
MS-A2 VCF 9.0 Lab: Configuring External IdP for Multiple VCF Automation Organizations

08.08.2025 by William Lam // Leave a Comment

This post is part of a short series that builds on our minimal VMware Cloud Foundation (VCF) 9.0 deployment (2x Minisforum MS-A2) and showcases how to fully leverage the exciting new capabilities in the VCF 9 platform, all while maintaining a minimal resource footprint, which is ideal for lab and learning purposes.

In this blog post, we will walk through connecting a VCF Automation (VCFA) Organization to an external identity provider (IdP) using Keycloak, a free and self-hosted solution that I am also using for VCF Single Sign-On (SSO). What you can explore in a VCFA lab, from IdP policies such as MFA applied to an organization to VCFA roles and access controls, ultimately depends on the capabilities of your IdP.


Since I am using Keycloak as my IdP, I can create what is known as a realm, which manages a collection of users and groups. From a single Keycloak realm, I can then create multiple OIDC Application Clients that provide authentication to both my VCFA Provider Admin Portal (via VCF SSO) and to the different VCFA User Organizations, as depicted in the diagram below.


Keycloak allows customization of the IdP login screen, which is a common feature of most IdPs. For Keycloak specifically, login customization is defined per realm, so if each VCFA Organization should get its own branded login page, you need one realm per organization, each containing the OIDC Application Client for that organization, as depicted in the diagram below.


For MFA policies such as mandating a second factor or enforcing passkeys (YubiKey, Apple Face ID, Apple Touch ID, etc.), while these are defined at the realm level as authentication flows, they can also be overridden per OIDC Application Client, so organizations sharing a realm can still have different login requirements. The illustration above is purely a simple lab setup; you can certainly build a more complex environment with a different IdP connected to each VCFA Organization, which more closely mirrors a Cloud Service Provider (CSP) than a typical enterprise with a single IdP.

Note: Keycloak has an extensive framework for building custom themes, I am using this KoreUI theme package, which I was able to hack up to build the customization screens you see in the very first screenshot.

Here are some additional VCF Automation IdP resources that might be of interest if you would like to learn more:

  • VCF Automation Identity Provider Management Documentation

Requirements:

  • VCF 9.0 environment deployed
  • NSX VPC configured with Centralized Transit Gateway
  • vSphere Supervisor configured with NSX VPC Networking
  • VCF Automation configured with Organizations
  • VCF Single Sign-On w/Keycloak configured and enabled for VCF Automation Provider Portal

Step 1 - Login to the VCFA Provider Admin Portal (e.g. https://auto01.vcf.lab/provider) and then navigate to your desired VCFA Organization and launch the Organization Admin Portal

Step 2 - On the homepage of the VCFA Organization Admin Portal, open Connect Identity Provider to begin the configuration


Step 3 - Copy the organization-specific redirect URL, as this will be needed to create the OIDC client application in Keycloak


Step 4 - Login to your Keycloak IdP and create a new Realm that will map to your specific VCFA Organization

Step 5 - Create a new OIDC Client that will be used to connect to your VCFA Organization.

Use a Client ID that makes its purpose easy to recognize, such as the name of your VCFA Organization


Paste the redirect URL retrieved in Step 3 as the Valid redirect URI, exactly as copied rather than as a wildcard, so that Keycloak only ever sends authorization codes back to that organization's callback, and enter the root URL, which is your general VCFA Organization Portal URL


Retrieve the Client Secret, which we will need in the next step. Keycloak only issues a secret when Client authentication is enabled on the client (a confidential client), so make sure that option is on, and treat the secret like a password


Lastly, we need to retrieve the OIDC Well-Known URL, which you can find under Realm Settings->Endpoints at the very bottom of the page. It has the form https://<keycloak>/realms/<realm>/.well-known/openid-configuration (for the engineering realm used later in this post, https://auth.vcf.lab:8443/realms/engineering/.well-known/openid-configuration)


Step 6 - Navigate back to VCFA Organization Admin Portal and start IdP Configuration wizard and enter the Client ID, Secret and OIDC Well-Known URL from the previous step.


Step 7 - For the Keycloak IdP, I used the following claim mappings; you may need to adjust them for other IdPs. Click Save to complete the OIDC Client configuration.


Step 8 - To enable users to log in from your IdP, navigate to Access Control on the left hand side of the VCFA Organization Admin Portal, enter the full user@domain, specify the desired role and click Save. Authenticating at the IdP alone grants nothing; a user who has not been given a role here is still denied access to the organization.


Repeat this for the remaining VCFA Organizations that you wish to connect to your desired IdP.
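The Keycloak side of Steps 4 through 8 expressed declaratively, as an added example that is not the post's own code: it builds a Keycloak realm-import JSON per VCFA Organization (one realm per organization, as in the diagram above) with a confidential OIDC client registered for the exact organization redirect URL, derives the discovery URL that Step 6 asks for, and mirrors Keycloak's Valid redirect URI matching in simplified form to show why an exact URL is preferable to a wildcard. The Keycloak base URL, organization names, callback URLs and the /tenant/<org> portal path are assumptions for illustration.

```python
"""Declarative Keycloak realm per VCFA Organization (added example).

Writes one realm-import JSON per organization that Keycloak can load with
`kc.sh import --dir <dir>`. All URLs and organization names below are
assumptions for illustration, not values taken from the post.
"""
from __future__ import annotations

import json
import secrets
from pathlib import Path

KEYCLOAK_BASE = "https://auth.vcf.lab:8443"   # assumed Keycloak URL
VCFA_BASE = "https://auto01.vcf.lab"          # assumed VCFA URL


def well_known_url(keycloak_base: str, realm: str) -> str:
    """OIDC discovery URL for a realm: the 'OIDC Well-Known URL' from Step 5."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"


def redirect_uri_allowed(registered: list[str], presented: str) -> bool:
    """Simplified mirror of Keycloak's Valid redirect URI check.

    An entry matches exactly, or by prefix when it ends in '*'. With the
    exact entry pasted in Step 5 nothing but the org callback passes; a
    wildcard such as 'https://auto01.vcf.lab/*' would also accept any other
    path on that host, including one a different tenant controls.
    """
    for entry in registered:
        if entry.endswith("*"):
            if presented.startswith(entry[:-1]):
                return True
        elif presented == entry:
            return True
    return False


def build_realm_import(org: str, redirect_url: str,
                       client_secret: str | None = None) -> dict:
    """One realm plus one confidential OIDC client for a VCFA Organization."""
    client = {
        "clientId": f"vcfa-{org}",               # Step 5: name it after the org
        "protocol": "openid-connect",
        "enabled": True,
        "rootUrl": f"{VCFA_BASE}/tenant/{org}",  # assumed org portal path
        "redirectUris": [redirect_url],          # exact URL copied in Step 3
        "publicClient": False,                   # 'Client authentication' On -> secret issued
        "clientAuthenticatorType": "client-secret",
        "secret": client_secret or secrets.token_urlsafe(32),
        "standardFlowEnabled": True,             # authorization-code flow only
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,      # no resource-owner password grant
        "serviceAccountsEnabled": False,
    }
    return {
        "realm": org,                            # Step 4: realm per organization
        "enabled": True,
        "displayName": f"VCFA {org}",
        "clients": [client],
    }


def write_realm_imports(orgs: dict[str, str], out_dir: Path) -> list[Path]:
    """orgs maps organization name -> redirect URL from its Org Admin Portal."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for org, redirect_url in orgs.items():
        path = out_dir / f"{org}-realm.json"
        path.write_text(json.dumps(build_realm_import(org, redirect_url), indent=2))
        written.append(path)
    return written


if __name__ == "__main__":
    # Constructed sample: two organizations, each with its own callback URL.
    sample = {
        "engineering": f"{VCFA_BASE}/tenant/engineering/oidc/callback",
        "finance": f"{VCFA_BASE}/tenant/finance/oidc/callback",
    }
    for p in write_realm_imports(sample, Path("realm-imports")):
        realm = json.loads(p.read_text())
        print(p, "->", well_known_url(KEYCLOAK_BASE, realm["realm"]))
```

The generated secret is written into the import file, so keep that file out of version control; if you prefer to let Keycloak generate the secret, drop the `secret` key and read it from the client's Credentials tab as in Step 5.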


Step 9 (Bonus) - Multi-Factor Authentication (MFA) is a capability of the IdP, and most modern IdPs support the WebAuthn protocol, which enables the use of passkeys, including hardware keys such as a YubiKey and platform authenticators such as Apple Face ID and Touch ID. Below are the high level steps to enable WebAuthn for the Keycloak IdP; please refer to your specific IdP for enabling a similar capability.

Under Realm Settings->Login, toggle on User registration


Under Authentication->Flows, duplicate the default browser flow to add support for WebAuthn. Add the Username Form and WebAuthn Passwordless Authenticator steps by clicking on the "+" icon within the sub-flow, then remove every other item not seen in the screenshot below; any password step left in the flow means the realm still accepts passwords. Finally, put the new flow into effect by binding it as the realm's browser flow (Bind flow->Browser flow), or as an Authentication flow override on the individual OIDC client if only some organizations should require a passkey.


Open an incognito browser window and log in to the Account Console of the specific Keycloak realm as the user who will register their WebAuthn device (e.g. https://auth.vcf.lab:8443/realms/engineering/account); the passkey is registered under Account security->Signing in. In my example, I have registered a YubiKey for authentication.


When I attempt to log in to a VCFA Organization that is connected to my Keycloak IdP, where only WebAuthn is configured for that realm, I will only see an option to use a passkey for signing in.


After selecting the specific type of passkey device, I authenticate by entering the device PIN and physically touching the YubiKey, and assuming the user has been authorized in the VCFA Organization (Step 8), I am taken straight into the VCFA Organization!
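The passkey-only flow from Step 9 in Keycloak's realm-import format, as an added example that is not the post's own code. It defines the duplicated browser flow (cookie, then a sub-flow of Username Form plus WebAuthn Passwordless), checks that no password authenticator is still reachable from it (the "remove every other item" part of the step, which is what actually makes the realm passwordless), and shows the two ways to put it in effect: realm-wide as the browser flow, or as a per-client override for only some VCFA Organization clients, which is the per-client MFA override mentioned earlier in the post. Flow aliases, the realm name and client IDs are assumptions; the per-client override references the flow by its id, which is how Keycloak exports it.

```python
"""Passkey-only (WebAuthn passwordless) browser flow for a Keycloak realm import.

Added example; flow aliases, realm and client IDs are assumptions, not
values from the post.
"""
from __future__ import annotations

import json
import uuid

# Keycloak authenticator provider IDs that accept a password. If any of these
# remains reachable from the browser flow, the realm is not passwordless.
PASSWORD_AUTHENTICATORS = {
    "auth-username-password-form",
    "auth-password-form",
    "direct-grant-validate-password",
}


def _execution(priority: int, requirement: str, authenticator: str | None = None,
               sub_flow: str | None = None) -> dict:
    """One AuthenticationExecutionExport entry (authenticator or sub-flow)."""
    ex = {"requirement": requirement, "priority": priority, "userSetupAllowed": False,
          "autheticatorFlow": sub_flow is not None}  # sic: Keycloak's export field name
    if sub_flow:
        ex["flowAlias"] = sub_flow
    else:
        ex["authenticator"] = authenticator
    return ex


def passwordless_browser_flow(alias: str = "browser-passkey") -> list[dict]:
    """Duplicated browser flow reduced to cookie -> username -> passkey."""
    forms = f"{alias} forms"
    return [
        {
            "id": str(uuid.uuid4()),
            "alias": alias,
            "description": "Cookie or passkey sign-in; no password step",
            "providerId": "basic-flow",
            "topLevel": True,
            "builtIn": False,
            "authenticationExecutions": [
                _execution(10, "ALTERNATIVE", authenticator="auth-cookie"),
                _execution(20, "ALTERNATIVE", sub_flow=forms),
            ],
        },
        {
            "id": str(uuid.uuid4()),
            "alias": forms,
            "providerId": "basic-flow",
            "topLevel": False,
            "builtIn": False,
            "authenticationExecutions": [
                _execution(10, "REQUIRED", authenticator="auth-username-form"),
                _execution(20, "REQUIRED",
                           authenticator="webauthn-authenticator-passwordless"),
            ],
        },
    ]


def authenticators_in(flows: list[dict], alias: str) -> set[str]:
    """Every authenticator reachable from `alias`, following sub-flows."""
    by_alias = {f["alias"]: f for f in flows}
    seen: set[str] = set()
    pending = [alias]
    while pending:
        for ex in by_alias[pending.pop()]["authenticationExecutions"]:
            if ex.get("autheticatorFlow"):
                pending.append(ex["flowAlias"])
            else:
                seen.add(ex["authenticator"])
    return seen


def is_passwordless(flows: list[dict], alias: str) -> bool:
    return not (authenticators_in(flows, alias) & PASSWORD_AUTHENTICATORS)


def bind_browser_flow(realm: dict, flows: list[dict], alias: str,
                      client_ids: list[str] | None = None) -> dict:
    """Attach the flow to a realm import and put it into effect.

    client_ids=None binds it realm-wide (Authentication -> Bind flow -> Browser
    flow); otherwise only the named clients get it as an override (client
    Advanced tab -> Authentication flow overrides), which references the flow id.
    """
    if not is_passwordless(flows, alias):
        raise ValueError(f"flow {alias!r} still contains a password authenticator")
    realm.setdefault("authenticationFlows", []).extend(flows)
    flow_id = next(f["id"] for f in flows if f["alias"] == alias)
    if client_ids is None:
        realm["browserFlow"] = alias
    else:
        for client in realm.get("clients", []):
            if client["clientId"] in client_ids:
                client.setdefault("authenticationFlowBindingOverrides", {})["browser"] = flow_id
    return realm


if __name__ == "__main__":
    # Constructed sample: one shared realm, passkeys required for one org only.
    realm = {"realm": "vcf-lab", "registrationAllowed": True,
             "clients": [{"clientId": "vcfa-engineering"}, {"clientId": "vcfa-finance"}]}
    bound = bind_browser_flow(realm, passwordless_browser_flow(), "browser-passkey",
                              client_ids=["vcfa-engineering"])
    print(json.dumps(bound, indent=2))
```

Run `is_passwordless` against an exported realm after editing flows in the console as well; it is easy to leave the original Username Password Form alongside the new steps, and the check above catches that before the realm goes live.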

Categories // VMware Cloud Foundation Tags // Keycloak, OIDC, VCF 9.0, VCF Automation

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.