About Identity and Access Management for VMware Cloud Foundation

The Identity and Access Management for VMware Cloud Foundation validated solution provides detailed design, implementation, configuration, and operation guidance on the use of Active Directory as an identity provider and authentication source, and on the use of role-based access control (RBAC) in VMware Cloud Foundation™ SDDC Manager™, VMware vCenter Server^®, VMware ESXi™, and VMware NSX™ . This document also provides guidance on password management, password policies, and account lockout policies where applicable for the components of the solution.

A VMware validated solution is a well-architected and validated implementation, built and tested by VMware and VMware partners to help customers deliver common business use cases. VMware validated solutions are operational, cost-effective, reliable, and secure. Each solution contains a detailed design, implementation, and operational guidance.

Automation for This Design in VMware Cloud Foundation

VMware Cloud Foundation™ SDDC Manager^® automates the implementation tasks for some design decisions. For the rest of the design decisions, as noted in the design implications, you must perform the implementation steps manually.

To provide a fast and efficient path to automating the Identity and Access Management for VMware Cloud Foundation implementation, this document provides Microsoft PowerShell cmdlets using an open-source module as code-based alternatives to completing certain procedures in each SDDC component's user interface. You can directly reuse the PowerShell commands by replacing the provided sample values with values from your VMware Cloud Foundation Planning and Preparation Workbook.

Intended Audience

The Identity and Access Management for VMware Cloud Foundation documentation is intended for cloud architects and administrators who are familiar with and want to use VMware software and a role-based access control solution using a central identity provider for VMware Cloud Foundation.

Support Matrix

The Identity and Access Management for VMware Cloud Foundation validated solution is compatible with certain versions of the VMware products that are used for implementing the solution. Some of the solution-added products are in End of General Support (EOGS) lifecycle phase.

For more information on product version interoperability and lifecycle phase, see VMware Product Interoperability Matrix.

Table 1. Software Components in Identity and Access Management for VMware Cloud Foundation
VMware Cloud Foundation Version	Product Group	Component Versions
5.1.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 5.1.0 Release Notes.
5.1.0	Solution-added products	Workspace ONE Access 3.3.7
5.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 5.0 Release Notes.
5.0	Solution-added products	Workspace ONE Access 3.3.7
4.5.2	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.5.2 Release Notes.
4.5.2	Solution-added products	Workspace ONE Access 3.3.7
4.5.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.5.1 Release Notes.
4.5.1	Solution-added products	Workspace ONE Access 3.3.7
4.5.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.5.0 Release Notes.
	Solution-added products	Workspace ONE Access 3.3.7
	Solution-added products	Workspace ONE Access 3.3.6 (EOGS)
4.4.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.4.1 Release Notes.
	Solution-added products	Workspace ONE Access 3.3.7
	Solution-added products	Workspace ONE Access 3.3.6 (EOGS)
4.4.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.4.0 Release Notes.
	Solution-added products	Workspace ONE Access 3.3.7
	Solution-added products	Workspace ONE Access 3.3.6 (EOGS)

Table 2. End of General Support Software Components in Identity and Access Management for VMware Cloud Foundation
VMware Cloud Foundation Version	Product Group	Component Versions
4.3.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.3.1 Release Notes.
4.3.1	Solution-added products	Workspace ONE Access 3.3.5 (EOGS)
4.3.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.3.0 Release Notes.
4.3.0	Solution-added products	Workspace ONE Access 3.3.5 (EOGS)
4.2.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.2.1 Release Notes.
4.2.1	Solution-added products	Workspace ONE Access 3.3.4 (EOGS)
4.2.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.2.0 Release Notes.
4.2.0	Solution-added products	Workspace ONE Access 3.3.4 (EOGS)

Note:

The software component versions in this table are in End of General Support (EOGS) phase and are no longer generally supported by VMware. At the time of initial release and during the General Support phase, the software component versions in this solution are actively implemented, tested, and validated by VMware and VMware partners. See VMware Lifecycle Policies.

Before You Apply This Guidance

To design and implement the Identity and Access Management for VMware Cloud Foundation validated solution, your environment must have a certain configuration.

