You can integrate NSX-T Data Center with VMware Identity Manager (vIDM), which provides identity management services.

The vIDM server should present a certificate signed by a certificate authority (CA). With a self-signed certificate, logging in to vIDM from NSX Manager might not work with certain browsers, such as Microsoft Edge or Internet Explorer 11. For information about installing a CA-signed certificate on vIDM, see the VMware Identity Manager documentation at https://docs.vmware.com/en/VMware-Identity-Manager/index.html.

When you register NSX Manager with vIDM, you specify a redirect URI that points to NSX Manager. The host part of that URI can be either the fully qualified domain name (FQDN) or the IP address of the manager, and vIDM matches it exactly. Remember which form you used: when you log in to NSX Manager through vIDM, the host name in the browser URL must use the same form. If you registered the FQDN, use the FQDN in the URL; if you registered the IP address, use the IP address. Otherwise, login fails.
Note: NSX Manager nodes and the vIDM appliance must be in the same time zone. UTC is recommended.

With vIDM enabled, you can still log in to NSX Manager with a local user account by using the URL https://<nsx-manager-ip-address>/login.jsp?local=true. Because this local login path remains available after vIDM integration, local account credentials must still be protected as strongly as the vIDM identities.

If you log in to vIDM with a UserPrincipalName (UPN, for example user@corp.example), authentication to NSX-T might fail. To avoid this issue, use a different credential type, for example the SAMAccountName.

If you use NSX Cloud, you can log in to the Cloud Service Manager (CSM) with a local account separately, using the URL https://<csm-ip-address>/login.jsp?local=true.

Prerequisites

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Users.
  3. Click the Configuration tab.
  4. Click Edit.
  5. To enable external load balancer integration, click the External Load Balancer Integration toggle.
    Note: If a cluster Virtual IP (VIP) is configured (check System > Appliances > Virtual IP), External Load Balancer Integration has no effect even when the toggle is enabled. For the vIDM configuration you can use either the VIP or an external load balancer, but not both. Disable the VIP if you want to use the external load balancer. See Configure a Virtual IP (VIP) Address for a Cluster in the NSX-T Data Center Installation Guide for details.
  6. To enable VMware Identity Manager integration, click the VMware Identity Manager Integration toggle.
  7. Provide the following information.
    VMware Identity Manager Appliance: The fully qualified domain name (FQDN) of the vIDM host.
    OAuth Client ID: The client ID that was generated when NSX Manager was registered with the vIDM host.
    OAuth Client Secret: The client secret that was generated when NSX Manager was registered with the vIDM host. Handle it as a credential.
    SSL Thumbprint: The thumbprint of the certificate that the vIDM host serves. NSX Manager uses it to verify the vIDM server it talks to, so obtain the value from the vIDM side rather than from an unverified network connection.
    NSX Appliance: The IP address or fully qualified domain name (FQDN) of NSX Manager. If you are using an NSX Manager cluster, use the load balancer FQDN, or the cluster VIP FQDN or IP address. This value must match the host in the redirect URI registered with vIDM. If you specify an FQDN, you must access NSX Manager from a browser using the manager's FQDN in the URL, and if you specify an IP address, you must use the IP address in the URL. Alternatively, the vIDM administrator can configure the NSX Manager client so that you can connect using either the FQDN or the IP address.
  8. Click Save.
  9. If using NSX Cloud, repeat steps 1 through 8 from the CSM appliance by logging in to CSM instead of NSX Manager.
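The same settings that steps 5 through 8 enter in the UI can be prepared and pushed with the NSX Manager node API (PUT /api/v1/node/aaa/providers/vidm). The following script is an added example written for this page, not VMware's code. It assumes the SSL Thumbprint field takes a SHA-256 fingerprint in colon-separated hex (the form openssl x509 -fingerprint -sha256 prints), and the host names, client ID and client secret in it are constructed placeholders. It also encodes the two caveats from the text as checks: the browser URL must use the same host form that was registered as the redirect URI, and cluster VIP and external load balancer integration are mutually exclusive.

```python
"""Added example: validate and push NSX-T vIDM integration settings.

Not part of the VMware documentation. Host names, client ID, client secret
and the sample certificate bytes below are constructed placeholders.
"""
import base64
import hashlib
import ipaddress
import json
import ssl
import urllib.request
from urllib.parse import urlsplit


def thumbprint_from_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated
    upper-case hex. Assumed to be the form the SSL Thumbprint field expects."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_from_pem(pem: str) -> str:
    """Same fingerprint computed from a PEM certificate (stdlib decode only)."""
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def fetch_vidm_thumbprint(host: str, port: int = 443) -> str:
    """Fingerprint the leaf certificate the vIDM host currently serves.
    Network call. Compare the result with the value shown on the vIDM side
    before entering it: whatever you pin here is what NSX Manager will trust."""
    return thumbprint_from_pem(ssl.get_server_certificate((host, port)))


def host_kind(host: str) -> str:
    """Return 'ip' or 'fqdn'. vIDM matches the registered redirect URI host
    exactly, so the form you register is the form you must log in with."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn"


def login_url_matches(node_host_name: str, login_url: str) -> bool:
    """True only if the browser URL uses the host registered with vIDM.
    A mismatch (FQDN registered, IP used, or vice versa) makes login fail."""
    url_host = (urlsplit(login_url).hostname or "").lower()
    return url_host == node_host_name.lower()


def lb_and_vip_compatible(lb_enable: bool, vip_configured: bool) -> bool:
    """External load balancer integration is ineffective while a cluster VIP
    is configured; the two cannot be combined for vIDM."""
    return not (lb_enable and vip_configured)


def build_vidm_properties(vidm_host, client_id, client_secret, thumbprint,
                          node_host_name, lb_enable=False, vip_configured=False):
    """Request body for PUT /api/v1/node/aaa/providers/vidm (field names as
    in the NSX-T node API). Rejects the VIP plus external LB combination and
    a thumbprint that is not 32 bytes of hex."""
    if not lb_and_vip_compatible(lb_enable, vip_configured):
        raise ValueError("disable the cluster VIP before enabling external LB integration")
    if len(thumbprint.replace(":", "")) != 64:
        raise ValueError("thumbprint must be a SHA-256 fingerprint")
    return {
        "vidm_enable": True,
        "lb_enable": lb_enable,
        "host_name": vidm_host,
        "client_id": client_id,
        "client_secret": client_secret,
        "thumbprint": thumbprint,
        "node_host_name": node_host_name,
    }


def push_vidm_properties(manager_host, admin_user, admin_password, body):
    """PUT the settings to one NSX Manager node with HTTP basic auth.
    urllib verifies the manager's TLS certificate with the system trust store."""
    url = f"https://{manager_host}/api/v1/node/aaa/providers/vidm"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Constructed values; replace with the ones generated when registering
    # NSX Manager in vIDM and with the fingerprint verified on the vIDM side.
    registered = "nsx-mgr.corp.example"           # FQDN form was registered
    print(host_kind(registered))                   # fqdn
    print(login_url_matches(registered, "https://nsx-mgr.corp.example/"))  # True
    print(login_url_matches(registered, "https://10.20.30.40/"))          # False: login fails
    body = build_vidm_properties("vidm.corp.example", "nsx-client-id",
                                 "nsx-client-secret", thumbprint_from_der(b"abc"),
                                 registered)
    print(json.dumps({k: v for k, v in body.items() if k != "client_secret"}, indent=2))
    # push_vidm_properties("nsx-mgr.corp.example", "admin", "<password>", body)
```

Run the push against each NSX Manager node (or the CSM appliance for NSX Cloud, as step 9 describes) only after the thumbprint has been verified out of band; the script deliberately does not pin a fingerprint fetched from the network without that check.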