The Identity and Access Management for VMware Cloud Foundation validated solution provides detailed design, implementation, configuration, and operation guidance on the use of Active Directory as an identity provider and authentication source, and on the use of role-based access control (RBAC) in VMware Cloud Foundation™ SDDC Manager™, VMware vCenter Server®, VMware ESXi™, and VMware NSX™. This document also provides guidance on password management, password policies, and account lockout policies where applicable for the components of the solution.

A VMware by Broadcom validated solution is a well-architected and validated implementation, built and tested by VMware to help customers deliver common business use cases. VMware validated solutions are operational, cost-effective, reliable, and secure. Each solution contains a detailed design, implementation, and operational guidance.

Automation for This Design in VMware Cloud Foundation

VMware Cloud Foundation™ SDDC Manager® automates the implementation tasks for some design decisions. For the rest of the design decisions, as noted in the design implications, you must perform the implementation steps manually.

To provide a fast and efficient path to automating the Identity and Access Management for VMware Cloud Foundation implementation, this document provides Microsoft PowerShell cmdlets using an open-source module as code-based alternatives to completing certain procedures in each SDDC component's user interface. You can directly reuse the PowerShell commands by replacing the provided sample values with values from your VMware Cloud Foundation Planning and Preparation Workbook.

For additional information, see PowerShell Module for VMware Validated Solutions.

Intended Audience

The Identity and Access Management for VMware Cloud Foundation documentation is intended for cloud architects and administrators who are familiar with and want to use VMware software and a role-based access control solution using a central identity provider for VMware Cloud Foundation.

Support Matrix

The Identity and Access Management for VMware Cloud Foundation validated solution is compatible with certain versions of the VMware products that are used for implementing the solution. Some of the solution-added products are in the End of General Support (EOGS) lifecycle phase.

For more information on product version interoperability and lifecycle phase, see VMware Product Interoperability Matrix.

Table 1. Software Components in Identity and Access Management for VMware Cloud Foundation

| VMware Cloud Foundation Version | Product Group | Component Versions |
| --- | --- | --- |
| 5.1.1 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 5.1.1 Release Notes. |
| 5.1.0 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 5.1.0 Release Notes. |
| 5.0 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 5.0 Release Notes. |
| 4.5.2 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 4.5.2 Release Notes. |
| 4.5.1 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 4.5.1 Release Notes. |
| 4.5.0 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 4.5.0 Release Notes. |
| 4.4.1 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 4.4.1 Release Notes. |
| 4.4.0 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 4.4.0 Release Notes. |

Table 2. End of General Support Software Components in Identity and Access Management for VMware Cloud Foundation

| VMware Cloud Foundation Version | Product Group | Component Versions |
| --- | --- | --- |
| 4.3.1 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 4.3.1 Release Notes. |
| | Solution-added products | Workspace ONE Access 3.3.5 (EOGS) |
| 4.3.0 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 4.3.0 Release Notes. |
| | Solution-added products | Workspace ONE Access 3.3.5 (EOGS) |
| 4.2.1 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 4.2.1 Release Notes. |
| | Solution-added products | Workspace ONE Access 3.3.4 (EOGS) |
| 4.2.0 | Products part of VMware Cloud Foundation | See VMware Cloud Foundation 4.2.0 Release Notes. |
| | Solution-added products | Workspace ONE Access 3.3.4 (EOGS) |

Note:

The software component versions in this table are in the End of General Support (EOGS) phase and are no longer generally supported by VMware. At the time of initial release and during the General Support phase, the software component versions in this solution are actively implemented, tested, and validated by VMware and VMware partners. See VMware Lifecycle Policies.

Before You Apply This Guidance

To design and implement the Identity and Access Management for VMware Cloud Foundation validated solution, your environment must have a certain configuration.

Table 3. Supported VMware Cloud Foundation Deployment

| Workload Domain | Deployment Details |
| --- | --- |
| Management domain | Automated deployment using VMware Cloud Builder™. See the following VMware Cloud Foundation Documentation: |
| (Optional) One or more virtual infrastructure workload domains | Automated deployment using SDDC Manager. See the following VMware Cloud Foundation Documentation: |

Overview of Identity and Access Management for VMware Cloud Foundation

By applying the Identity and Access Management for VMware Cloud Foundation validated solution, you implement centralized RBAC for the management components of VMware Cloud Foundation, and configure password policies according to security best practices.