Table 3. Supported VMware Cloud Foundation Deployment
Workload Domain	Deployment Details
Management domain	Automated deployment using VMware Cloud Builder™ Availability of overlay-backed or VLAN-backed NSX segments in NSX for traffic in the same VMware Cloud Foundation instance and between VMware Cloud Foundation instances not required. See the following VMware Cloud Foundation Documentation: For information on designing the management domain, see VMware Cloud Foundation Design Guide. For information on deploying the management domain, see Getting Started with VMware Cloud Foundation and VMware Cloud Foundation Deployment Guide. For information on operating the management domain, see VMware Cloud Foundation Administration Guide and VMware Cloud Foundation Operations Guide.
(Optional) One or more virtual infrastructure workload domains	Automated deployment using SDDC Manager. See the following VMware Cloud Foundation Documentation: For information on designing a VI workload domain, see VMware Cloud Foundation Design Guide. For information on deploying the VI workload domains, see Getting Started with VMware Cloud Foundation and VMware Cloud Foundation Administration Guide. For information on operating the VI Workload domain, see VMware Cloud Foundation Operations Guide.

Overview of Identity and Access Management for VMware Cloud Foundation

By applying the Identity and Access Management for VMware Cloud Foundation validated solution, you implement centralized RBAC for the management components of VMware Cloud Foundation, and configure password policies according to security best practices.

Table 4. Implementation Overview of Identity and Access Management for VMware Cloud Foundation
Stage	Steps
1. Plan and prepare the VMware Cloud Foundation environment	Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook.
2. Activate role-based access control on vCenter Server and SDDC Manager	Connect the management domain vCenter Server to Active Directory. Grant the required roles and permissions to Active Directory security groups and service accounts. Configure password rotation and lockout policy for the local and service accounts where applicable.
3. Activate role-based access control on NSX	Deploy a standalone VMware Workspace ONE^® Access™ instance for local use in the VMware Cloud Foundation instance. Connect the standalone Workspace ONE Access instance to Active Directory. Grant the Active Directory security groups and service accounts default or custom roles that are required to manage the standalone Workspace ONE Access instance. Configure password rotation and lockout policy in the standalone Workspace ONE Access instance for the user and service accounts where applicable. Connect the NSX Manager instances for the management and workload domains to the standalone Workspace ONE Access instance. Grant the Active Directory security groups and service accounts that require to access manage or interact with NSX Manager Configure password rotation and lockout policy in NSX for the user and service accounts where applicable. Reconfigure the integration between NSX and vSphere to limit privileges and scope of access of the NSX service accounts in the vCenter Server Single Sign-On.

Update History

The Identity and Access Management for VMware Cloud Foundation validated solution is updated when necessary.


