After installing or upgrading to vSphere 7.0, you can configure vCenter Server Identity Provider Federation. Currently, vCenter Server supports only Active Directory Federation Services (AD FS) as an external identity provider.

vCenter Server supports only one external identity provider (one AD FS source), and the vsphere.local identity source. You cannot use multiple external identity providers. vCenter Server Identity Provider Federation uses OpenID Connect (OIDC) for user login to vCenter Server.

Caution: If you use an Active Directory identity source that you previously added to vCenter Server for your AD FS identity source, do not delete that existing identity source from vCenter Server. Doing so causes a regression with previously assigned roles and group memberships. Both the AD FS user with global permissions and users that were added to the Administrators group will not be able to log in.

Workaround: If you do not need the previously assigned roles and group memberships, and want to remove the previous Active Directory identity source, remove the identity source before creating the AD FS provider and configuring group memberships in vCenter Server.

Prerequisites

Active Directory Federation Services requirements:

For more information about configuring AD FS, see the Microsoft documentation.

vCenter Server and other requirements:

  • vSphere 7.0
  • vCenter Server must be able to connect to the AD FS discovery endpoint, and the authorization, token, logout, JWKS, and any other endpoints advertised in the discovery endpoint metadata.
  • You need the VcIdentityProviders.Manage privilege to create, update, or delete a vCenter Server Identity Provider that is required for federated authentication. To limit a user to view the Identity Provider configuration information only, assign the VcIdentityProviders.Read privilege.

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  3. Select the Identity Provider tab and obtain the Redirect URIs.
    1. Click the informational “i” icon next to the “Change identity provider” link.
      Two Redirect URIs are displayed in the pop-up banner.
    2. Copy both URIs to a file or write them down for later use in subsequent steps to configure the AD FS server.
    3. Close the pop-up banner.
  4. Create an OpenID Connect configuration in AD FS and configure it for vCenter Server.
    To establish a relying party trust between vCenter Server and an identity provider, you must establish the identifying information and a shared secret between them. In AD FS, you do so by creating an OpenID Connect configuration known as an Application Group, which consists of a Server application and a Web API. The two components specify the information that vCenter Server uses to trust and communicate with the AD FS server. To enable OpenID Connect in AD FS, see the VMware knowledge base article at https://kb.vmware.com/s/article/78029.

    Note the following when you create the AD FS Application Group.

    • You need the two Redirect URIs you obtained and saved from the prior step.
    • Copy the following information to a file or write it down for use when configuring the vCenter Server Identity Provider in the next step.
      • Client Identifier
      • Shared secret
      • OpenID address of the AD FS server
  5. Create an identity provider on vCenter Server.
    1. Return to the Identity Provider tab in the vSphere Client.
    2. Click the "Change identity provider" link.
      The Configure Main Identity Provider wizard opens.
    3. Select Microsoft ADFS and click Next.
      Enter the information that you have gathered previously for the following text boxes:
      • Client Identifier
      • Shared Secret
      • OpenID Address of the AD FS server
    4. Click Next.
    5. Enter user and group information for the Active Directory over LDAP connection to search for users and groups.
      Option Description
      Base distinguished name for users Base Distinguished Name for users.
      Base distinguished name for groups The base Distinguished Name for groups.
      Username ID of a user in the domain who has a minimum of read-only access to Base DN for users and groups.
      Password ID of a user in the domain who has a minimum of read-only access to Base DN for users and groups.
      Primary server URL Primary domain controller LDAP server for the domain.

      Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for LDAP connections and 636 for LDAPS connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS.

      A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use ldaps:// in the primary or secondary LDAP URL.

      Secondary server URL Address of a secondary domain controller LDAP server that is used for failover.
      SSL certificates If you want to use LDAPS with your Active Directory LDAP Server or OpenLDAP Server identity source, click Browse to select a certificate.
    6. Click Next, review the information, and click Finish to complete the wizard.
  6. Navigate to the vCenter Single Sign-On user configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Users and Groups.
  7. Configure group memberships or privileges through global or object permissions in vCenter Server for AD FS Authorization.
    1. Click the Groups tab.
    2. Click the Administrators group and click Add Members.
    3. Select Microsoft ADFS from the drop-down menu.
    4. In the text box below the drop-down menu, enter vcenter and wait for the drop-down selection to appear.
      It might take several seconds for the selection to appear as vCenter Server establishes the connection to and searches Active Directory.
    5. Select VCenterAdmins and add it to the group.
    6. Click Save.
  8. Verify logging in to vCenter Server with an Active Directory user.