servers
- The number of registered virtual machines in linked vCenter Servers
The vCenter Single Sign-On built-in identity provider can be configured to use Microsoft Active Directory as its identity source using LDAP over SSL (LDAPS). The configuration is applicable to all vCenter Server instances configured in enhanced linked mode. Active Directory security groups and/or users can be assigned to default or custom roles in vSphere with the scope of provisioned and managed permissions.
This solution does not require ESXi hosts in a VMware Cloud Foundation system to join Active Directory. SDDC Manager manages the commissioning, configuration, and life cycle of the ESXi hosts.
If supplemental storage uses NFS version 4.1 with Kerberos authentication, you must join each ESXi host to an Active Directory domain. To avoid relying on the default security group, configure the esxAdminsGroup setting on each ESXi host to reference a custom Active Directory security group.
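As an added example (not part of the VMware design document), the following PowerCLI script audits each ESXi host for the two conditions described above: domain membership and whether the esxAdminsGroup setting still points at the ESXi default group; the vCenter FQDN, domain name and custom group name are assumed placeholders.

```powershell
# Added example, not from the design document. Audits and remediates the
# ESXi esxAdminsGroup setting on every host managed by a vCenter Server.
$vcenter      = "vcenter01.example.local"   # assumption: vCenter Server to connect to
$customGroup  = "vcf-esxi-admins"           # assumption: custom AD security group
$adDomain     = "example.local"             # assumption: AD domain hosts must be joined to
$settingName  = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
$defaultGroup = "ESX Admins"                # ESXi default value for this setting

Connect-VIServer -Server $vcenter | Out-Null

$findings = foreach ($vmhost in Get-VMHost) {
    $auth    = Get-VMHostAuthentication -VMHost $vmhost
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName

    [pscustomobject]@{
        Host        = $vmhost.Name
        Domain      = $auth.Domain
        Membership  = $auth.DomainMembershipStatus
        AdminsGroup = $setting.Value
        UsesDefault = ($setting.Value -eq $defaultGroup)
    }
}

# Report hosts that still grant ESXi administrator rights to the default group,
# or that are not joined to the expected domain (required for NFS 4.1 with Kerberos).
$findings |
    Where-Object { $_.UsesDefault -or $_.Domain -ne $adDomain } |
    Format-Table -AutoSize

# Remediate: point the setting at the custom AD group on each host still using the default.
foreach ($f in ($findings | Where-Object UsesDefault)) {
    Get-AdvancedSetting -Entity (Get-VMHost -Name $f.Host) -Name $settingName |
        Set-AdvancedSetting -Value $customGroup -Confirm:$false | Out-Null
}

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Joining a host to the domain itself requires credentials and is left to the SDDC Manager or host-commissioning workflow; the script only reports hosts whose membership does not match the expected domain.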
NSX-T Data Center
To provide identity management services to NSX-T Data Center, NSX Manager instances in a VMware Cloud Foundation system are integrated with Workspace ONE Access. Active Directory security groups and/or users can be assigned to default or custom roles in NSX-T Data Center.
SDDC Manager inherits the identity provider configuration from all vCenter Server instances in enhanced linked mode. Active Directory security groups and/or users can be assigned to default roles in SDDC Manager.
Standalone Workspace ONE Access Instance
To provide identity and access management services to NSX Manager instances in a VMware Cloud Foundation system, this solution uses a standalone Workspace ONE Access instance deployed in a virtual network segment in each region.
Workspace ONE Access provides:
- Directory integration to authenticate users against an Identity Provider (IdP), such as Microsoft Active Directory over LDAP, Microsoft Active Directory Federation Services, or OpenLDAP.
- Access policies to specify criteria that users must meet to authenticate.
Workspace ONE Access does not replace an organization's directory services. Workspace ONE Access integrates with a directory service as an identity provider to enable identity and access management services for integrated solution components.
In this validated solution, the standalone Workspace ONE Access instance is connected to an identity provider for an authentication source and provides identity and access management services to the NSX Manager instances in the VMware Cloud Foundation system.
Multiple Availability Zones