vCenter Server Identity Federation with Keycloak Identity Provider without SCIM

01.21.2025 by William Lam // 3 Comments

After publishing my recent article about using Authentik as an Identity Provider (IdP) for vCenter Server, for which I have received a lot of positive feedback both internally (including a small typo note from my VP 😅 ) and externally, I had several folks ask whether the same could also be accomplished with another popular open source IdP called Keycloak.

While I have not personally worked with Keycloak before, I know it is a popular identity provider solution for modern applications, especially within a Kubernetes environment. After getting Keycloak up and running, I found out that it does NOT have support for a System for Cross-domain Identity Management (SCIM) server, which is used to automatically synchronize your users and groups from your IdP to your clients, which would be vCenter Server in this case.

While there are a couple of 3rd party SCIM providers for Keycloak such as this one, they were either out of date or just did not work for me, and after a few hours of troubleshooting I eventually gave up. It certainly would have been nice to have a SCIM server out of the box with a nice UX like Authentik.

I figured I was completely out of luck with using Keycloak as an IdP for vCenter Server, because it needs to know about the users before you can assign vSphere Permissions. As a last resort, I pinged a few folks from our IdP team to see if there were any tricks that I could leverage given the lack of SCIM server support. It turns out that since vCenter Server uses the Identity Broker (vIDB) for Identity Federation, there is an option for manually publishing users into vIDB by leveraging its APIs! 🤩

Disclaimer: Keycloak is currently not an officially supported vCenter Server IdP, please use at your own risk.

Step 1 - Set up Keycloak. There are several deployment options, which you can refer to in the Getting Started guide. I opted for running a Keycloak instance locally within an Ubuntu VM (non-docker) for easier troubleshooting and debugging. For the purposes of demonstrating the vCenter Server IdP integration, I am running Keycloak using the start-dev (non-production) option and using admin/admin as the bootstrap admin account, as you can see from the commands below.

export KC_BOOTSTRAP_ADMIN_USERNAME=admin
export KC_BOOTSTRAP_ADMIN_PASSWORD=admin
export KC_LOG=file

bin/kc.sh start-dev

Note: To avoid any potential issues with DNS and networking while configuring the IdP with vCenter Server, I would strongly recommend deploying a small Ubuntu VM that has been configured with a DNS forward/reverse entry to be used to install the Keycloak IdP.

Step 2 - Once Keycloak is running, you can access the management console by opening a browser to the FQDN and logging in with the bootstrap account that you initially configured. Once logged in, create a new Realm, which in my example I am naming VMware, and then click the Create button to complete setup.


Step 2 - Create a new Keycloak Client application; the client type should default to OpenID Connect. Enter a Client ID (which will be used later) and a Name, and then click Next.


Next, toggle the Client authentication to enable and then click Next.


Specify the vSphere UI login URL for your vCenter Server (e.g. https://vc.williamlam.local/ui) and the Valid redirect URIs, which will be your vCenter Server redirect URL (e.g. https://vc.williamlam.local/federation/t/CUSTOMER/auth/response/oauth2), and then click Save to finish.


Step 3 - We need to retrieve the shared secret from our new Keycloak client application by going to Credentials and copying the Client Secret value.


We also need the OpenID address, which can be found by clicking on Realm Settings, scrolling to the bottom and clicking on OpenID Endpoint Configuration. Make a note of the URL.


Step 4 - We need to create new users within your Keycloak Realm, so go ahead and create a few users that can be used for testing purposes, and make sure to set a password for each user under Credentials. Lastly, we also need to capture the username, first name, last name, email and the Keycloak ID (which can be found by clicking into a specific user). All of this information will be used to publish the users into vCenter Server's Identity Broker (vIDB) before we can assign vSphere permissions.

Step 5 - Log in to your vCenter Server and under Administration->Single Sign-On->Configuration select Change Provider and choose the Okta option to begin the configuration.

Provide a friendly directory name and domain name(s) for your IdP and then click next.


Enter the Identity Provider Name and then enter the values for Client Identifier, Shared Secret and OpenID Address, which were retrieved in Step 2 & 3, and save the configuration.


Step 6 - We now need to publish the Keycloak users into vCenter Server's Identity Broker. To simplify this process, I have a shell script that needs to be run directly within the VCSA and that accepts a CSV file containing the list of users.

Using the information from Step 4, create a CSV file that contains the list of users in the following format:

# Username, First Name, Last Name, Email, External Id
lamw,William, Lam, lamw[at]williamlam.local, 346815e0-b456-4b56-9642-86cf3228accd
depping, Duncan, Epping, depping[at]williamlam.local, fd53d4f6-d88e-4336-99f5-26d09033c0f6
fdenneman, Frank, Denneman, fdenneman[at]williamlam.local, 75da7271-7e5b-4d8e-b186-50aec30dc36b
chogan, Cormac, Hogan, chogan[at]williamlam.local, 9217d9ac-798c-4e6a-872a-78bcf8ffd380

Note: Any entries with a "#" will be ignored by the script, so you can easily comment out entries that you do not wish to publish to vIDB.
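As an added illustration that is not part of the original post or of the author's manual-scim-sync-users.sh script: a small POSIX shell checker for the CSV format above that skips the "#" entries, trims the whitespace around each field, and rejects rows whose External Id is not a UUID or whose email is not an address, so that a malformed row is caught before anything is published into vIDB. The sample rows in the test are constructed; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not the article's manual-scim-sync-users.sh script.
# Validates the user CSV described above before any row is published to
# vIDB: '#' comment lines and blank lines are skipped, whitespace around
# each field is trimmed, the External Id must be a UUID and the email must
# contain '@'. Valid rows are written to stdout as user|first|last|email|extid,
# rejected rows are reported on stderr, and the exit status is the number of
# rejected rows (0 means every row passed the checks).

trim() {
  s=$1
  s=${s#"${s%%[![:space:]]*}"}   # strip leading whitespace
  s=${s%"${s##*[![:space:]]}"}   # strip trailing whitespace
  printf '%s' "$s"
}

reject() { echo "line $1: $2" >&2; rejected=$((rejected + 1)); }

parse_user_csv() {
  file=$1; rejected=0; lineno=0; cr=$(printf '\r')
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    line=${line%"$cr"}                       # tolerate CRLF line endings
    case "$(trim "$line")" in
      ''|\#*) continue ;;                    # blank or commented-out entry
    esac
    IFS=',' read -r user first last email extid extra <<EOF
$line
EOF
    user=$(trim "$user"); first=$(trim "$first"); last=$(trim "$last")
    email=$(trim "$email"); extid=$(trim "$extid")
    if [ -z "$user" ] || [ -z "$extid" ] || [ -n "$extra" ]; then
      reject "$lineno" "expected exactly 5 comma-separated fields"; continue
    fi
    if ! printf '%s' "$extid" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
      reject "$lineno" "External Id '$extid' is not a UUID"; continue
    fi
    case "$email" in
      *@*) ;;
      *) reject "$lineno" "email '$email' is not an address"; continue ;;
    esac
    printf '%s|%s|%s|%s|%s\n' "$user" "$first" "$last" "$email" "$extid"
  done < "$file"
  return "$rejected"
}
```

Run it as `parse_user_csv users.csv > checked.txt` and only proceed with the publish step when the exit status is 0.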

Next, download the manual-scim-sync-users.sh script and the user CSV file to your VCSA and run the script with the following three arguments: vSphere admin username, password and the name of your CSV text file as shown in the screenshot below.


Step 7 - Log in to your vCenter Server with a vSphere SSO account and you should now be able to look up users from your Keycloak IdP and assign vSphere Permissions.


Step 8 - Finally, we can now test the end-to-end login using Keycloak. Open an incognito browser to your vCenter Server and select the Identity Federation option, which should automatically redirect the login flow to your Keycloak IdP, and then enter a valid username and password.


If everything was configured correctly, you should now be successfully logged into vCenter Server!


If you need to remove users from vCenter Server's Identity Broker (vIDB), you can download the manual-scim-remove-users.sh script, which helps automate that process. Create a similar CSV file with the list of users that you wish to un-publish and then run the script with the following three arguments: vSphere admin username, password and the name of your CSV text file, as shown in the screenshot below.

Categories // VCSA, VMware Cloud Foundation, vSphere, vSphere 8.0 Tags // Identity Provider, Keycloak, OAuth, OIDC, vCenter Server

Comments

  1. LoneStar says

    01/27/2025 at 3:08 am

    I want to thank you for this article. It worked like a charm.

    Reply
  2. LoneStar says

    02/14/2025 at 12:43 am

    Do you know an effective way to bypass the SSO login in case the IdP service is not reachable for any technical reason?

    I've tried using https://{vcenter.url}/ui/?local=true, as is suggested here and there, but it is ignored.

    Reply
  3. Kenny says

    03/03/2025 at 11:32 am

    Anyone had any luck converting the deletion script to PowerShell? I was able to convert the add-users bash script over without issue, but not the delete users one. I've posted to Stack Overflow; any help is appreciated.

    https://stackoverflow.com/questions/79481506/powershell-rest-api-calls-to-delete-users-from-vcenter-scim-database

    Reply

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.