After installing or upgrading to vSphere 7.0 or later, you can configure vCenter Server Identity Provider Federation for AD FS as an external identity provider.

Note: These instructions are for vSphere 8.0 Update 1 and later. For vSphere 8.0, see the topic about configuring vCenter Server identity provider federation for AD FS in the vSphere Authentication documentation at https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-documentation-80.zip.

vCenter Server supports only one configured external identity provider (one source), and the vsphere.local identity source. You cannot use multiple external identity providers. vCenter Server Identity Provider Federation uses OpenID Connect (OIDC) for user login to vCenter Server.

This task describes how to add an AD FS group to the vSphere Administrators group as the way to control permissions. You can also configure privileges using AD FS Authorization through global or object permissions in vCenter Server. See the vSphere Security documentation for details about adding permissions.

Caution:

If you use an Active Directory identity source that you previously added to vCenter Server for your AD FS identity source, do not delete that existing identity source from vCenter Server. Doing so causes a regression with previously assigned roles and group memberships. Both the AD FS user with global permissions and users that were added to the Administrators group will not be able to log in.

Workaround: If you do not need the previously assigned roles and group memberships, and want to remove the previous Active Directory identity source, remove the identity source before creating the AD FS provider and configuring group memberships in vCenter Server.

Prerequisites

Note: This process of configuring an AD FS identity provider requires that you have administrative access to both your vCenter Server and your AD FS server. During the configuration process, you enter information first in your vCenter Server, then in your AD FS server, then in your vCenter Server.

Active Directory Federation Services requirements:

  • AD FS for Windows Server 2016 or later must already be deployed.
  • AD FS must be connected to Active Directory.
  • An Application Group for vCenter Server must be created in AD FS as part of the configuration process. See the VMware knowledge base article at https://kb.vmware.com/s/article/78029.
  • An AD FS server certificate (or a CA or intermediate certificate that signed the AD FS server certificate) that you add to the Trusted Root Certificates Store.
  • You have created a vCenter Server administrators group in AD FS that contains the users you want to grant vCenter Server administrator privileges to.

For more information about configuring AD FS, see the Microsoft documentation.

vCenter Server and other requirements:

  • vSphere 7.0 or later
  • vCenter Server must be able to connect to the AD FS discovery endpoint, and the authorization, token, logout, JWKS, and any other endpoints advertised in the discovery endpoint metadata.
  • You need the VcIdentityProviders.Manage privilege to create, update, or delete a vCenter Server Identity Provider that is required for federated authentication. To limit a user to view the Identity Provider configuration information only, assign the VcIdentityProviders.Read privilege.

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Add your AD FS server certificate (or a CA or intermediate certificate that signed the AD FS server certificate) to the Trusted Root Certificates Store.
    1. Navigate to Administration > Certificates > Certificate Management.
    2. Next to Trusted Root Store, click Add.
    3. Browse for the AD FS certificate and click Add.
      The certificate is added in a panel under Trusted Root Certificates.
  3. Start to create the identity provider on vCenter Server.
    1. Use the vSphere Client to log in as an administrator to vCenter Server.
    2. Navigate to Home > Administration > Single Sign On > Configuration.
    3. Click Change Provider and select ADFS.
      The Configure Main Identity Provider wizard opens.
    4. In the Prerequisites panel, review the AD FS and the vCenter Server requirements.
    5. Click Run Prechecks.
      If the precheck finds errors, click View Details and take steps to resolve the errors as indicated.
    6. When the precheck passes, select the confirmation check box, then click Next.
    7. In the Users and Groups panel, enter user and group information for the Active Directory over LDAP connection to search for users and groups.
      vCenter Server derives the AD domain to use for authorization and permissions from the Base Distinguished Name for users. You can add permissions on vSphere objects only for users and groups from this AD domain. Users or groups from AD child domains or other domains in the AD forest are not supported by vCenter Server Identity Provider Federation.
      Option: Description
      • Base distinguished name for users: Base Distinguished Name for users.
      • Base distinguished name for groups: Base Distinguished Name for groups.
      • Username: ID of a user in the domain who has a minimum of read-only access to the Base DN for users and groups.
      • Password: Password of the user in the domain who has a minimum of read-only access to the Base DN for users and groups.
      • Primary server URL: Primary domain controller LDAP server for the domain.
        Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for LDAP connections and 636 for LDAPS connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS.
        A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use ldaps:// in the primary or secondary LDAP URL.
      • Secondary server URL: Address of a secondary domain controller LDAP server that is used for failover.
      • SSL certificates: If you want to use LDAPS with your Active Directory LDAP Server or OpenLDAP Server identity source, click Browse to select a certificate.
    8. Click Next.
    9. In the OpenID Connect panel, copy the Redirect URI and the Log-out Redirect URI.
      Leave the other fields blank for now. You return to the OpenID Connect panel after creating the OpenID Connection configuration in the next step.
  4. Create an OpenID Connect configuration in AD FS and configure it for vCenter Server.
    To establish a relying party trust between vCenter Server and an identity provider, you must establish the identifying information and a shared secret between them. In AD FS, you do so by creating an OpenID Connect configuration known as an Application Group, which consists of a Server application and a Web API. The two components specify the information that vCenter Server uses to trust and communicate with the AD FS server. To enable OpenID Connect in AD FS, see the VMware knowledge base article at https://kb.vmware.com/s/article/78029.

    Note the following when you create the AD FS Application Group.

    • You need the two vCenter Server Redirect URIs obtained in the preceding step.
    • Copy the following information from the AD FS Application Group to a file or write it down for use when finishing the creation of the vCenter Server identity provider in the next step.
      • Client Identifier
      • Shared secret
      • OpenID address of the AD FS server
    Note: If necessary, obtain the OpenID address of your AD FS server by running the following PowerShell command as an AD FS administrator.
    Get-AdfsEndpoint | Select FullUrl | Select-String openid-configuration

    Copy the URL that is returned (select only the URL itself, not the closing bracket or the initial "@{FullUrl=" part).

  5. In the vCenter Server OpenID Connect panel:
    1. Enter the following information, which you obtained from the previous step when creating the AD FS Application Group:
      • Client Identifier
      • Shared Secret
      • OpenID Address

      The Identity Provider Name is automatically filled in as Microsoft ADFS.

    2. Click Next.
  6. Review the information and click Finish.
    vCenter Server creates the AD FS identity provider and displays the configuration information.
  7. Configure group membership in vCenter Server for AD FS Authorization.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Users and Groups.
    3. Click the Groups tab.
    4. Click the Administrators group and click Add Members.
    5. Select the domain from the drop-down menu.
    6. In the text box below the drop-down menu, enter the first few characters of the AD FS group that you want to add, then wait for the drop-down selection to appear.
      It might take several seconds for the selection to appear as vCenter Server establishes the connection to and searches Active Directory.
    7. Select the AD FS group and add it to the Administrators group.
    8. Click Save.
  8. Verify logging in to vCenter Server with an Active Directory user.
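As an added example that is not part of the VMware documentation or of the vCenter Server precheck: a small Python helper that encodes the rules stated above for two inputs this procedure asks for, the Active Directory LDAP server URLs (step 3.7) and the AD FS OpenID discovery metadata (step 4, the endpoints listed under the vCenter Server requirements). The host names and the discovery document are constructed sample values, not output from a real AD FS server.

```python
"""Added precheck helper (not VMware's own Run Prechecks) for two inputs of this
procedure: the AD LDAP server URLs and the AD FS OpenID discovery document."""
import json
from urllib.parse import urlparse

# Endpoints vCenter Server must reach, as advertised in the discovery metadata.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "jwks_uri", "end_session_endpoint")
# Typical ports: 389/636 for a single DC, 3268/3269 for the global catalog.
LDAP_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

def check_ldap_url(url, has_cert):
    """Return problems found in a primary or secondary LDAP server URL."""
    u = urlparse(url)
    if u.scheme not in LDAP_PORTS:
        return [f"{url}: scheme must be ldap or ldaps"]
    problems = []
    if not u.hostname or u.port is None:
        problems.append(f"{url}: use the form {u.scheme}://hostname:port")
    elif u.port not in LDAP_PORTS[u.scheme]:
        problems.append(f"{url}: port {u.port} is unusual for {u.scheme}")
    if u.scheme == "ldaps" and not has_cert:
        problems.append(f"{url}: ldaps:// needs the AD LDAPS certificate")
    return problems

def check_discovery(openid_address, doc_json):
    """Return problems found in the discovery document served at openid_address."""
    problems = []
    if not openid_address.endswith(DISCOVERY_SUFFIX):
        problems.append(f"OpenID address should end with {DISCOVERY_SUFFIX}")
    doc = json.loads(doc_json)
    issuer, addr = urlparse(doc.get("issuer", "")), urlparse(openid_address)
    if issuer.scheme != "https" or issuer.hostname != addr.hostname:
        problems.append("issuer must be https on the same host as the OpenID address")
    for key in REQUIRED_ENDPOINTS:
        endpoint = doc.get(key)
        if not endpoint:
            problems.append(f"discovery metadata lacks {key}")
        elif urlparse(endpoint).scheme != "https":
            problems.append(f"{key} is not https: {endpoint}")
    return problems

# Constructed sample AD FS discovery document so the checks run offline.
BASE = "https://adfs.example.test/adfs"
SAMPLE_ADDRESS = BASE + DISCOVERY_SUFFIX
SAMPLE_DISCOVERY = json.dumps({
    "issuer": BASE, "jwks_uri": BASE + "/discovery/keys",
    "authorization_endpoint": BASE + "/oauth2/authorize/",
    "token_endpoint": BASE + "/oauth2/token/", "end_session_endpoint": BASE + "/oauth2/logout"})
```

To run it against a live environment, fetch the OpenID address returned by Get-AdfsEndpoint over HTTPS and pass the response body as doc_json; an empty list from both functions means the inputs match the rules above.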