The logical design provides a high-level overview of the Identity and Access Management for VMware Cloud Foundation solution design.

vCenter Server

By default, the vCenter Single Sign-On built-in identity provider uses an embedded vsphere.local domain and supports local accounts. The vCenter Server instances in a VMware Cloud Foundation environment are joined to the built-in identity provider and are required to participate in an enhanced linked-mode configuration. Additional VMware Cloud Foundation instances may be joined to the same vCenter Single Sign-On identity provider during bring-up or brought online with a dedicated identity provider.

vSphere configuration limits apply to linked vCenter Server instances:

  • The number of linked vCenter Servers
  • The number of hosts in linked vCenter Servers
  • The number of powered-on virtual machines in linked vCenter Servers
  • The number of registered virtual machines in linked vCenter Servers

See VMware Configuration Maximums.

The vCenter Single Sign-On built-in identity provider can be configured to use Microsoft Active Directory as its identity source over LDAP over SSL (LDAPS). This configuration applies to all vCenter Server instances in the enhanced linked-mode group. Active Directory security groups and/or users can be assigned to default or custom vSphere roles, with each permission scoped to the inventory object on which it is provisioned and managed.
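The design above relies on Active Directory groups, rather than local vsphere.local accounts, holding vSphere roles. The following PowerCLI script is an added example, not part of the VMware validated solution, that inventories the permissions actually assigned on a vCenter Server instance and classifies each principal by where it comes from. It assumes a PowerCLI session already opened with Connect-VIServer; the NetBIOS name RAINPOLE is a placeholder for the Active Directory identity source.

```powershell
# Added example (not from the VMware validated solution): report vCenter permissions
# and flag principals that are not directory security groups.
# Assumes a PowerCLI session opened with Connect-VIServer.
param(
    [string]$DirectoryDomain = 'RAINPOLE',       # placeholder NetBIOS name of the AD identity source
    [string]$LocalSsoDomain  = 'VSPHERE.LOCAL'   # built-in vCenter Single Sign-On domain
)

# Local principals that are expected to keep their permissions. The built-in
# Administrators group is the break-glass path; vCenter solution users appear as
# local principals too and must be reviewed rather than removed.
$expectedLocal       = @("$LocalSsoDomain\Administrators")
$solutionUserPattern = '^' + [regex]::Escape($LocalSsoDomain) + '\\(vpxd|vpxd-extension|vsphere-webclient)-'

Get-VIPermission | ForEach-Object {
    $domain = ($_.Principal -split '\\')[0]

    $finding = if ($domain -ieq $LocalSsoDomain) {
        if ($expectedLocal -contains $_.Principal)       { 'ExpectedLocalPrincipal' }
        elseif ($_.Principal -match $solutionUserPattern) { 'SolutionUser' }
        else                                              { 'LocalSsoPrincipal' }     # local account bound to a role
    }
    elseif ($domain -ieq $DirectoryDomain) {
        if ($_.IsGroup) { 'DirectoryGroup' }              # the pattern the design intends
        else            { 'DirectoryUserAssigned' }       # individual user bound to a role; review
    }
    else { 'UnknownDomain' }                              # principal from a domain not in the design

    [pscustomobject]@{
        Entity    = $_.Entity.Name
        Principal = $_.Principal
        Role      = $_.Role
        Propagate = $_.Propagate
        Finding   = $finding
    }
} | Sort-Object Finding, Entity | Format-Table -AutoSize
```

Run it against each vCenter Server instance in the linked-mode group; because permissions are stored per instance, a principal that appears as LocalSsoPrincipal or UnknownDomain on one instance but not another points at configuration drift in the identity design.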

ESXi

This solution does not require ESXi hosts in a VMware Cloud Foundation system to join Active Directory. SDDC Manager manages the commissioning, configuration, and life cycle of the ESXi hosts.

If supplemental storage uses NFS version 4.1 with Kerberos authentication, you must join each ESXi host to an Active Directory domain. To avoid relying on the default security group, configure the esxAdminsGroup setting on each ESXi host to use a custom Active Directory security group.
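The group that an Active Directory-joined ESXi host grants administrative rights to is controlled by the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup, whose default value is ESX Admins. The PowerCLI script below is an added example, not part of the VMware validated solution; it reports, for every host, whether the host is joined to the expected domain and whether that setting points at the custom group, and optionally corrects the setting. It assumes a PowerCLI session opened with Connect-VIServer; the domain rainpole.io and the group ug-esxi-admins are placeholder names.

```powershell
# Added example (not from the VMware validated solution): audit ESXi hosts for
# Active Directory membership and the esxAdminsGroup advanced setting.
# Assumes a PowerCLI session opened with Connect-VIServer.
param(
    [string]$ExpectedDomain     = 'rainpole.io',      # placeholder AD domain
    [string]$ExpectedAdminGroup = 'ug-esxi-admins',   # placeholder custom AD security group
    [switch]$Remediate                                # set the custom group where it is not in place
)

$settingName  = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$defaultGroup = 'ESX Admins'   # value shipped with ESXi

foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $auth    = Get-VMHostAuthentication -VMHost $vmhost
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName

    # DomainMembershipStatus is 'Ok' only when the trust with the domain is healthy.
    $joined        = ($auth.DomainMembershipStatus -eq 'Ok') -and ($auth.Domain -ieq $ExpectedDomain)
    $usesDefault   = $setting.Value -ieq $defaultGroup
    $matchesPolicy = $setting.Value -ieq $ExpectedAdminGroup

    [pscustomobject]@{
        Host             = $vmhost.Name
        Domain           = $auth.Domain
        MembershipStatus = $auth.DomainMembershipStatus
        JoinedAsExpected = $joined
        EsxAdminsGroup   = $setting.Value
        UsesDefaultGroup = $usesDefault
        Compliant        = $joined -and $matchesPolicy
    }

    if ($Remediate -and -not $matchesPolicy) {
        # Point the host at the custom AD group instead of the default.
        Set-AdvancedSetting -AdvancedSetting $setting -Value $ExpectedAdminGroup -Confirm:$false | Out-Null
    }
}
```

The check is worth running even on hosts that are not joined to a domain: a host that later joins Active Directory will honour whatever group name is already in the setting, so setting the custom group ahead of the join keeps the default group from ever being authoritative.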

NSX-T Data Center

To provide identity management services to NSX-T Data Center, NSX Manager instances in a VMware Cloud Foundation system are integrated with Workspace ONE Access. Active Directory security groups and/or users can be assigned to default or custom roles in NSX-T Data Center.

SDDC Manager

SDDC Manager inherits the identity provider configuration from all vCenter Server instances in enhanced linked-mode. Active Directory security groups and/or users can be assigned to default roles in SDDC Manager.

Standalone Workspace ONE Access Instance

To provide identity and access management services to NSX Manager instances in a VMware Cloud Foundation system, this solution uses a standalone Workspace ONE Access instance deployed in a virtual network segment in each region.

Workspace ONE Access provides:

  • Directory integration to authenticate users against an Identity Provider (IdP), such as Microsoft Active Directory over LDAP, Microsoft Active Directory Federation Services, or OpenLDAP.
  • Access policies to specify criteria that users must meet to authenticate.

Workspace ONE Access does not replace an organization's directory services. Workspace ONE Access integrates with a directory service as an identity provider to enable identity and access management services for integrated solution components.

In this validated solution, the standalone Workspace ONE Access instance is connected to an identity provider for an authentication source and provides identity and access management services to the NSX Manager instances in the VMware Cloud Foundation system.

Figure 1. Logical Design of Identity and Access Management for VMware Cloud Foundation
Table 1. Standalone Workspace ONE Access Logical Components

Single Region

  • A single Workspace ONE Access appliance deployed on a virtual network segment in the management domain.
  • In the event of an ESXi host failure in the management domain, vSphere High Availability protects the Workspace ONE Access appliance by restarting it.

Multiple Availability Zones

  • A single Workspace ONE Access appliance deployed on a virtual network segment in the management domain.
  • In the event of an ESXi host failure in the management domain, vSphere High Availability protects the Workspace ONE Access appliance by restarting it.
  • A DRS VM/Host rule ensures that the standalone Workspace ONE Access instance runs within the management domain ESXi host group for Availability Zone 1.

Multiple Regions

  • In each region, a Workspace ONE Access instance is deployed on a virtual network segment in the management domain.
  • In the event of an ESXi host failure in the management domain, vSphere High Availability protects the Workspace ONE Access appliance by restarting it.

Workspace ONE Access enables you to configure role-based access control (RBAC) using the users and groups synchronized from your organization's directory services. NSX Manager instances deployed within a VMware Cloud Foundation instance are integrated with the standalone Workspace ONE Access instance.