WilliamLam.com

You are here: Home / VCSA / vCenter Identity Federation with Authelia

vCenter Identity Federation with Authelia

by // Leave a Comment

Gotta catch them all!? 😂

Looks like I will be adding another identity provider to my existing collection of IdPs (AuthentikKeyCloakSynology SSOPocket ID, Zitadel and Kanidm) that can be used with vCenter Server and VMware Cloud Foundation (VCF) Identity Federation.

Authelia is another free and self-hosted IdP solution, which also supports Time-based one-time password (TOTP) out of the box and all configurations are managed in a couple of configuration files as there is no administrative web UI.

Step 0 (Optional)  - If you do not have an existing TLS certificate, here is a quick snippet for using OpenSSL to create a self-signed TLS certificate with the following required files:

  • key.pem - Private Key
  • cert.crt - Certificate
  • fullchain.pem - Certificate Chain
openssl req -new -key key.pem -out csr.pem -subj "/C=US/ST=CA/L=Palo Alto/O=WilliamLam/OU=R&D/CN=auth.williamlam.local"
openssl x509 -req -in csr.pem -signkey key.pem -out cert.crt -days 365
cat cert.crt key.pem > fullchain.pem

Step 1 - Install Authelia using one of the supported options, I opted for deploying Authelia natively as I am using Ubuntu and doing apt install authelia -y was very straight forward 🙂

Step 2 - The primary configuration file for Authelia is located in /etc/authelia/configuration.yml and below is a fully functional configuration, which you will need to update with your own environment details.

  • server -> tls -> key - The full path to TLS private key from Step 0
  • server -> tls -> certificate - The full path to TLS certificate from Step 0
  • identity_validation -> reset_password -> jwt_secret - This should be a randomly generated 64 character
  • totp -> issuer - In case you would like to use TOTP, you will need to change the value to match your domain
  • access_control -> rules -> domain - You will need to change the value to match your domain
  • session -> secret - This should be a randomly generated 64 character
  • session -> cookies -> {domain, authelia_url} - You will need to change the value to match your domain and FQDN of Authelia system
  • storage ->encryption_key - This should be a randomly generated 64 character
  • identity providers -> oidc -> hmac_secret - This should be a randomly generated 64 character
  • identity providers -> oidc -> jwks -> {key, certificate_chain} - PEM encoded private key and certificate for signing
  • identity providers -> oidc -> clients -> client_secret - This should be a randomly generated public secret
  • identity providers -> oidc -> clients -> redirect_uris - This will be your redirect URI from vCenter Server
  • identity providers -> oidc -> clients -> request_uris - You will need to change the value to match your domain
  • identity providers -> oidc -> clients -> audience - This will be your vCenter Server vSphere UI

Note: Please refer to Authelia Configuration Documentation for more information.

server:
  address: 'tcp://:443/'
  disable_healthcheck: false
  tls:
    key: "/etc/tls/key.pem"
    certificate: "/etc/tls/cert.crt"

theme: 'dark'

log:
  level: debug
  file_path: '/var/log/authelia/authelia.log'
  keep_stdout: true

identity_validation:
  elevated_session:
    require_second_factor: true
  reset_password:
    jwt_lifespan: '5 minutes'
    jwt_secret: 'FILL_ME_IN'

totp:
  issuer: 'williamlam.local'
  period: 30
  skew: 1

password_policy:
  zxcvbn:
    enabled: true
    min_score: 4

authentication_backend:
  file:
    path: '/etc/authelia/users.yml'
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 3
        memory: 65535
        parallelism: 4
        key_length: 32
        salt_length: 16

access_control:
  rules:
    - domain:
        - "auth.williamlam.local"
      policy: bypass

session:
  name: 'authelia_session'
  secret: 'FILL_ME_IN'
  cookies:
    - domain: 'williamlam.local'
      authelia_url: 'https://auth.williamlam.local'

regulation:
  max_retries: 4
  find_time: 120
  ban_time: 300

storage:
  encryption_key: 'FILL_ME_IN'
  local:
    path: '/etc/authelia/db.sqlite3'

notifier:
  disable_startup_check: false
  filesystem:
    filename: '/etc/authelia/notification.txt'

identity_providers:
  oidc:
    hmac_secret: 'FILL_ME_IN'
    lifespans:
      access_token: '1h'
      authorize_code: '1m'
      id_token: '1h'
      refresh_token: '90m'
    jwks:
      - key_id: 'jwks-key'
        algorithm: 'RS256'
        use: 'sig'
        key: |
          -----BEGIN PRIVATE KEY-----
          FILL_ME_IN
          -----END PRIVATE KEY-----
        certificate_chain: |
          -----BEGIN CERTIFICATE-----
          FILL_ME_IN
          -----END CERTIFICATE-----
    clients:
      - client_id: 'vcenter'
        client_name: 'vCenter Server'
        client_secret: 'FILL_ME_IN'
        public: false
        redirect_uris:
          - 'https://vc02.williamlam.local/federation/t/CUSTOMER/auth/response/oauth2'
        request_uris:
          - 'https://oidc.williamlam.local:8080/oidc/request-object.jwk'
        audience:
          - 'https://vc02.williamlam.local/ui'
        scopes:
          - 'openid'
          - 'groups'
          - 'email'
          - 'profile'
        response_types:
          - 'code'
        response_modes:
          - 'form_post'
          - 'query'
          - 'fragment'
        authorization_policy: 'two_factor'

Note: The identity_providers section is not required to get Authelia up and running but since Authelia does not have a UI for managing configuration, we eventually will need to add this section to reflect the specific OIDC application definition for our vCenter Server.

