When you enable Identity Provider Federation in vCenter Server environments using enhanced linked mode, authentication and workflows continue to work as before.
If you use Enhanced Linked Mode configuration, note the following when logging in to vCenter Server using federated authentication.
- Users continue to see the same inventory, and can perform the same actions, based on the vCenter Server permissions and roles model.
- vCenter Server hosts in enhanced linked mode are not required to have access to each other's identity providers. For example, consider two vCenter Server systems A and B, and that use enhanced linked mode. After vCenter Server A authorizes a user, then the user is authorized on vCenter Server B as well.
The following illustration shows the authentication workflow with enhanced linked mode and vCenter Server Identity Provider Federation.
- Two vCenter Server nodes are deployed in Enhanced Linked Mode configuration.
- The AD FS setup has been configured on vCenter Server A using the Change Identity Provider wizard in the vSphere Client. Group memberships and permissions have also been established for AD FS users or groups.
- vCenter Server A replicates the AD FS configuration to vCenter Server B.
- All Redirect URIs for both vCenter Server nodes are added to the OAuth Application Group in AD FS. Only one OAuth Application Group is created.
- When a user logs into and is authorized by vCenter Server A, the user is also authorized on vCenter Server B. If the user logs in to vCenter Server B first, the same holds true.
vCenter Server enhanced linked mode supports the following configuration scenarios for identity provider federation. In this section, the terms "AD FS settings" and "AD FS configuration" refer to the settings that you configure in the
vSphere Client using the Change Identity Provider wizard, and any group memberships or permissions that you have established for AD FS users or groups.
- Enable AD FS on an existing Enhanced Linked Mode configuration
-
High-level steps:
- Deploy N vCenter Server nodes in Enhanced Linked Mode configuration.
- Configure AD FS on one of the linked vCenter Server nodes.
- The AD FS configuration is replicated to all other (N-1) vCenter Server nodes.
- Add all Redirect URIs for all N vCenter Server nodes to the configured OAuth Application Group in AD FS.
- Link a new vCenter Server to an existing Enhanced Linked Mode AD FS configuration
-
High-level Steps:
- (Prerequisite) Set up AD FS on a vCenter Server N-node Enhanced Linked Mode configuration.
- Deploy a new independent vCenter Server node.
- Repoint the new vCenter Server to the N-node AD FS enhanced linked mode domain, using one of the N nodes as its replication partner.
- All AD FS settings in the existing Enhanced Linked Mode configuration are replicated to the new vCenter Server.
The AD FS settings that are in the N-node AD FS enhanced linked mode domain overwrite any existing AD FS settings on the newly linked vCenter Server.
- Add all Redirect URIs for the new vCenter Server to the existing configured OAuth Application Group in AD FS.
- Unlink a vCenter Server from an Enhanced Linked Mode AD FS configuration
-
High-level steps:
- (Prerequisite) Set up AD FS on an N-node vCenter Server Enhanced Linked Mode configuration.
- Unregister one of the vCenter Server hosts in the N-node configuration and repoint it to a new domain to unlink it from the N-node configuration.
- The domain repointing process does not preserve SSO settings, so all AD FS settings on the unlinked vCenter Server node are reverted and lost. To continue using AD FS on this vCenter Server unlinked node, you must reconfigure AD FS from the beginning or you must relink the vCenter Server to an Enhanced Linked Mode configuration where AD FS is already set up.