Table 4. Implementation Overview of Identity and Access Management for VMware Cloud Foundation

Stage

Steps

1. Plan and prepare the VMware Cloud Foundation environment

Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook.

2. Activate role-based access control on vCenter Server and SDDC Manager

  1. Connect the management domain vCenter Server to Active Directory.

  2. Grant the required roles and permissions to Active Directory security groups and service accounts.

  3. Configure password rotation and lockout policy for the local and service accounts where applicable.

3. Activate role-based access control on NSX

  1. Connect each workload domain NSX Manager to Active Directory.

  2. Grant the required roles and permissions to Active Directory security groups and service accounts.

  3. Configure password rotation and lockout policy for local and service accounts where applicable.

  4. Reconfigure the integration between NSX and vSphere to limit privileges and scope of access of the NSX service accounts in the vCenter Server Single Sign-On.

Frequently Asked Questions

For additional questions, see VMware Validated Solutions Frequently Asked Questions.

Update History

The Identity and Access Management for VMware Cloud Foundation validated solution is updated when necessary.
Revision Description

28 MAY 2024

26 MAR 2024

  • This validated solution now supports VMware Cloud Foundation 5.1.1.

  • The PowerValidatedSolutions PowerShell module is now version 2.9.0.

  • The VMware.PowerCLI PowerShell module is now version 13.2.1.

30 JAN 2024

07 NOV 2023

For more information on the VMware Aria rebranding, see Multi-Cloud Management and VMware Aria.

29 AUG 2023

25 JUL 2023

The PowerValidatedSolutions PowerShell module is now version 2.5.0.

27 JUN 2023

  • This validated solution now supports VMware Cloud Foundation 5.0.

  • The PowerValidatedSolutions PowerShell module is now version 2.4.0.

30 MAY 2023

  • This validated solution now supports VMware Cloud Foundation 4.5.1 and Workspace ONE Access 3.3.7.

  • The PowerValidatedSolutions PowerShell module is now version 2.3.0.

25 APR 2023

  • This validated solution now updates the password policy configuration guidance, providing a new VMware.CloudFoundation.PasswordManagement PowerShell module. See Password Management for Identity and Access Management for VMware Cloud Foundation.

  • The VMware.PowerCLI PowerShell module is now version 13.0.0.

  • The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.9.

  • The ImportExcel PowerShell module is now version 7.8.4.

  • The PowerVCF PowerShell module is now version 2.3.0.

  • The PowerValidatedSolutions PowerShell module is now version 2.2.0.

28 MAR 2023

The PowerValidatedSolutions PowerShell module is now version 2.1.0.

28 FEB 2023

The PowerValidatedSolutions PowerShell module is now version 2.0.1.

31 JAN 2023

29 NOV 2022

  • The VMware.PowerCLI PowerShell module is now version 12.7.0.

  • The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.8.

  • The PowerValidatedSolutions PowerShell module is now version 1.10.0.

25 OCT 2022

  • This validated solution now supports VMware Cloud Foundation 4.5.0.

  • The PowerValidatedSolutions PowerShell module is now version 1.9.0.

27 SEPT 2022

31 MAY 2022

  • This validated solution now supports VMware Cloud Foundation 4.4.1.

  • The PowerVCF PowerShell module is now version 2.2.0.

  • The PowerValidatedSolutions PowerShell module is now version 1.7.0.

28 APR 2022

  • The PowerValidatedSolutions PowerShell module is now version 1.6.0.

29 MAR 2022

  • The PowerValidatedSolutions PowerShell module is now version 1.5.0.

  • Removing the procedure Configure the vRealize Log Insight Agent on the Standalone Workspace ONE Access Appliance.

22 FEB 2022

  • This validated solution now supports VMware Cloud Foundation 4.4.0.

  • This validated solution now requires installation of the ImportExcel PowerShell module.

  • The PowerValidatedSolutions PowerShell module is now version 1.4.0.

  • The VMware.PowerCLI PowerShell module is now version 12.4.1.

25 JAN 2022

30 NOV 2021

  • The PowerValidatedSolutions PowerShell module is now version 1.2.0.

  • The PowerVCF PowerShell module is now version 2.1.7.

26 OCT 2021

05 OCT 2021

Added support:

  • VMware Cloud Foundation 4.3.1 is now supported.

  • VxRail is now supported.

24 AUG 2021

Initial release.