Learn more about the availability considerations in Enhanced Linked Mode configurations with Okta, Microsoft Entra ID, or PingFederate.

Prerequisites

  • Two or more vCenter Server systems in an Enhanced Linked Mode configuration. For example, the systems are labeled as VC_1, VC_2, VC_3, through VC_N, where N is the number of vCenter Server systems in the Enhanced Linked Mode configuration.
  • For Okta and Microsoft Entra ID, all vCenter Server systems must run vSphere 8.0 Update 2 or later. For PingFederate, all vCenter Server systems must run at least vSphere 8.0 Update 3.
  • Okta, Microsoft Entra ID, or PingFederate is configured as an external identity provider on one of the vCenter Server systems. For example, the system is labeled as VC_1.
  • The external identity provider is configured with all required OAuth2 and SCIM applications.

Procedure

  1. To activate a given vCenter Server VC_i, where i is between 2 and N:
    1. Obtain local shell access to VC_i to run the activation script.
      Note: For the following steps, the credentials of a vCenter Server user account with administrative privileges can be supplied either on the command line or at the console prompts.
    2. Execute 'status' from the activation script to get the current activation state of the vCenter Server.
      python /usr/lib/vmware-trustmanagement/vmware_identity_services_activation.py status
    3. If the 'status' command indicates that the vCenter Server is not activated, execute 'activate' from the activation script:
      python /usr/lib/vmware-trustmanagement/vmware_identity_services_activation.py activate
    4. If the 'status' command indicates that the vCenter Server is already activated, execute the 'deactivate' option and then the 'activate' option:
      python /usr/lib/vmware-trustmanagement/vmware_identity_services_activation.py deactivate
      • After 'deactivate' completes, execute the 'activate' option as in the previous step.
      • Alternatively, specify the '--force-replace' option in the 'activate' command to replace the existing activation in one step.
  2. Open a browser to the vCenter Server VC_i and log in as an administrator to vCenter Server.
    1. Navigate to Home > Administration > Single Sign On > Configuration.
    2. Under User Provisioning, verify that the Tenant URL contains the FQDN of VC_i.
    3. Copy the Tenant URL string and save it for use with the external identity provider.
    4. Under Secret Token, click Generate, copy the generated token string, and save it for use with the external identity provider.
    5. Under OpenID Connect, verify that the Redirect URI contains the FQDN of VC_i.
    6. Copy the Redirect URI string and save it for use with the external identity provider.
  3. Open a browser to the administration page of the external identity provider.
    Note: Refer to the documentation of your external identity provider for the specifics of the following steps.
    1. Find the OAuth2 registration that was set up when the external identity provider was originally configured in VC_1.
    2. Edit the OAuth2 registration and add the Redirect URI that was previously obtained for VC_i.
    3. If the external identity provider supports SCIM Push configurations with multiple destinations, then:
      • Find the SCIM Push configuration that was set up when the external identity provider was originally configured in VC_1.
      • Edit the SCIM Push configuration and add the Tenant URL and Secret Token that were previously obtained for VC_i.
    4. If the external identity provider supports SCIM Push configurations with only one destination:
      • Create a new SCIM Push configuration with the Tenant URL and Secret Token that were previously obtained for VC_i.
      • Ensure that the SCIM Push configuration pushes the same user and group data as the SCIM Push configuration that was set up when the external identity provider was originally configured in VC_1.
    5. Initiate a SCIM push operation to ensure that VC_i is populated with the latest user or group data.
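Steps 2 and 3 leave a lot of copied strings behind, and a vCenter Server that is missing from the OAuth2 redirect URI list or from the SCIM push destinations only shows up as a login or provisioning failure later. The following added example (not VMware code, and not part of the activation script) is a consistency check a practitioner can run against the values collected from each VC_i and the entries registered at Okta, Microsoft Entra ID or PingFederate. The hostnames and URL paths in the sample data are constructed; the real Tenant URL and Redirect URI strings come from Home > Administration > Single Sign On > Configuration on each vCenter Server.

```python
"""Consistency check for the identity-provider side of an Enhanced Linked Mode
deployment with an external identity provider (added example, not VMware code).

Every VC_i needs its Redirect URI in the OAuth2 registration and its Tenant URL
(with a Secret Token) in a SCIM push destination.  Entries on the IdP side that
belong to no known vCenter Server, or that are not HTTPS, are flagged as well.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class IdpRegistration:
    """What is currently registered at the external identity provider."""
    redirect_uris: list        # OAuth2 registration: all allowed redirect URIs
    scim_tenant_urls: list     # SCIM push destinations, one Tenant URL per VC_i


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def verify_local_values(vc_fqdn, tenant_url, redirect_uri):
    """Step 2 check for one vCenter Server: both URLs must point at VC_i over HTTPS."""
    fqdn = vc_fqdn.lower()
    return all(
        urlparse(u).scheme == "https" and host_of(u) == fqdn
        for u in (tenant_url, redirect_uri)
    )


def check_elm_idp(vcenter_fqdns, reg):
    """Step 3 check across the whole Enhanced Linked Mode configuration.

    Returns a dict of sorted lists: vCenter hosts missing from either IdP list,
    registered hosts that belong to no known vCenter Server, and non-HTTPS entries.
    """
    known = {f.lower() for f in vcenter_fqdns}
    redirect_hosts = {host_of(u) for u in reg.redirect_uris}
    scim_hosts = {host_of(u) for u in reg.scim_tenant_urls}
    return {
        "missing_redirect_uri": sorted(known - redirect_hosts),
        "missing_scim_destination": sorted(known - scim_hosts),
        "unknown_redirect_uri": sorted(redirect_hosts - known),
        "unknown_scim_destination": sorted(scim_hosts - known),
        "non_https": sorted(
            u for u in reg.redirect_uris + reg.scim_tenant_urls
            if urlparse(u).scheme != "https"
        ),
    }


# Constructed sample: three vCenter Servers; the IdP only knows two of them,
# still carries an entry for a decommissioned host, and has one plain-HTTP URL.
# Hostnames and URL paths are assumptions, not values from a real deployment.
VCENTERS = ["vc-1.example.com", "vc-2.example.com", "vc-3.example.com"]
SAMPLE_REG = IdpRegistration(
    redirect_uris=[
        "https://vc-1.example.com/ui/login/oauth2/authcode",
        "https://vc-2.example.com/ui/login/oauth2/authcode",
        "https://old-vc.example.com/ui/login/oauth2/authcode",
    ],
    scim_tenant_urls=[
        "https://vc-1.example.com/scim/v2",
        "http://vc-2.example.com/scim/v2",
    ],
)

if __name__ == "__main__":
    for key, items in check_elm_idp(VCENTERS, SAMPLE_REG).items():
        print(f"{key}: {items or 'ok'}")
```

On the sample data the check reports vc-3.example.com as missing from both IdP lists, old-vc.example.com as an unknown redirect URI that should be removed from the OAuth2 registration, and the HTTP SCIM destination for vc-2.example.com as non-HTTPS. Run `verify_local_values` once per VC_i with the strings copied in step 2 before touching the identity provider, and `check_elm_idp` after step 3 with the lists as they appear in the IdP console.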