As part of VMware Cloud Foundation (VCF) 9.0, users can now enable the new VCF Single Sign-On (SSO) capability, allowing true single sign-on across all components within the VCF solution. While modern IdPs such as Okta, PingFederate, Microsoft Entra ID and Microsoft ADFS continue to be supported for production deployments, you might want to play with the new VCF SSO capability in a lab environment that has no external access, or you may want to use a self-hosted IdP for learning purposes.
In addition to the IdPs listed above, you can also play with the new VCF SSO using a generic OIDC provider. Keycloak is an IdP that can be self-hosted within your own environment and works out of the box with VCF SSO, and this blog post will show you how to set it up without relying on a hosted IdP solution!
Step 0 - I will assume you have installed and configured a basic Keycloak setup up to Step 4 of this blog post HERE. If not, please follow the steps in that blog post and then return here once you have completed Step 4.
Note: VCF SSO requires that your OIDC endpoint is served over HTTPS, which means you will need a TLS certificate including the full chain of trust. You can refer to the blog post HERE for generating a self-signed TLS certificate using OpenSSL.
To take advantage of the new Just-in-Time (JIT) group provisioning for VCF SSO, we need to ensure that our IdP includes the user's group membership as a claim in the token it issues to VCF SSO, so we need to make an additional configuration change on the Keycloak IdP.
Step 1 - Log in to the Keycloak Realm that contains your OIDC application, go to Clients->Name of your OIDC App->Client Scopes and then click on the OIDC App-dedicated link. In my example, the OIDC application is called vcf, so the link will say vcf-dedicated as shown in the screenshot below.
Step 2 - Click on the Add Mapper by Configuration button and then select Group Membership.
Step 3 - Use groups as the value for both the Name and Token Claim Name fields, unselect Full group path, and click Save.
Step 4 - Lastly, make sure to create a new Keycloak Group containing the users that will be authorized to use VCF SSO.
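As an added check that is not part of the original post: the following Python snippet decodes the payload of a token Keycloak issued and reports whether the groups claim from Steps 1-3 is present, is a plain list of group names rather than full paths with a leading slash, and contains the group created in Step 4. The sample payload is constructed and the issuer hostname keycloak.vcf.lab is hypothetical. It inspects claims only and does not verify the signature; VCF SSO's identity broker does that.

```python
import base64
import json

# Constructed sample ID-token payload: what Keycloak's Group Membership mapper
# emits when the token claim name is "groups" and "Full group path" is
# unselected. The issuer hostname is hypothetical.
SAMPLE_PAYLOAD = {
    "iss": "https://keycloak.vcf.lab/realms/vcf",
    "aud": "vcf",
    "preferred_username": "jane",
    "groups": ["vcf-admins"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token(payload: dict) -> str:
    """Assemble an unsigned compact JWT from a payload, for offline testing only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        "placeholder-signature",  # not a real signature; this snippet never verifies one
    ])


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_groups_claim(payload: dict, claim: str, expected_group: str) -> list:
    """List the problems that would stop VCF SSO's JIT group provisioning; empty means OK."""
    problems = []
    groups = payload.get(claim)
    if groups is None:
        problems.append(f"claim '{claim}' is missing: add the Group Membership mapper (Steps 1-3)")
        return problems
    if not isinstance(groups, list):
        problems.append(f"claim '{claim}' must be a list of group names, got {type(groups).__name__}")
        return problems
    # With "Full group path" enabled Keycloak emits "/vcf-admins" (or "/parent/vcf-admins"),
    # which will not match the plain group name entered in Step 12.
    full_paths = [g for g in groups if isinstance(g, str) and g.startswith("/")]
    if full_paths:
        problems.append(f"'Full group path' appears to be enabled: {full_paths}")
    if expected_group not in groups:
        problems.append(f"user is not a member of '{expected_group}'")
    return problems


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_PAYLOAD)
    print(check_groups_claim(decode_payload(token), "groups", "vcf-admins") or "groups claim looks good")
```

To run it against a real token, paste the ID token from your browser's developer tools (or the Keycloak account console) into decode_payload in place of the constructed one; the checks are the same.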
We are now ready to configure VCF SSO!
Step 5 - Log in to VCF Operations, navigate to Fleet Management->Identity and Access->VCF Instances and select your VCF Instance to begin the workflow.
Step 6 - Select the Identity Broker deployment type. For our setup we will be using the Embedded vIDB, which is included as part of our Management vCenter Server, and then continue to the identity provider configuration.
Step 7 - We will use the PingFederate IdP configuration, which allows us to specify our TLS certificate chain since we are using a self-signed certificate. If you are using a TLS certificate signed by a public CA, then you can simply use the Okta IdP configuration for the generic OIDC setup.
Step 8 - Select OIDC as the authentication method.
Step 9 - Fill in the details for your configured Keycloak OIDC application.
In my example, the name of my OIDC application is vcf and you can fetch the shared secret in Keycloak under Clients->vcf->Credentials->Client secret as shown in the screenshot below:
To fetch the OpenID Address, navigate to Realm settings, scroll to the very bottom and copy the OpenID endpoint configuration URL.
Step 10 - Select JIT provisioning and the group pre-provisioning option.
Step 11 - Enter the domain for your IdP; in my example it is vcf.lab.
Step 12 - Now enter the pre-created Keycloak Group that we set up in Step 4. In this example, it is called vcf-admins.
Step 13 - Next, scroll down to specify the groups claim attribute, which needs to match the token claim name from Step 3. In this example, it is simply groups.
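Added example, not from the original post: a small Python check that fetches the OpenID endpoint configuration URL copied above over HTTPS, trusting only the PEM chain from the TLS note in Step 0 (certificate verification is never disabled), and confirms the document carries the fields VCF SSO will rely on and that all of them use HTTPS. The hostname keycloak.vcf.lab, the realm name vcf, the chain file path and the constructed sample document are assumptions.

```python
import json
import ssl
import sys
import urllib.request

# Fields VCF SSO's identity broker depends on: the issuer it validates tokens
# against, the endpoints it redirects to and calls, and the JWKS it uses to
# verify token signatures.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample of what Keycloak publishes for a realm named "vcf";
# the hostname keycloak.vcf.lab is hypothetical.
SAMPLE_DISCOVERY_URL = "https://keycloak.vcf.lab/realms/vcf/.well-known/openid-configuration"
SAMPLE_DISCOVERY = {
    "issuer": "https://keycloak.vcf.lab/realms/vcf",
    "authorization_endpoint": "https://keycloak.vcf.lab/realms/vcf/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.vcf.lab/realms/vcf/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.vcf.lab/realms/vcf/protocol/openid-connect/certs",
}


def fetch_discovery(openid_url: str, ca_bundle: str) -> dict:
    """Fetch the discovery document, trusting only the CA chain in ca_bundle (PEM)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # hostname and chain are verified
    with urllib.request.urlopen(openid_url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def check_discovery(doc: dict, openid_url: str) -> list:
    """List problems that would break the VCF SSO OIDC configuration; empty means OK."""
    problems = [f"missing {field}" for field in REQUIRED_FIELDS if field not in doc]
    issuer = doc.get("issuer", "")
    # The URL pasted into VCF SSO must be the issuer's own discovery endpoint.
    if openid_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"issuer {issuer!r} does not match the OpenID Address {openid_url!r}")
    for field in REQUIRED_FIELDS:
        value = doc.get(field, "")
        if value and not value.startswith("https://"):
            problems.append(f"{field} is not served over HTTPS: {value}")
    return problems


if __name__ == "__main__":
    # usage: python check_discovery.py <OpenID endpoint configuration URL> <chain.pem>
    url, bundle = sys.argv[1], sys.argv[2]
    print(check_discovery(fetch_discovery(url, bundle), url) or "discovery document looks good")
```

If fetch_discovery raises an SSL verification error, the chain file is incomplete or the certificate does not cover the hostname in the URL; that is the same condition VCF SSO will reject, so fix the certificate rather than relaxing the check.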
Step 14 - Finally, click on the Finish Setup button to complete the VCF SSO setup.
Step 15 - Before we can log in with a user from our vcf-admins group, we need to assign this group a vSphere Permission by logging in to vCenter Server with the SSO Administrator user and granting the permission to the Keycloak Group we have configured for use with VCF SSO.
Step 16 - To confirm everything was set up correctly, open an incognito browser to your Management vCenter Server; VCF SSO should be pre-selected, and once you click on the login button it should redirect you to the Keycloak IdP for authentication. Assuming you have the correct vSphere Permission assigned, the Keycloak user can now successfully log in to vCenter Server using VCF SSO!
Once you have verified that VCF SSO works with vCenter Server, you can click on Component Configuration to enable VCF SSO for NSX Manager and then log in to NSX Manager using the admin account to assign an NSX role to the vcf-admins group.
You can also enable VCF SSO for the VCF Management components such as VCF Operations and Automation: simply select the component and click on Configure to perform the enablement, and then log in with the local admin account to grant the desired permissions to the vcf-admins group.