The Identity and Access Management for VMware Cloud Foundation validated solution provides detailed design, implementation, configuration, and operation guidance on the use of Active Directory as an identity provider and authentication source, and on the use of role-based access control (RBAC) in VMware Cloud Foundation™ SDDC Manager™, VMware vCenter Server®, VMware ESXi™, and VMware NSX-T™ Data Center. This document also provides guidance on password management, password policies, and account lockout policies where applicable for the components of the solution.

A VMware validated solution is a technical validated implementation that is built and tested by VMware and VMware partners to help customers resolve common business use cases. VMware validated solutions are operational, cost-effective, performant, reliable, and secure. Each solution contains a detailed design, implementation, and operational guidance.

Automation for This Design in VMware Cloud Foundation

The implementation tasks for some design decisions are automated by VMware Cloud Foundation™ SDDC Manager. You must perform the implementation manually for the rest of the design decisions as noted in the design implication.

To provide a fast and efficient path to automating the Identity and Access Management for VMware Cloud Foundation implementation, this document provides Microsoft PowerShell cmdlets as code-based alternatives to completing certain procedures in each SDDC component's user interface. You can directly reuse the PowerShell commands by replacing the provided sample values with values from your VMware Cloud Foundation Planning and Preparation Workbook.

Intended Audience

The Identity and Access Management for VMware Cloud Foundation documentation is intended for cloud architects and administrators who are familiar with and want to use VMware software and a role-based access control solution using a central identity provider for VMware Cloud Foundation.

Support Matrix

The Identity and Access Management for VMware Cloud Foundation validated solution is compatible with certain versions of the VMware products that are used for implementing the solution.

Table 1. Software Components in Identity and Access Management for VMware Cloud Foundation

VMware Cloud Foundation Version

Product Group

Component Versions

4.5.0

Products part of VMware Cloud Foundation

See VMware Cloud Foundation 4.5 Release Notes.

Solution-added products

Workspace ONE Access 3.3.6

4.4.1

Products part of VMware Cloud Foundation

See VMware Cloud Foundation 4.4.1 Release Notes.

Solution-added products

Workspace ONE Access 3.3.6

4.4.0

Products part of VMware Cloud Foundation

See VMware Cloud Foundation 4.4 Release Notes.

Solution-added products

Workspace ONE Access 3.3.6

4.3.1

Products part of VMware Cloud Foundation

See VMware Cloud Foundation 4.3.1 Release Notes.

Solution-added products

Workspace ONE Access 3.3.5

4.3.0

Products part of VMware Cloud Foundation

See VMware Cloud Foundation 4.3 Release Notes.

Solution-added products

Workspace ONE Access 3.3.5

4.2.1

Products part of VMware Cloud Foundation

See VMware Cloud Foundation 4.2.1 Release Notes.

Solution-added products

Workspace ONE Access 3.3.4

4.2.0

Products part of VMware Cloud Foundation

See VMware Cloud Foundation 4.2 Release Notes.

Solution-added products

Workspace ONE Access 3.3.4

Before You Apply This Guidance

To design and implement the Identity and Access Management for VMware Cloud Foundation validated solution, your environment must have a certain configuration.

Table 2. Supported VMware Cloud Foundation Deployment

Workload Domain

Deployment Details

Management domain

  • Automated deployment using VMware Cloud Builder™

  • Availability of overlay-backed or VLAN-backed NSX segments in NSX-T Data Center for traffic in the same VMware Cloud Foundation instance and between VMware Cloud Foundation instances not required.

See the following VMware Cloud Foundation Documentation:

  • For information on designing the management domain, see VMware Cloud Foundation Design Guide for the Management Domain.

  • For information on deploying the management domain, see VMware Cloud Foundation Getting Started Guide and VMware Cloud Foundation Deployment Guide.

(Optional) One or more virtual infrastructure workload domains

Automated deployment using SDDC Manager.

See the following VMware Cloud Foundation Documentation:

  • For information on designing the VI workload domain, see VMware Cloud Foundation Design Guide for a Virtual Infrastructure Workload Domain.

  • For information on deploying the VI workload domain, see VMware Cloud Foundation Getting Started Guide and VMware Cloud Foundation Operations and Administration Guide.

Overview of Identity and Access Management for VMware Cloud Foundation

By applying the Identity and Access Management for VMware Cloud Foundation validated solution, you implement centralized RBAC for the management components of VMware Cloud Foundation, and configure password policies according to security best practices.

Table 3. Implementation Overview of Identity and Access Management for VMware Cloud Foundation

Stage

Steps

1. Plan and prepare the VMware Cloud Foundation environment

Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook.

2. Activate role-based access control on vCenter Server and SDDC Manager

  1. Connect the management domain vCenter Server to Active Directory.

  2. Grant the required roles and permissions to Active Directory security groups and service accounts.

  3. Configure password rotation and lockout policy for the local and service accounts where applicable.

3. Activate role-based access control on NSX-T Data Center

  1. Deploy a standalone VMware Workspace ONE® Access™ instance for local use in the VMware Cloud Foundation instance.

  2. Connect the standalone Workspace ONE Access instance to Active Directory.

  3. Grant the Active Directory security groups and service accounts default or custom roles that are required to manage the standalone Workspace ONE Access instance.

  4. Configure password rotation and lockout policy in the standalone Workspace ONE Access instance for the user and service accounts where applicable.

  5. Connect the NSX Manager instances for the management and workload domains to the standalone Workspace ONE Access instance.

  6. Grant the Active Directory security groups and service accounts that require to access manage or interact with NSX Manager

  7. Configure password rotation and lockout policy in NSX-T Data Center for the user and service accounts where applicable.

  8. Reconfigure the integration between NSX-T Data Center and vSphere to limit privileges and scope of access of the NSX service accounts in the vCenter Server Single Sign-On.

Update History

The Identity and Access Management for VMware Cloud Foundation validated solution is updated when necessary.

Revision

Description

28 MAR 2023

The PowerValidatedSolutions PowerShell module is now version 2.1.0.

28 FEB 2023

The PowerValidatedSolutions PowerShell module is now version 2.0.1.

31 JAN 2023

29 NOV 2022

  • The VMware.PowerCLI PowerShell module is now version 12.7.0.

  • The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.8.

  • The PowerValidatedSolutions PowerShell module is now version 1.10.0.

25 OCT 2022

  • This validated solution now supports VMware Cloud Foundation 4.5.0.

  • The PowerValidatedSolutions PowerShell module is now version 1.9.0.

27 SEPT 2022

31 MAY 2022

  • This validated solution now supports VMware Cloud Foundation 4.4.1.

  • The PowerVCF PowerShell module is now version 2.2.0.

  • The PowerValidatedSolutions PowerShell module is now version 1.7.0.

28 APR 2022

29 MAR 2022

22 FEB 2022

  • This validated solution now supports VMware Cloud Foundation 4.4.0.

  • This validated solution now requires installation of the ImportExcel PowerShell module.

  • The PowerValidatedSolutions PowerShell module is now version 1.4.0.

  • The VMware.PowerCLI PowerShell module is now version 12.4.1.

  • Adding a procedure for configuring a Ping adapter for the standalone Workspace ONE Access. See Add Ping Adapter for the Standalone Workspace ONE Access Instance.

25 JAN 2022

30 NOV 2021

  • The PowerValidatedSolutions PowerShell module is now version 1.2.0.

  • The PowerVCF PowerShell module is now version 2.1.7.

26 OCT 2021

05 OCT 2021

Added support:

  • VMware Cloud Foundation 4.3.1 is now supported.

  • VxRail is now supported.

24 AUG 2021

Initial release.