Revision	Description
07 NOV 2023	This validated solution now supports VMware Cloud Foundation 5.1.0, providing support for password rotation for the NSX Manager audit account. See Information Security and Access for NSX for Identity and Access Management for VMware Cloud Foundation This validated solution now provides guidance on using the VMware.CloudFoundation.PasswordManagement PowerShell module for performing password management. See the following updated sections: Password Management for Identity and Access Management for VMware Cloud Foundation Password Policy Configuration with PowerShell for Identity and Access Management for VMware Cloud Foundation The PowerValidatedSolutions PowerShell module is now version 2.7.0. The PowerVCF PowerShell module is now version 2.4.0. The following solution-added product names are changing: VMware vRealize Log Insight is now VMware Aria Operations for Logs VMware vRealize Operations is now VMware Aria Operations For more information on the VMware Aria rebranding, see Multi-Cloud Management and VMware Aria.
29 AUG 2023	This validated solution now includes Appendix: Default Password Policy Settings for Identity and Access Management for VMware Cloud Foundation for quick reference. This validated solution now supports VMware Cloud Foundation 4.5.2. The VMware.PowerCLI PowerShell module is now version 13.1.0. The ImportExcel PowerShell module is now version 7.8.5. The PowerValidatedSolutions PowerShell module is now version 2.6.0.
25 JUL 2023	The PowerValidatedSolutions PowerShell module is now version 2.5.0.
27 JUN 2023	This validated solution now supports VMware Cloud Foundation 5.0. The PowerValidatedSolutions PowerShell module is now version 2.4.0.
30 MAY 2023	This validated solution now supports VMware Cloud Foundation 4.5.1 and Workspace ONE Access 3.3.7. The PowerValidatedSolutions PowerShell module is now version 2.3.0.
25 APR 2023	This validated solution now updates the password policy configuration guidance, providing a new VMware.CloudFoundation.PasswordManagement PowerShell module. See Password Management for Identity and Access Management for VMware Cloud Foundation The VMware.PowerCLI PowerShell module is now version 13.0.0. The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.9. The ImportExcel PowerShell module is now version 7.8.4. The PowerVCF PowerShell module is now version 2.3.0 The PowerValidatedSolutions PowerShell module is now version 2.2.0.
28 MAR 2023	The PowerValidatedSolutions PowerShell module is now version 2.1.0.
28 FEB 2023	The PowerValidatedSolutions PowerShell module is now version 2.0.1.
31 JAN 2023	This validated solution now updates the password policy management design. See Information Security and Access of Identity and Access Management for VMware Cloud Foundation. This validated solution now provides guidance on password policy management by product for the following procedures. Configuring Password Expiration for Identity and Access Management for VMware Cloud Foundation Configuring Password Complexity Policies for Identity and Access Management for VMware Cloud Foundation Configuring Account Lockout Policies for Identity and Access Management for VMware Cloud Foundation Password Rotation and Remediation for Identity and Access Management for VMware Cloud Foundation The PowerValidatedSolutions PowerShell module is now version 2.0.0, adding support for the following procedure. Password Policy Configuration with PowerShell for Identity and Access Management for VMware Cloud Foundation
29 NOV 2022	The VMware.PowerCLI PowerShell module is now version 12.7.0. The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.8. The PowerValidatedSolutions PowerShell module is now version 1.10.0.
25 OCT 2022	This validated solution now supports VMware Cloud Foundation 4.5.0. The PowerValidatedSolutions PowerShell module is now version 1.9.0.
27 SEPT 2022	This validated solution now provides guidance on automated password policy management for specific SDDC components. See Password Policy Configuration with PowerShell for Identity and Access Management for VMware Cloud Foundation. The PowerValidatedSolutions PowerShell module is now version 1.8.0.
31 MAY 2022	This validated solution now supports VMware Cloud Foundation 4.4.1. The PowerVCF PowerShell module is now version 2.2.0. The PowerValidatedSolutions PowerShell module is now version 1.7.0.
28 APR 2022	The PowerValidatedSolutions PowerShell module is now version 1.6.0, adding support for the following implementation procedures. Add a VMware Identity Manager Adapter for the Standalone Workspace ONE Access Instance for Identity and Access Management for VMware Cloud Foundation
29 MAR 2022	The PowerValidatedSolutions PowerShell module is now version 1.5.0, adding support for the following implementation procedures. Install and Configure the VMware Aria Operations for Logs Agent on the Standalone Workspace ONE Access Appliance for Identity and Access Management for VMware Cloud Foundation Create a VMware Aria Operations for Logs Identity Manager Agent Group for the Standalone Workspace ONE Access for Identity and Access Management for VMware Cloud Foundation Create a VMware Aria Operations for Logs Photon OS Agent Group for the Standalone Workspace ONE Access for Identity and Access Management for VMware Cloud Foundation Removing the procedure Configure the vRealize Log Insight Agent on the Standalone Workspace ONE Access Appliance. This design now includes a design decision IAM-WSA-LOG-003 for configuring a dedicated Identity Manager Agent group for the standalone Workspace ONE Access instance. See Logging for Identity and Access Management for VMware Cloud Foundation. This design now includes a design decision IAM-WSA-LOG-004 for configuring a dedicated Photon OS agent group for the standalone Workspace ONE Access instance. See Logging for Identity and Access Management for VMware Cloud Foundation.
22 FEB 2022	This validated solution now supports VMware Cloud Foundation 4.4.0. This validated solution now requires installation of the ImportExcel PowerShell module. The PowerValidatedSolutions PowerShell module is now version 1.4.0. The VMware.PowerCLI PowerShell module is now version 12.4.1. Adding a procedure for configuring a Ping adapter for the standalone Workspace ONE Access. See Add Ping Adapter for the Standalone Workspace ONE Access Instance for Identity and Access Management for VMware Cloud Foundation.
25 JAN 2022	The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.7. The PowerValidatedSolutions PowerShell module is now version 1.3.0, adding support for the following implementation procedures. Assign NSX Manager Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation
30 NOV 2021	The PowerValidatedSolutions PowerShell module is now version 1.2.0. The PowerVCF PowerShell module is now version 2.1.7.
26 OCT 2021	The PowerValidatedSolutions PowerShell module is now version 1.1.0, adding support for the following implementation procedures. Reconfigure the vSphere Role and Permissions Scope for NSX Service Accounts for Identity and Access Management for VMware Cloud Foundation Create a VM Group for the Standalone Workspace ONE Access Instance for Identity and Access Management for VMware Cloud Foundation The operational guidance now includes shutdown and startup procedures for the solution components. See Shutdown and Startup of Identity and Access Management for VMware Cloud Foundation.
05 OCT 2021	Added support: VMware Cloud Foundation 4.3.1 is now supported. VxRail is now supported.
24 AUG 2021	Initial release.