When managing the life cycle of vCenter Server Identity Provider Federation, there are some specific considerations.

You can manage your vCenter Server Identity Provider Federation life cycle in the following ways.

Migrating from Using Active Directory to AD FS

If you are using Active Directory as your identity source for vCenter Server, migrating to AD FS is straightforward. If the Active Directory groups and roles that your vCenter Server permissions rely on match the groups and roles you use with AD FS, you do not need to take any additional action. When the groups and roles do not match, you must reconcile them before cutting over, so that existing vCenter Server permissions still resolve to the groups that users authenticating through AD FS belong to. If vCenter Server is a domain member, consider removing it from the domain, because domain membership is neither needed nor used for identity federation.

Cross-Domain Repointing and Migration

vCenter Server Identity Provider Federation supports cross-domain repointing, that is, moving a vCenter Server from one vSphere SSO domain to another. The repointed vCenter Server receives the replicated AD FS configuration from the vCenter Server system, or systems, to which it was pointed.

In general, you do not need to perform any additional AD FS reconfiguration for a cross-domain repoint, unless one of the following is true.

  1. The AD FS configuration of the repointed vCenter Server differs from the AD FS configuration of the vCenter Server to which it was pointed.
  2. This is the first time the repointed vCenter Server is receiving an AD FS configuration.

In these cases, you must add the vCenter Server system's Redirect URIs to the corresponding Application Group on the AD FS server. For example, if vCenter Server 1 with AD FS Application Group A (or no AD FS configuration) is repointed to vCenter Server 2 with AD FS Application Group B, you must add the Redirect URIs of vCenter Server 1 to Application Group B. The Redirect URIs are the ones the vSphere Client displays when you configure the identity provider. Until they are registered, AD FS rejects authorization requests from vCenter Server 1 because the redirect_uri in the request does not match any URI registered for the application, so federated logins to vCenter Server 1 fail even though its AD FS configuration is otherwise complete. Do not replace the existing URIs of Application Group B when you add the new ones, or logins to vCenter Server 2 break instead.
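The repoint case described above, as an added example that is not part of the vCenter Server documentation and not VMware tooling: a PowerShell fragment, run in an elevated session on the AD FS server, that adds the Redirect URIs of vCenter Server 1 to Application Group B without dropping the URIs vCenter Server 2 already uses. The application group name, the vCenter Server FQDN and the Redirect URI paths are assumptions for illustration; take the real Redirect URIs from the vSphere Client identity provider configuration of vCenter Server 1.

```powershell
# Added example, not from the vCenter Server documentation or VMware tooling.
# Merges a repointed vCenter Server's Redirect URIs into the AD FS application
# group that the target vCenter Server already uses. Run on an AD FS server.
Import-Module ADFS

$AppGroupName = 'vCenter Application Group B'   # assumed name of Application Group B
$NewVCenter   = 'vc1.example.com'               # assumed FQDN of repointed vCenter Server 1

# Assumed Redirect URI pattern; use the exact values shown in the vSphere Client
# for vCenter Server 1 rather than deriving them from the FQDN.
$NewRedirectUris = @(
    "https://$NewVCenter/ui/login/oauth2/authcode",
    "https://$NewVCenter/ui/login/oauth2/code"
)

# Locate Application Group B and its server application (the OIDC client that
# vCenter Server presents to AD FS). A vCenter application group normally holds
# exactly one server application; the first one is taken here.
$group = Get-AdfsApplicationGroup -Name $AppGroupName
if (-not $group) { throw "Application group '$AppGroupName' not found" }

$serverApp = Get-AdfsServerApplication -ApplicationGroupIdentifier $group.ApplicationGroupIdentifier |
    Select-Object -First 1
if (-not $serverApp) { throw "No server application found in '$AppGroupName'" }

# Set-AdfsServerApplication -RedirectUri replaces the whole list rather than
# appending to it, so merge the existing URIs (vCenter Server 2's) with the new ones.
$merged = @($serverApp.RedirectUri) + $NewRedirectUris | Sort-Object -Unique

# Authorization codes are delivered to these URIs, so refuse anything that is
# not a well-formed absolute https:// URI before touching the AD FS configuration.
foreach ($uri in $merged) {
    if (-not [Uri]::IsWellFormedUriString($uri, [UriKind]::Absolute) -or
        -not $uri.StartsWith('https://', [StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing to register malformed or non-HTTPS redirect URI: $uri"
    }
}

Set-AdfsServerApplication -TargetIdentifier $serverApp.Identifier -RedirectUri $merged

# Verify that every URI vCenter Server 1 needs is now registered, and that
# nothing previously registered was lost.
$after   = (Get-AdfsServerApplication -Identifier $serverApp.Identifier).RedirectUri
$missing = @($NewRedirectUris + $serverApp.RedirectUri) | Where-Object { $after -notcontains $_ }
if ($missing) { throw "Redirect URIs missing after update: $($missing -join ', ')" }

Write-Output "Registered redirect URIs for '$($serverApp.Name)':"
$after
```

The merge step is the part worth keeping even if you do this in the AD FS management console instead: the redirect URI list on the server application is authoritative, and an overwrite that omits the original vCenter Server's URIs produces the same login failure on that system that the repoint was supposed to avoid on the new one.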