About Identity and Access Management for VMware Cloud Foundation

The Identity and Access Management for VMware Cloud Foundation validated solution provides detailed design, implementation, configuration, and operation guidance on the use of Active Directory as an identity provider and authentication source, and on the use of role-based access control (RBAC) in VMware Cloud Foundation™ SDDC Manager™, VMware vCenter Server^®, VMware ESXi™, and VMware NSX™ . This document also provides guidance on password management, password policies, and account lockout policies where applicable for the components of the solution.

A VMware by Broadcom validated solution is a well-architected and validated implementation, built and tested by VMware to help customers deliver common business use cases. VMware validated solutions are operational, cost-effective, reliable, and secure. Each solution contains a detailed design, implementation, and operational guidance.

Automation for This Design in VMware Cloud Foundation

VMware Cloud Foundation™ SDDC Manager^® automates the implementation tasks for some design decisions. For the rest of the design decisions, as noted in the design implications, you must perform the implementation steps manually.

To provide a fast and efficient path to automating the Identity and Access Management for VMware Cloud Foundation implementation, this document provides Microsoft PowerShell cmdlets using an open-source module as code-based alternatives to completing certain procedures in each SDDC component's user interface.

For additional information, see PowerShell Module for VMware Validated Solutions.

Intended Audience

The Identity and Access Management for VMware Cloud Foundation documentation is intended for cloud architects and administrators who are familiar with and want to use VMware software and a role-based access control solution using a central identity provider for VMware Cloud Foundation.

Support Matrix

The Identity and Access Management for VMware Cloud Foundation validated solution is compatible with certain versions of the VMware products that are used for implementing the solution. Some of the solution-added products are in End of General Support (EOGS) lifecycle phase.

For more information on product version interoperability and lifecycle phase, see VMware Product Interoperability Matrix.

Table 1. Software Components in Identity and Access Management for VMware Cloud Foundation
VMware Cloud Foundation Version	Product Group	Component Versions
5.2.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 5.2.1 Release Notes.
5.2.1	Solution-added products	None
5.2.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 5.2.0 Release Notes.
5.2.0	Solution-added products	None
5.1.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 5.1.1 Release Notes.
5.1.1	Solution-added products	None
5.1.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 5.1.0 Release Notes.
5.1.0	Solution-added products	None

Table 2. End of General Support Software Components in Identity and Access Management for VMware Cloud Foundation
VMware Cloud Foundation Version	Product Group	Component Versions
5.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 5.0 Release Notes. VMware Aria Suite Lifecycle 8.10.0 (EOGS)
5.0	Solution-added products	None
4.5.2	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.5.2 Release Notes. VMware Aria Suite Lifecycle 8.10.0 (EOGS)
4.5.2	Solution-added products	None
4.5.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.5.1 Release Notes. vRealize Suite Lifecycle Manager 8.8.2 (EOGS)
4.5.1	Solution-added products	None
4.5.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.5.0 Release Notes. vRealize Suite Lifecycle Manager 8.8.2 (EOGS)
4.5.0	Solution-added products	Workspace ONE Access 3.3.7
4.4.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.4.1 Release Notes. vRealize Suite Lifecycle Manager 8.6.2 (EOGS)
4.4.1	Solution-added products	Workspace ONE Access 3.3.7
4.4.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.4.0 Release Notes. vRealize Suite Lifecycle Manager 8.6.2 (EOGS)
4.4.0	Solution-added products	Workspace ONE Access 3.3.7
4.3.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.3.1 Release Notes.
4.3.1	Solution-added products	Workspace ONE Access 3.3.5 (EOGS)
4.3.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.3.0 Release Notes.
4.3.0	Solution-added products	Workspace ONE Access 3.3.5 (EOGS)
4.2.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.2.1 Release Notes.
4.2.1	Solution-added products	Workspace ONE Access 3.3.4 (EOGS)
4.2.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.2.0 Release Notes.
4.2.0	Solution-added products	Workspace ONE Access 3.3.4 (EOGS)

Note:

The software component versions in this table are in End of General Support (EOGS) phase and are no longer generally supported by VMware. At the time of initial release and during the General Support phase, the software component versions in this solution are actively implemented, tested, and validated by VMware and VMware partners. See VMware Lifecycle Policies.

Before You Apply This Guidance

To design and implement the Identity and Access Management for VMware Cloud Foundation validated solution, your environment must have a certain configuration.

