Having explored various OIDC identity providers, including Authentik, Keycloak and Synology SSO, I recently came across Pocket ID, a deliberately minimal OIDC provider. Instead of traditional usernames and passwords, Pocket ID only supports passkey authentication based on the WebAuthn standard, which means you can log in to your vCenter Server or VMware Cloud Foundation (VCF) environment using a physical device such as a Yubico YubiKey, or a platform authenticator such as Apple Face ID.
Disclaimer: Pocket ID is not an officially supported vCenter Server IdP, please use at your own risk.
Step 1 - Install Pocket ID following the documentation HERE. I went with the recommended option of running it in Docker, so make sure you have Docker installed as well.
Step 2 - Pocket ID must be served over TLS, since WebAuthn only works in a secure (HTTPS) context. If you do not have an existing TLS certificate, here is a quick OpenSSL snippet that creates a self-signed certificate and produces the following required files:
- key.pem - Private Key
- cert.crt - Certificate
- fullchain.pem - Certificate Chain
# Private key (RSA, 2048-bit)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem
# Certificate signing request; the subjectAltName is required because modern browsers ignore the CN when matching the hostname
openssl req -new -key key.pem -out csr.pem -subj "/C=US/ST=CA/L=Palo Alto/O=WilliamLam/OU=R&D/CN=auth.williamlam.local" -addext "subjectAltName=DNS:auth.williamlam.local"
# Self-sign for one year, copying the SAN extension from the CSR into the certificate (-copy_extensions requires OpenSSL 3.x)
openssl x509 -req -in csr.pem -signkey key.pem -out cert.crt -days 365 -copy_extensions copy
# For a self-signed certificate the chain is just the certificate itself. Do not concatenate key.pem into it: a chain file must contain certificates only, and this file will later be pasted into vCenter Server
cp cert.crt fullchain.pem
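Because the chain file is what gets pasted into vCenter Server later, it is worth checking what is actually in it before moving on. The following Python is an added example (not part of the original post or of Pocket ID) that scans a PEM file, lists its block types and refuses any file that carries private key material or no certificate at all. The sample PEM contents inside it are constructed placeholders, not real key material.

```python
"""Check a PEM file before using it as a certificate chain.

A certificate chain must contain only CERTIFICATE blocks; the private key
belongs in key.pem and must never be uploaded to vCenter Server.
"""
import re

# Matches one PEM block; the label backreference rejects mismatched BEGIN/END pairs.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def pem_block_labels(pem_text):
    """Return the label (CERTIFICATE, PRIVATE KEY, ...) of every PEM block, in file order."""
    return [m.group("label") for m in PEM_BLOCK.finditer(pem_text)]


def check_chain_file(pem_text):
    """Verdict for a file about to be used as a certificate chain.

    ok is True only when the file holds at least one CERTIFICATE block and
    nothing else; any '... PRIVATE KEY' block is reported as a leak.
    """
    labels = pem_block_labels(pem_text)
    certs = [l for l in labels if l == "CERTIFICATE"]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    other = [l for l in labels if l != "CERTIFICATE" and not l.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block found")
    if keys:
        problems.append("private key material present: " + ", ".join(keys))
    if other:
        problems.append("unexpected block types: " + ", ".join(other))
    return {"certificates": len(certs), "problems": problems, "ok": not problems}


# Constructed sample files (bodies are placeholders, not real certificates or keys).
GOOD_CHAIN = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
# What `cat cert.crt key.pem > fullchain.pem` produces: the private key rides along.
BAD_CHAIN = GOOD_CHAIN + "-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    import sys
    # Pass a path (e.g. fullchain.pem) to check a real file; otherwise the bad sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CHAIN
    verdict = check_chain_file(text)
    print(verdict)
    sys.exit(0 if verdict["ok"] else 1)
```

Run it as `python3 check_chain.py fullchain.pem`; a non-zero exit means the file should not leave the box.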
Step 3 - To use our TLS certificate, Pocket ID documents the use of Caddy as both the HTTPS endpoint and the reverse proxy. Copy the certificate (cert.crt) and private key (key.pem) somewhere Caddy can read them and reference those paths in the Caddy configuration file. In my example, I created a directory called /etc/tls, placed both files there and gave ownership to the caddy user; the private key should be readable by that user only.
Edit the /etc/caddy/Caddyfile configuration file as follows, replacing the FQDN of the system running Pocket ID and the paths to your TLS files as shown in the example below. The root and file_server lines are left over from the default Caddyfile and are harmless: Caddy runs reverse_proxy before file_server, so every request is forwarded to Pocket ID.
auth.williamlam.local {
    # Set this path to your site's directory.
    root * /usr/share/caddy

    # Enable the static file server.
    file_server

    # Another common task is to set up a reverse proxy:
    reverse_proxy localhost:3000

    tls /etc/tls/cert.crt /etc/tls/key.pem
}
Restart the Caddy service by running:
systemctl restart caddy
You should now be able to open a browser to https://FQDN and see Pocket ID load. If you used a self-signed certificate, import cert.crt into the trust store of every client you will register passkeys from: WebAuthn requires an origin the browser treats as secure, and clicking through a certificate warning is not reliably enough.
Step 4 - Before we can configure vCenter Server to use Pocket ID, we need to go through the initial Pocket ID setup. Open a browser to https://FQDN/login/setup and ensure the system you are using has passkey capabilities (e.g. YubiKey, Face ID, Touch ID, etc.), as there is no username/password login with Pocket ID. For my setup, I am using the Safari browser, which has passkey integration, together with my YubiKey.
Step 5 - Log in to your vCenter Server, navigate to Administration->Single Sign On->Configuration->Identity Provider, select the PingFederate option (it accepts the generic OIDC settings Pocket ID provides: a client identifier, shared secret and discovery URL) and populate the directory name and DNS domain.
Copy the vCenter Server Redirect URI and then head back to Pocket ID to retrieve the rest of the required configurations.
Step 6 - Navigate to OIDC Clients to create the OIDC client for vCenter Server. Provide a name, paste the redirect URI from Step 5 and click save.
Expand the top section to view the client details and make a note of the Client ID (used as the vCenter Server Client Identifier), the Client Secret (used as the vCenter Server Shared secret) and the OIDC Discovery URL, as highlighted in the screenshot above. Treat the client secret like a password: it is what allows vCenter Server to redeem authorization codes at Pocket ID.
Step 7 - Navigate back to your vCenter Server to complete the configuration and populate all fields as shown in the screenshot below, along with the full certificate chain of the Pocket ID endpoint. The chain must contain certificates only (cert.crt in the self-signed setup above); never paste key.pem into vCenter Server.
Step 8 - Pocket ID does not support the SCIM (System for Cross-domain Identity Management) protocol that vCenter Server otherwise relies on to learn about users ahead of time, which means we need to manually make the vCenter Server Identity Broker (vIDB) aware of each user before we can assign vSphere permissions.
To do this, we first capture the ExternalId value that Pocket ID sends for the user, so that we can publish matching user information to vIDB. Open an incognito browser window to the configured vCenter Server, choose the Single Sign On option and authenticate to Pocket ID with your passkey. vCenter Server will fail the authorization check because the user is unknown; this is expected and is what produces the log entry we need.
SSH to the vCenter Server and look at /var/log/vmware/vc-ws1a-broker/federation-service.log, where the failed login appears together with the ExternalId it was looked up by, as shown below:
2025-03-29T01:31:10,289 INFO vc03.williamlam.local:federation (federation-business-pool-0) [CUSTOMER;-;192.168.30.4;c68a6163-1c76-4588-bff4-0a54f8158d53;-;e8076837-91ad-4195-ab86-84dc423f3f8b] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: e8076837-91ad-4195-ab86-84dc423f3f8b on attribute ExternalId=d270d9bf-c3e8-4d09-824f-9d4f4123cd40, domains: [williamlam.local]
Make a note of the ExternalId value; you will need to repeat this for every user you wish to enable for vCenter Server login.
Step 9 - We now need to publish the Pocket ID users into vCenter Server's Identity Broker. To simplify this process, I have created a shell script that runs directly within the VCSA and accepts a CSV file containing the list of users and their attributes.
Using the ExternalId values captured from federation-service.log, create a CSV file with one user per line in the following format:
# Username, First Name, Last Name, Email, External Id
lamw, William, Lam, *protected email*, d270d9bf-c3e8-4d09-824f-9d4f4123cd40
Note: Any line starting with "#" is ignored by the script, so you can easily comment out entries that you do not wish to publish to vIDB.
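Before feeding the CSV to the script it is worth reconciling it against what vIDB actually logged, especially when several users are being onboarded at once. The following Python is an added example, not the author's manual-scim-sync-users.sh: it pulls the "Fetching user for jit login context" lines out of federation-service.log using the line format shown above, parses the CSV with the same "#" comment convention, validates that every External Id is a UUID, and reports which logged ExternalIds still have no CSV row and which rows reference an ExternalId that never appeared in the log (usually a typo). The log and CSV samples embedded in it are constructed; the second ExternalId, the second user and the e-mail address are made up.

```python
"""Reconcile federation-service.log JIT failures against the user CSV."""
import re
import sys

# One line per failed JIT login. The pattern follows the sample log line in the post;
# the sample entries below are constructed.
JIT_LINE = re.compile(
    r"^(?P<ts>\S+) .*Fetching user for jit login context: \S+ on attribute "
    r"ExternalId=(?P<ext>[0-9a-fA-F-]{36}), domains: \[(?P<domains>[^\]]*)\]"
)
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
CSV_FIELDS = ("username", "first_name", "last_name", "email", "external_id")


def extract_external_ids(log_text):
    """Map each ExternalId vIDB looked up to when it was first seen, how often, and for which domains."""
    seen = {}
    for line in log_text.splitlines():
        m = JIT_LINE.search(line)
        if not m:
            continue
        ext = m.group("ext").lower()
        entry = seen.setdefault(ext, {"first_seen": m.group("ts"), "attempts": 0, "domains": set()})
        entry["attempts"] += 1
        entry["domains"].update(d.strip() for d in m.group("domains").split(",") if d.strip())
    return seen


def parse_user_csv(csv_text):
    """Parse the 5-column CSV the sync script expects; '#' lines and blank lines are skipped."""
    users = []
    for lineno, raw in enumerate(csv_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != len(CSV_FIELDS):
            raise ValueError("line %d: expected %d fields, got %d" % (lineno, len(CSV_FIELDS), len(fields)))
        user = dict(zip(CSV_FIELDS, fields))
        if not UUID_RE.match(user["external_id"]):
            raise ValueError("line %d: External Id %r is not a UUID" % (lineno, user["external_id"]))
        user["external_id"] = user["external_id"].lower()
        users.append(user)
    return users


def reconcile(log_ids, users):
    """ExternalIds seen in the log but absent from the CSV, and CSV rows that never hit the log."""
    csv_ids = {u["external_id"] for u in users}
    return {
        "not_in_csv": sorted(set(log_ids) - csv_ids),
        "not_in_log": sorted(csv_ids - set(log_ids)),
    }


# Constructed sample input: the first line mirrors the post's log line, the rest is made up.
SAMPLE_LOG = """\
2025-03-29T01:31:10,289 INFO vc03.williamlam.local:federation (federation-business-pool-0) [CUSTOMER;-;192.168.30.4;c68a6163-1c76-4588-bff4-0a54f8158d53;-;e8076837-91ad-4195-ab86-84dc423f3f8b] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: e8076837-91ad-4195-ab86-84dc423f3f8b on attribute ExternalId=d270d9bf-c3e8-4d09-824f-9d4f4123cd40, domains: [williamlam.local]
2025-03-29T01:32:05,100 INFO vc03.williamlam.local:federation (federation-business-pool-1) [CUSTOMER;-;192.168.30.5;0a0a0a0a-0000-4000-8000-000000000002;-;0f1e2d3c-0000-4000-8000-000000000001] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: 0f1e2d3c-0000-4000-8000-000000000001 on attribute ExternalId=11111111-2222-4333-8444-555555555555, domains: [williamlam.local]
2025-03-29T01:32:05,101 INFO vc03.williamlam.local:federation (federation-business-pool-1) unrelated message that must be ignored
"""
SAMPLE_CSV = """\
# Username, First Name, Last Name, Email, External Id
lamw, William, Lam, lamw@williamlam.local, d270d9bf-c3e8-4d09-824f-9d4f4123cd40
#jdoe, Jane, Doe, jdoe@williamlam.local, 11111111-2222-4333-8444-555555555555
"""

if __name__ == "__main__":
    # Usage on the VCSA: python3 reconcile.py /var/log/vmware/vc-ws1a-broker/federation-service.log external_users.txt
    if len(sys.argv) == 3:
        log_text, csv_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        log_text, csv_text = SAMPLE_LOG, SAMPLE_CSV
    ids = extract_external_ids(log_text)
    for ext, info in ids.items():
        print("%s first seen %s, %d attempt(s), domains %s" % (ext, info["first_seen"], info["attempts"], sorted(info["domains"])))
    print(reconcile(ids, parse_user_csv(csv_text)))
```

With the samples, the commented-out jdoe row shows up under not_in_csv, which is the signal to uncomment it (or to leave it out deliberately); anything under not_in_log was never presented by Pocket ID and will not match a login even after publishing.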
Next, download the manual-scim-sync-users.sh script and the user CSV file to your VCSA and run the script with three arguments: the vSphere admin username, its password and the name of your CSV file, as shown in the screenshot below. Because the password is passed on the command line it ends up in your shell history and is visible in the process list while the script runs, so clear the history afterwards or run it from a shell with history disabled.
./manual-scim-sync-users.sh 'administrator@vsphere.local' 'VMware1!' external_users.txt
Step 10 - Log in to your vCenter Server with your vSphere SSO account and you should now be able to look up users from Pocket ID and assign vSphere permissions. Once you have assigned the desired permission, open an incognito window, authenticate with Pocket ID and you will be logged into vCenter Server!
If you need to remove users from vCenter Server's Identity Broker (vIDB), you can download the manual-scim-remove-users.sh script, which automates that process. Create a similar CSV file listing the users you wish to un-publish and run the script with the same three arguments: vSphere admin username, password and the name of your CSV file, as shown in the screenshot below.
./manual-scim-remove-users.sh 'administrator@vsphere.local' 'VMware1!' external_users.txt
Passwordless login to vCenter Server is super handy, here is another example using my iPhone Face ID to authenticate!