vCenter Server Identity Provider Federation Basics

Starting in vSphere 7.0, vCenter Server supports federated authentication. In this scenario, when a user logs in to vCenter Server, vCenter Server redirects the user login to the external identity provider. The user credentials are no longer provided to vCenter Server directly. Instead, the user provides credentials to the external identity provider. vCenter Server trusts the external identity provider to perform the authentication. In the federation model, users never provide credentials directly to any service or application but only to the identity provider. As a result, you "federate" your applications and services, such as vCenter Server, with your identity provider.

vCenter Server Identity Provider Federation Benefits

vCenter Server Identity Provider Federation provides the following benefits.

• You can use Single Sign-On with existing federated infrastructure and applications.
• You can improve data center security because vCenter Server never handles the user’s credentials.
• You can use the authentication mechanisms, such as multi-factor authentication, supported by the external identity provider.

vCenter Server Identity Provider Federation Components

The following components comprise a vCenter Server Identity Provider Federation configuration that uses Microsoft Active Directory Federation Services (AD FS):

• A vCenter Server
• An identity provider service configured on the vCenter Server
• An AD FS server and associated Microsoft Active Directory domain
• An AD FS Application Group
• Active Directory groups and users that map to vCenter Server groups and users

vCenter Server Identity Provider Federation Architecture

In vCenter Server Identity Provider Federation, vCenter Server uses the OpenID Connect (OIDC) protocol to receive an identity token that authenticates the user with vCenter Server.

To establish a relying party trust between vCenter Server and an identity provider, you must establish the identifying information and a shared secret between them. In AD FS, you do so by creating an OIDC configuration known as an Application Group, which consists of a Server application and a Web API. The two components specify the information that vCenter Server uses to trust and communicate with the AD FS server. You also create a corresponding identity provider in vCenter Server. Finally, you configure group memberships in vCenter Server to authorize logins from users in the AD FS domain.

The AD FS administrator must provide the following information to create the vCenter Server identity provider configuration:

• Client Identifier: The UUID string that is generated by the AD FS Application Group wizard and that identifies the Application Group itself.
• Shared Secret: The secret that is generated by the AD FS Application Group wizard and that is used to authenticate vCenter Server with AD FS.
• OpenID Address: The OpenID Provider Discovery endpoint URL of the AD FS server, specifying a well-known address that is typically the issuer endpoint concatenated with the path “/.well-known/openid-configuration”. For example: https://webserver.example.com/adfs/.well-known/openid-configuration.