You can federate vCenter Server to Active Directory Federation Services (AD FS) as an external identity provider by using the vCenter Server Identity Providers functionality.
You can configure vCenter Server to federate with AD FS as an external identity provider.
Prerequisites
Active Directory Federation Services requirements:
- AD FS for Windows Server 2016 or later must already be deployed.
- AD FS must be connected to Active Directory.
- An Application Group for vCenter Server must be created in AD FS as part of the configuration process. See the VMware knowledge base article at https://kb.vmware.com/s/article/78029.
- An AD FS root CA certificate added to the Trusted Root Certificates Store (also called the VMware Certificate Store).
- You have created a vCenter Server administrators group in AD FS that contains the users you want to grant vCenter Server administrator privileges to.
For more information about configuring AD FS, see the Microsoft documentation.
vCenter Server and other requirements:
- vSphere 7.0 or later
- vCenter Server must be able to connect to the AD FS discovery endpoint, and the authorization, token, logout, JWKS, and any other endpoints advertised in the discovery endpoint metadata.
- You need the privilege to create, update, or delete a vCenter Server Identity Provider that is required for federated authentication. To limit a user to view the Identity Provider configuration information only, assign the privilege.
Procedure
- Authenticate to the vSphere Automation API endpoint and establish a session.
- Add your AD FS root CA certificate to the Trusted Root Certificates Store.
- Populate the oidc data structure by using the Application Group configuration from AD FS.
Parameter |
Description |
discovery_endpoint |
The OpenID address of the AD FS server. |
client_id |
The client identifier of the AD FS Application Group. |
client_secret |
The secret shared between the client and the provider. |
claim_map |
This parameter is required but not applicable to AD FS. Use an empty array []. |
- Populate the active_directory_over_ldap data structure.
Parameter |
Description |
user_name |
The user name of a user in the domain who has a minimum of read-only access to base Distinguished Name (DN) for users and groups. |
password |
The password of a user in the domain who has a minimum of read-only access to base DN for users and groups. |
users_base_dn |
The base DN for users in the Active Directory environment connected to AD FS that you want to be able to federate with vCenter Server. |
groups_base_dn |
The base DN for groups in the Active Directory environment connected to AD FS that you want to be able to federate with vCenter Server. |
server_endpoints |
Active directory server endpoints. At least one active directory server endpoint must be set. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for LDAP connections and 636 for LDAPS connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS. |
cert_chain |
The SSL certificate chain in base64 encoding. This parameter can be skipped only if all the active directory server endpoints use the LDAP (and not the LDAPS) protocol. |
- Populate the request body parameters.
Parameter |
Description |
config_tag |
The configuration type of the identity provider. The possible values are oauth2 and oidc. For AD FS federation, use oidc. |
name |
The user-friendly name for the identity provider. You must use the exact string Microsoft ADFS for proper configuration. |
upn_claim |
The name of the claim in the AD FS JWT token that contains the user principal name of the user that is logging in. You must use the same value that you used when you set up the AD FS Application Group. The procedure from the article in the prerequisites uses upn. If unset, the default value is acct. |
groups_claim |
The name of the claim in the AD FS JWT token that contains the group membership of the user that is logging in. You must use the same value that you used when you set up the AD FS Application Group. The procedure from the article in the prerequisites uses group. If unset, the groups for the subject consist of the groups in group_names and group_ids claims. |
is_default |
Set to true. Specifies whether the provider is the default provider. Setting is_default to true makes all other providers non-default. If unset, the provider is set as the default provider, if it is the first created provider, and if it is not, it is not set as the default provider. |
oidc |
Data structure for oidc. |
idm_protocol |
The communication protocol used to connect to AD FS to search for users and groups when assigning permissions in vCenter Server. You must use LDAP. If unset, no communication protocol is configured for the users and groups search. |
active_directory_over_ldap |
Data structure for active_directory_over_ldap. |
- Create the provider .
POST https://{server}/rest/vcenter/identity/providers
The operation returns the ID of the provider you created.
- Configure vCenter Server permissions for Active Directory users or groups in your AD FS environment.
You can do this in two ways:
Note:
In vSphere 7.0.x, you cannot configure permissions through the vSphere Automation API. Instead, you can use the vSphere Clientor the vSphere Web Services API. For more information, see the vSphere Authentication Guide or the vSphere Web Services SDK Programming Guide.
- (Optional) Copy the two redirect URIs from the Identity Provider Configuration page in the vSphere Client and add them to your AD FS Application Group.
Note:
You must do this step to enable logging in to vCenter Server through AD FS by using the vSphere Client.
Results
You configured vCenter Server to use AD FS as the identity provider.
What to do next
Use your AD FS user name and password to log in to vCenter Server.
