After installing or upgrading to vSphere 8.0 Update 3, you can configure vCenter Server Identity Provider Federation for PingFederate as an external identity provider.

vCenter Server supports only one configured external identity provider (one source), and the vsphere.local identity source (local source). You cannot use multiple external identity providers. vCenter Server Identity Provider Federation uses OpenID Connect (OIDC) for user login to vCenter Server.

You can configure privileges using PingFederate groups and users through global or object permissions in vCenter Server. See the vSphere Security documentation for details about adding permissions.

Prerequisites

Ensure that you have the following information from the PingFederate OpenID Connect application:
  • Client Identifier
  • Client secret (shown as Shared secret in the vSphere Client)
  • Active Directory domain information, or PingFederate domain information if you are not running Active Directory

Procedure

  1. To create the identity provider on vCenter Server:
    1. Use the vSphere Client to log in as an administrator to vCenter Server.
    2. Go to Home > Administration > Single Sign On > Configuration.
    3. Click Change Provider and select PingFederate.
      The Configure Main Identity Provider wizard opens.
    4. In the Prerequisites panel, review the PingFederate, vCenter Server, and other requirements.
    5. Click Run Prechecks.
      If the precheck finds errors, click View Details and take steps to resolve the errors as indicated.
    6. When the precheck passes, select the confirmation checkbox, then click Next.
    7. In the Directory Information panel, enter the following information.
      • Directory Name: Name of the local directory to create on vCenter Server that stores the users and groups pushed from PingFederate. For example, vcenter-PingFederate-directory.
      • Domain Name(s): Enter the PingFederate domain names that contain the PingFederate users and groups you want to synchronize with vCenter Server.

        After you enter your PingFederate domain name, click the Plus icon (+) to add it. If you enter multiple domain names, specify the default domain.

    8. Click Next.
    9. In the OpenID Connect panel, enter the following information.
      • Redirect URI: Filled in automatically. This redirect URI must match the one you use when creating the OpenID Connect application in PingFederate.
      • Identity Provider Name: Filled in automatically as PingFederate.
      • Client Identifier: Obtained when you created the OpenID Connect application. (PingFederate refers to Client Identifier as the Client ID.)
      • Shared Secret: Obtained when you created the OpenID Connect application in PingFederate. (PingFederate refers to Shared Secret as the Client Secret.)
      • OpenID Address: Takes the form https://PingFederate_domain_space/idp/.well-known/openid-configuration.

        For example, if your PingFederate domain space is example.PingFederate.com, then the OpenID Address is: https://example.PingFederate.com/idp/.well-known/openid-configuration

      • SSL Certificate: Optionally, browse for the PingFederate SSL certificate, or certificate chain, and upload it to vCenter Server. This is needed only if the certificate was not issued by a well-known, public Certificate Authority. To export the PingFederate SSL certificate, in the Admin Console, go to Security > SSL Server Certificates, select the default certificate, and select Export from the Select Action drop-down. For more information, see the article, Exporting a certificate, at https://docs.pingidentity.com/r/en-us/pingfederate-111/nfv1585678806463. You can export the PingFederate SSL certificate without the private key, as the private key is not needed for the vCenter Server configuration.
    10. Click Next.
    11. Review the information and click Finish.
      vCenter Server creates the PingFederate identity provider and displays the configuration information.
  2. Under User Provisioning, click Generate to create the secret token, select the token lifespan from the drop-down, then click Copy to Clipboard. Save the token to a secure location.
    When you create the PingFederate SP Connection (SCIM application), you use the token to synchronize the PingFederate users and groups into VMware Identity Services.
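A small pre-check you can run before step 9, added here as an example and not part of the VMware or Ping Identity documentation: it builds the OpenID Address from a PingFederate domain space in the form shown above, fetches the discovery document with TLS verification pinned to the exported PingFederate certificate when one is needed, and flags a document that lacks the endpoints vCenter Server relies on or whose endpoints point at a different host than the OpenID Address. The sample discovery document and host names are constructed for illustration.

```python
from __future__ import annotations

import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Endpoints an OIDC discovery document must advertise for vCenter Server to
# redirect users to PingFederate and to validate the tokens PingFederate returns.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def build_openid_address(domain_space: str) -> str:
    """Build the OpenID Address in the form the procedure above expects."""
    host = domain_space.strip().removeprefix("https://").rstrip("/")
    return f"https://{host}/idp/.well-known/openid-configuration"


def fetch_discovery(openid_address: str, ca_bundle: str | None = None) -> dict:
    """Fetch the discovery document. Pass ca_bundle (a PEM path holding the exported
    PingFederate certificate chain) when the certificate is not from a public CA;
    certificate verification is never disabled."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(openid_address, context=ctx, timeout=10) as resp:
        return json.load(resp)


def validate_discovery(doc: dict, openid_address: str) -> list[str]:
    """Return the problems found; an empty list means the document looks usable."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not doc.get(f)]
    expected_host = urlparse(openid_address).hostname
    for field in REQUIRED_FIELDS:
        value = doc.get(field)
        if not value:
            continue  # already reported as missing
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{field} is not https: {value}")
        if parsed.hostname != expected_host:
            problems.append(f"{field} host {parsed.hostname} != {expected_host}")
    return problems


# Constructed sample in the shape of a PingFederate discovery document (not captured
# from a real server); token_endpoint deliberately points at a different host.
SAMPLE_DOC = {
    "issuer": "https://example.PingFederate.com",
    "authorization_endpoint": "https://example.PingFederate.com/as/authorization.oauth2",
    "token_endpoint": "https://sso.example.net/as/token.oauth2",
    "jwks_uri": "https://example.PingFederate.com/pf/JWKS",
}

if __name__ == "__main__":
    address = build_openid_address("example.PingFederate.com")
    for problem in validate_discovery(SAMPLE_DOC, address):
        print("WARN:", problem)
```

Replace SAMPLE_DOC with the result of fetch_discovery(address, "pingfederate-chain.pem") to check a live PingFederate instance.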

What to do next

Continue with Create the SCIM Application (SP Connection).