Table 3. Supported VMware Cloud Foundation Deployment
Workload Domain	Deployment Details
Management domain	Automated deployment using VMware Cloud Builder™ See the following VMware Cloud Foundation Documentation: For information on designing the management domain, see VMware Cloud Foundation Design Guide. For information on deploying the management domain, see Getting Started with VMware Cloud Foundation and VMware Cloud Foundation Deployment Guide. For information on operating the management domain, see VMware Cloud Foundation Administration Guide and VMware Cloud Foundation Operations Guide.
(Optional) One or more virtual infrastructure workload domains	Automated deployment using SDDC Manager. See the following VMware Cloud Foundation Documentation: For information on designing a VI workload domain, see VMware Cloud Foundation Design Guide. For information on deploying the VI workload domains, see Getting Started with VMware Cloud Foundation and VMware Cloud Foundation Administration Guide. For information on operating the VI Workload domain, see VMware Cloud Foundation Operations Guide.

Overview of Identity and Access Management for VMware Cloud Foundation

By applying the Identity and Access Management for VMware Cloud Foundation validated solution, you implement centralized RBAC for the management components of VMware Cloud Foundation, and configure password policies according to security best practices.

Table 4. Implementation Overview of Identity and Access Management for VMware Cloud Foundation
Stage	Steps
1. Plan and prepare the VMware Cloud Foundation environment	Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook.
2. Activate role-based access control on vCenter Server and SDDC Manager	Connect the management domain vCenter Server to Active Directory. Grant the required roles and permissions to Active Directory security groups and service accounts. Configure password rotation and lockout policy for the local and service accounts where applicable.
3. Activate role-based access control on NSX	Connect each workload domain NSX Manager to Active Directory. Grant the required roles and permissions to Active Directory security groups and service accounts. Configure password rotation and lockout policy for local and service accounts where applicable. Reconfigure the integration between NSX and vSphere to limit privileges and scope of access of the NSX service accounts in the vCenter Server Single Sign-On.

Frequently Asked Questions

For additional questions, see VMware Validated Solutions Frequently Asked Questions.

Update History

The Identity and Access Management for VMware Cloud Foundation validated solution is updated when necessary.


