Starting with vSphere 7.0, you can federate your vCenter Server to external identity providers through the OAuth 2.0 authorization framework and the OpenID Connect (OIDC) authentication protocol.
With identity federation, you can use the same identity source for your vCenter Server that you use for your other federated desktop and cloud applications.
vCenter Server Identity Provider Federation Basics
In vSphere 7.0 and later, vCenter Server supports federated authentication. In this scenario, when a user logs in to vCenter Server, vCenter Server redirects the user login to the external identity provider. The user credentials are no longer provided to vCenter Server directly. Instead, the user provides credentials to the external identity provider. vCenter Server trusts the external identity provider to perform the authentication. In the federation model, users never provide credentials directly to any service or application but only to the identity provider. As a result, you "federate" your applications and services, such as vCenter Server, with your identity provider.
Why Is Identity Provider Federation Useful
Federating vCenter Server to an enterprise identity provider alleviates the burden of identity management and provides flexible options such as multifactor authentication (MFA) and automatic registration and termination of users across services, among others. Identity provider federation uses token-based authentication and minimizes the risk of bad actors acquiring protected credentials such as user names and passwords. Identity provider federation also helps your organization with compliance, as various international standards already require MFA to guarantee data security. In addition, with identity provider federation, you can automate vCenter Server user management because you use the users and groups from your main enterprise identity source, for example Microsoft Active Directory.
vCenter Server External Identity Provider Support
vCenter Server supports the following external identity providers:
- AD FS (vSphere 7.0 and later)
- Okta (starting in vSphere 8.0 Update 1)
- Azure AD (starting in vSphere 8.0 Update 2)
Identity Provider Federation to Microsoft Active Directory Federation Services (AD FS)
In vSphere 7.0 and later, you can activate identity federation to Microsoft Active Directory Federation Services (AD FS). In this scenario, vCenter Server federates directly to the enterprise identity provider, AD FS, without the use of an authentication intermediary service.
You can configure federation to AD FS with the help of the vSphere Automation API. For more information, see Federate vCenter Server to Microsoft Active Directory Federation Services (AD FS).
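As an added illustration (not VMware's own code or documentation) of what registering AD FS through the vSphere Automation API involves, the following script builds the OIDC provider create spec, enforces the one-external-provider limit described on this page, and posts the spec to vCenter Server. The endpoint path `/api/vcenter/identity/providers`, the spec field names and the `vmware-api-session-id` header are assumptions to verify against your vCenter build's API explorer before use.

```python
import json
import urllib.request


def build_adfs_oidc_spec(name, discovery_endpoint, client_id, client_secret,
                         domain_names, upn_claim="upn", groups_claim="group"):
    """Return the JSON body for an OIDC identity provider create request.

    Field names are assumptions based on the vCenter Automation API's
    identity provider create spec; confirm them for your release."""
    # Discovery must be fetched over TLS: vCenter trusts whatever issuer,
    # JWKS and token endpoints this document advertises.
    if not discovery_endpoint.startswith("https://"):
        raise ValueError("discovery endpoint must be served over HTTPS")
    if not discovery_endpoint.endswith("/.well-known/openid-configuration"):
        raise ValueError("expected an OIDC discovery document URL")
    if not domain_names:
        raise ValueError("at least one AD domain name is required")
    return {
        "name": name,
        "config_tag": "Oidc",
        "oidc": {
            "discovery_endpoint": discovery_endpoint,
            "client_id": client_id,
            "client_secret": client_secret,
        },
        "upn_claim": upn_claim,        # claim mapped to the vSphere UPN
        "groups_claim": groups_claim,  # claim carrying AD group membership
        "domain_names": list(domain_names),
        "is_default": True,
    }


def check_single_external_provider(existing_providers):
    """vCenter Server supports one external identity provider alongside
    vsphere.local, so refuse to register a second one."""
    if existing_providers:
        names = ", ".join(p.get("name", "?") for p in existing_providers)
        raise RuntimeError(f"external provider already configured: {names}")
    return True


def register_provider(vcenter, session_id, spec):
    """POST the spec; session_id is obtained from POST /api/session."""
    req = urllib.request.Request(
        f"https://{vcenter}/api/vcenter/identity/providers",
        data=json.dumps(spec).encode(),
        method="POST",
        headers={"vmware-api-session-id": session_id,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()
```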
Identity Provider Federation to Okta and Azure AD Through VMware Identity Services
Starting from vSphere 8.0 Update 1, you can activate federation to Okta as the identity provider. Starting from vSphere 8.0 Update 2, you can activate federation to Azure AD as the identity provider. Both configurations use VMware Identity Services, an authentication intermediary that functions as a built-in container within vCenter Server. With VMware Identity Services, you can configure principals to authenticate to vCenter Server by using an external identity provider.
vCenter Server supports only one configured external identity provider (one source), and the vsphere.local identity source (local source). You cannot use multiple external identity providers. vCenter Server Identity Provider Federation uses OpenID Connect (OIDC) for user login to vCenter Server.
Configuring VMware Identity Services for Okta and Azure AD is not possible through the vSphere Automation API. To federate vCenter Server to Okta or Azure AD, you must use the vSphere Client. For more information, see Configure vCenter Server Identity Provider Federation for Okta in the vSphere Authentication Guide.