To use the vSphere programming features effectively, you must understand a set of specific authentication terms and concepts.
Term | Definition |
---|---|
Principal | An entity that can be authenticated, such as a user. |
Identity Provider | A service that manages identity sources and authenticates principals. Examples: Microsoft Active Directory Federation Services (AD FS) and vCenter Single Sign-On. |
Identity Source (Directory Service) | Stores and manages principals. Principals consist of a collection of attributes about a user or a service account such as name, address, email, and group membership. Examples: Microsoft Active Directory and VMware Directory Service (vmdir). |
Authentication | The means of determining whether someone or something is, in fact, who or what it declares itself to be. For example, users are authenticated when they provide their credentials, such as smart cards, user name and correct password, and so on. |
Authorization | The process of verifying what objects principals have access to. |
Token | A signed collection of data comprising the identity information for a given principal. A token might include not only basic information about the principal such as email address and full name, but also, depending on the token type, the principal's groups and roles. |
vmdir | VMware Directory Service. The internal (local) LDAP repository in vCenter Server that contains user identities, groups, and configuration data. |
OAuth 2.0 | An open authorization standard that enables the exchange of information among principals and web services without exposing principals’ credentials. |
OpenID Connect (OIDC) | Authentication protocol based on OAuth 2.0 that augments OAuth with user-identifying information. It is represented by the ID token that the authorization server returns together with the access token during OAuth authentication. vCenter Server uses OIDC capabilities when interacting with Active Directory Federation Services (AD FS), Okta, Microsoft Entra ID, and PingFederate. |
System for Cross-domain Identity Management (SCIM) | The standard for automating the exchange of user identity information between identity domains or IT systems. |
VMware Identity Services | Starting in version 8.0 Update 1, VMware Identity Services is a built-in container within vCenter Server that you can use for identity federation to external identity providers. It serves as an independent identity broker within vCenter Server and comes with its own set of APIs. Currently, VMware Identity Services supports Okta, Microsoft Entra ID, and PingFederate as external identity providers. |
Tenant | A VMware Identity Services concept. A tenant provides a logical separation of data from other tenants’ data in one and the same virtual environment. |
JSON Web Token (JWT) | A token format defined by the OAuth 2.0 specification. A JWT carries authentication and authorization information about a principal. |
Relying party | A relying party “relies” on the authorization server, VMware Identity Services or AD FS, for identity management. For example, through federation, vCenter Server establishes relying party trust to VMware Identity Services or AD FS. |
Security Assertion Markup Language (SAML) | An XML-based open standard for exchanging authentication and authorization data between parties that is used by vCenter Server. Principals obtain a SAML token from vCenter Single Sign-On and then send it to the vSphere Automation API endpoint for a session identifier. |