Revision	Description
09 OCT 2024	This validated solution now supports VMware Cloud Foundation 5.2.1. The PowerValidatedSolutions PowerShell module is now version 2.12.0. The VMware.PowerCLI PowerShell module is now version 13.3.0. The ImportExcel PowerShell module is now version 7.8.9.
23 JUL 2024	This validated solution now supports VMware Cloud Foundation 5.2.0. This validated solution now uses the PowerValidatedSolutions PowerShell module to obtain the Microsoft CA root certificate. See Obtain the Active Directory Root Certificate for Identity and Access Management for VMware Cloud Foundation The PowerValidatedSolutions PowerShell module is now version 2.11.0.
28 MAY 2024	This validated solution now provides a single procedure for PowerShell automation. See Automated PowerShell Implementation of Identity and Access Management The PowerValidatedSolutions PowerShell module is now version 2.10.0.
26 MAR 2024	This validated solution now supports VMware Cloud Foundation 5.1.1. The PowerValidatedSolutions PowerShell module is now version 2.9.0. The VMware.PowerCLI PowerShell module is now version 13.2.1.
30 JAN 2024	This validated solution now updates the design, the implementation, and the operational guidance for the use of Active Directory over LDAP instead of Workspace ONE Access for the authentication provider in NSX. See the following: Note: If you previously deployed this validated solution using Workspace ONE Access for authentication, to reconfigure the authentication provider, see Authentication Transition for Identity and Access Management for VMware Cloud Foundation. Information Security and Access of Identity and Access Management for VMware Cloud Foundation Configure NSX Manager for Identity and Access Management for VMware Cloud Foundation Operational Verification of NSX for Identity and Access Management for VMware Cloud Foundation The PowerValidatedSolutions PowerShell module is now version 2.8.0.
07 NOV 2023	This validated solution now supports VMware Cloud Foundation 5.1.0, providing support for password rotation for the NSX Manager audit account. See Information Security and Access for NSX for Identity and Access Management for VMware Cloud Foundation This validated solution now provides guidance on using the VMware.CloudFoundation.PasswordManagement PowerShell module for performing password management. See the following updated sections: Password Management for Identity and Access Management for VMware Cloud Foundation Password Policy Configuration with PowerShell for Identity and Access Management for VMware Cloud Foundation The PowerValidatedSolutions PowerShell module is now version 2.7.0. The PowerVCF PowerShell module is now version 2.4.0. The following solution-added product names are changing: VMware vRealize Log Insight is now VMware Aria Operations for Logs VMware vRealize Operations is now VMware Aria Operations For more information on the VMware Aria rebranding, see Multi-Cloud Management and VMware Aria.
29 AUG 2023	This validated solution now includes Appendix: Default Password Policy Settings for Identity and Access Management for VMware Cloud Foundation for quick reference. This validated solution now supports VMware Cloud Foundation 4.5.2. The VMware.PowerCLI PowerShell module is now version 13.1.0. The ImportExcel PowerShell module is now version 7.8.5. The PowerValidatedSolutions PowerShell module is now version 2.6.0.
25 JUL 2023	The PowerValidatedSolutions PowerShell module is now version 2.5.0.
27 JUN 2023	This validated solution now supports VMware Cloud Foundation 5.0. The PowerValidatedSolutions PowerShell module is now version 2.4.0.
30 MAY 2023	This validated solution now supports VMware Cloud Foundation 4.5.1 and Workspace ONE Access 3.3.7. The PowerValidatedSolutions PowerShell module is now version 2.3.0.
25 APR 2023	This validated solution now updates the password policy configuration guidance, providing a new VMware.CloudFoundation.PasswordManagement PowerShell module. See Password Management for Identity and Access Management for VMware Cloud Foundation The VMware.PowerCLI PowerShell module is now version 13.0.0. The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.9. The ImportExcel PowerShell module is now version 7.8.4. The PowerVCF PowerShell module is now version 2.3.0 The PowerValidatedSolutions PowerShell module is now version 2.2.0.
28 MAR 2023	The PowerValidatedSolutions PowerShell module is now version 2.1.0.
28 FEB 2023	The PowerValidatedSolutions PowerShell module is now version 2.0.1.
31 JAN 2023	This validated solution now updates the password policy management design. See Information Security and Access of Identity and Access Management for VMware Cloud Foundation. This validated solution now provides guidance on password policy management by product for the following procedures. Configuring Password Expiration for Identity and Access Management for VMware Cloud Foundation Configuring Password Complexity Policies for Identity and Access Management for VMware Cloud Foundation Configuring Account Lockout Policies for Identity and Access Management for VMware Cloud Foundation Password Rotation and Remediation for Identity and Access Management for VMware Cloud Foundation The PowerValidatedSolutions PowerShell module is now version 2.0.0, adding support for the following procedure. Password Policy Configuration with PowerShell for Identity and Access Management for VMware Cloud Foundation
29 NOV 2022	The VMware.PowerCLI PowerShell module is now version 12.7.0. The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.8. The PowerValidatedSolutions PowerShell module is now version 1.10.0.
25 OCT 2022	This validated solution now supports VMware Cloud Foundation 4.5.0. The PowerValidatedSolutions PowerShell module is now version 1.9.0.
27 SEPT 2022	This validated solution now provides guidance on automated password policy management for specific SDDC components. See Password Policy Configuration with PowerShell for Identity and Access Management for VMware Cloud Foundation. The PowerValidatedSolutions PowerShell module is now version 1.8.0.
31 MAY 2022	This validated solution now supports VMware Cloud Foundation 4.4.1. The PowerVCF PowerShell module is now version 2.2.0. The PowerValidatedSolutions PowerShell module is now version 1.7.0.
28 APR 2022	The PowerValidatedSolutions PowerShell module is now version 1.6.0.
29 MAR 2022	The PowerValidatedSolutions PowerShell module is now version 1.5.0. Removing the procedure Configure the vRealize Log Insight Agent on the Standalone Workspace ONE Access Appliance.
22 FEB 2022	This validated solution now supports VMware Cloud Foundation 4.4.0. This validated solution now requires installation of the ImportExcel PowerShell module. The PowerValidatedSolutions PowerShell module is now version 1.4.0. The VMware.PowerCLI PowerShell module is now version 12.4.1.
25 JAN 2022	The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.7. The PowerValidatedSolutions PowerShell module is now version 1.3.0, adding support for the following implementation procedures. Assign NSX Manager Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation
30 NOV 2021	The PowerValidatedSolutions PowerShell module is now version 1.2.0. The PowerVCF PowerShell module is now version 2.1.7.
26 OCT 2021	The PowerValidatedSolutions PowerShell module is now version 1.1.0, adding support for the Reconfigure the vSphere Role and Permissions Scope for NSX Service Accounts for Identity and Access Management for VMware Cloud Foundation mplementation procedure.
05 OCT 2021	Added support: VMware Cloud Foundation 4.3.1 is now supported. VxRail is now supported.
24 AUG 2021	Initial release.