To ensure that our Authelia configuration is correct, we can use the validate operation by running the following command:

authelia config validate --config /etc/authelia/configuration.yml

Step 3 - Next, we will define users in /etc/authelia/users.yml and below is an example of a user named "lamw".

users:
  lamw:
    displayname: 'William Lam'
    password: 'FILL_ME_IN'
    email: 'lamw[at]williamlam.local'
    groups:
      - 'admin'
      - 'dev'
      - 'vcf'

You will need to provide a hash of the desired password, which you can do so by running the following command:

authelia crypto hash generate argon2 --password 'VMware1!'


Step 4 - Start Authelia service by running the following command:

systemctl enable authelia
systemctl start authelia

Step 5 - Login to your vCenter Server and navigate to Administration->Single Sign On->Configuration->Identity Provider and select the PingFederate option and populate the directory name and DNS domain.


Next, fill out the required fields and for the client identifier/shared secret values, you will retrieve that from your Authelia configuration (from Step 2) under identity providers -> oidc -> clients -> client_id & client_secret, for the OpenID Address it will be https://[AUTHELIA-FQDN]/.well-known/openid-configuration (e.g. https://auth.williamlam.local/.well-known/openid-configuration) and then provide your full certificate chain.


Step 5 - If everything was setup correctly, you should now be able to open a browser to your Authelia endpoint and login with a user and the configured credentials from Step 3!


If you have enabled two-factor authentication in your Authelia configuratin file, after logging in you will be asked to setup the additional factor of authentication using either TOTP (if you have enabled) or WebAuthN (e.g. YubiKey, Face ID, etc).


If you select the TOTP option, a notification will be generated by Authelia and will be sent via email (if SMTP is configured) or you will need to retrieve it under /etc/authelia/notifications.log as it will contain a one-time passcode to begin the configuration as shown in the screenshot below.


Enter the the one-time code from the notification to start the TOTP registration process.


You will then be presented with a QR code to scan using your desired TOTP client such as Google Authenticator.


Once the TOTP registration has been completed, the next time you log in, you will be prompted for the one-time passcode from your TOTP client as shown in the screenshot below:


Step 6 - Authelia does not support the SCIM protocol, which means we need to manually make vCenter Server Identity Broker (vIDB) aware of the users before we can assign vSphere permissions.

To do this, we need to first capture the ExternalId value that is sent by Authelia, so that we can then publish the user information to vIDB. Open an incognito browser to the configured vCenter Server and select Single Sign On and authenticate to Authelia and you will find that vCenter Server will fail the authorization check as the user is unknown, this is expected.

SSH to vCenter Server and look at the /var/log/vmware/vc-ws1a-broker/federation-service.log file which should look like the following with failed login and referenced ExternalID as shown below:

2025-04-14T22:14:02,092 INFO vc02.williamlam.local:federation (federation-business-pool-0) [CUSTOMER;-;192.168.30.80;d0deaaae-48e9-4954-8054-60ac01bd7a68;-;0f892c21-9035-4b9c-99d5-753f2e1415d4] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: 0f892c21-9035-4b9c-99d5-753f2e1415d4 on attribute ExternalId=63284094-8535-45b1-988f-6997309c06c0, domains: [williamlam.local]

Make a note of the ExternalId value and you will need to do this for every use you wish to enable login to vCenter Server.

Step 7 - We now need to publish the Authelia users into vCenter Server's Identity Broker and to simplify this process, I have created a shell script that needs to be run directly within the VCSA that accepts a CSV file that contains the list of users and their configurations.

Using the information from Step 5, create a CSV file that contains list of users in the following format:

# Username, First Name, Last Name, Email, External Id
lamw, William, Lam, *protected email*, 63284094-8535-45b1-988f-6997309c06c0

Note: Any entries with a "#" will be ignored by the script, so you can easily comment out entries that you do not wish to publish to vIDB.

Next, download the manual-scim-sync-users.sh script and the user CSV file to your VCSA and run the script with the following three arguments: vSphere admin username, password and the name of your CSV text file as shown in the screenshot below.

./manual-scim-sync-users.sh 'administrator[at]vsphere.local' 'VMware1!' external_users.txt

Step 8 - Login to your vCenter Server with your vSphere SSO account and you should now be able to lookup users from Authelia and assign vSphere Permissions. Once you have assigned the desired vSphere Permission, you can open an incognito window and after authenticating with Authelia and successfully log into vCenter Server!

If you need to remove users from vCenter Server's Identity Broker (vIDB), you can download the manual-scim-remove-users.sh script that can help with automating that process. Create a simliar CSV file with the list of users that you wish to un-publish and then run the script with the following three arguments: vSphere admin username, password and the name of your CSV text file as shown in the screenshot below.

./manual-scim-remove-users.sh 'administrator[at]vsphere.local' 'VMware1!' external_users.txt

More from my site

Thanks for the comment!

This site uses Akismet to reduce spam. Learn how your comment data is processed.