To configure vCenter Server Identity Provider Federation effectively, you must understand the communication flows that take place.
vCenter Server Identity Provider Federation Configuration Process Flow
The following figure shows the process flow that occurs when configuring vCenter Server Identity Provider Federation.
vCenter Server, AD FS, and Active Directory interact as follows.
- The AD FS administrator configures an AD FS OAuth Application for vCenter Server.
- The vCenter Server administrator logs in to the vCenter Server using the vSphere Client.
- The vCenter Server administrator adds an AD FS identity provider to vCenter Server, and also enters information about the Active Directory domain.
vCenter Server needs this information to make an LDAP connection to the Active Directory domain of the AD FS server. Using this connection, vCenter Server searches for users and groups, and adds them to vCenter Server local groups in the next step. See the section titled "Searching the Active Directory Domain" that follows for more information.
- The vCenter Server administrator configures authorization permissions in vCenter Server for AD FS users.
- The AD FS Provider queries the VcIdentityProviders API to get the LDAP connection information for the Active Directory source.
- The AD FS Provider searches Active Directory for the queried users or groups to finish the Authorization configuration.
Searching the Active Directory Domain
You configure AD FS as the external identity provider in vCenter Server by using the Configure Main Identity Provider wizard in the vSphere Client. As part of the configuration process, you must enter information about your Active Directory domain, including user and group distinguished name information. Configuration of AD FS for authentication requires this Active Directory connection information. This connection is necessary to search for and map Active Directory user names and groups to roles and permissions in vCenter Server, whereas AD FS is used for the authentication of the user. This step of the Configure Main Identity Provider wizard does not create an Active Directory Over LDAP identity source. Rather, vCenter Server uses this information to establish a valid search-capable connection to your Active Directory domain to find users and groups there.
Consider an example using the following distinguished name entries:
- Base distinguished name for users: cn=Users,dc=corp,dc=local
- Base distinguished name for groups: dc=corp,dc=local
- User name: cn=Administrator,cn=Users,dc=corp,dc=local
If the AdfsUser@corp.local user is a member of the ADGroup@corp.local group, entering this information in the wizard allows a vCenter Server administrator to search for and find the ADGroup@corp.local group and add it to the vCenter Server Administrators@vsphere.local group. As a result, the AdfsUser@corp.local user is granted administrative privileges in vCenter Server upon logging in.
vCenter Server also uses this search process when you configure global permissions for Active Directory users and groups. In both cases, either configuring global permissions, or adding a user or group, you select the domain you entered for your AD FS identify provider from the Domain drop-down menu to search for and select users and groups from your Active Directory domain.