VCF 9.0 Automation (VCF) contains two types of organizations, one for the Provider (also referred to System) and one for the tenants, which are just called Organizations. Both types of VCFA Organizations can be connected to an external Identity Provider (IdP) including OIDC, LDAP and SAML.
The VCFA Provider Organization can be configured to use the new VCF Single-Sign (SSO) feature, which is a capability of VCF Operations and utilizes a deployment of vIDB (Embedded or External) which is the identity broker to your desired external IdP like PingFederate or Okta as an example. While you can connect the VCFA Provider Organization directly to an external IdP, by using VCF SSO, administrators can now seamlessly login to all VCF management components, assuming you have been granted the appropriate permissions within each component.
For VCFA Tenant Organizations, where each organization could represent a completely different customer, such as in a service provider model, each individual VCFA organization can connect to their own independent external IdP, as represented in the diagram below.
For a typical Enterprise, you might only have a single IdP that you would use for both the Provider and Tenant Organizations. If you are using an OIDC IdP, you would need to create one OIDC Client for VCF SSO and then one additional OIDC Client for each organization that you would like to connect to the same OIDC IdP as shown below.
Instead of creating multiple OIDC Clients, could we just leverage the Provider Organization as the OIDC IdP for the VCF Tenant Organizations?
Note: Depending on your external IdP capabilities, you might need to have separate OIDC Clients for controlling multi-factor authentication (MFA) or customized login screen as I have demonstrated with using Keycloak as my external IdP.
What might be the use case for the following, outside of lab purposes or proof-of-concepts? If you have a single external IdP that contains all of your users/groups that will be authorized to access all organizations, you can reduce the need to create individual OIDC Clients for each new organization. Furthermore, the external IdP is most likely managed by a different team (security/identity) than from the infrastructure team and requesting additional OIDC Clients for the same backend might not always be easy or possible.
Disclaimer: While the above configuration is currently possible, it is not officially supported. If you have common external IdP that you would like to use for both the Provider and Tenant Organization, you will need to create separate OIDC Clients for each organization.
Step 1 - Ensure VCF SSO has already been configured and enabled for your VCFA instance within VCF Operations.
Step 2 - Create a new VCFA Organization in the provider portal and then launch the newly created organization portal and head over to Administer->Connections->Identity Providers and make a note of the OIDC Client Redirect URL
Step 3 - Login to VCF Operations (VCFO) and under Fleet Management->Identity & Access->VCF Other Components and create a new client. Provide a friendly name for the client and then enter the OIDC Client Redirect URL from the previous step and then click on generate OIDC Client and make a note of the Identity Broker Issuer URL, Client ID, Client Secret and then click on the save button to complete the wizard
Step 4 - Login to VCFA Organization portal and head over to Administer->Connections->Identity Providers and start click on the configure button to begin the setup.
Enter the OIDC Client ID/Secret from Step 3 as well as the Identity Broker Issuer URL as IdP Well-Known address and append /.well-known/openid-configuration to end. In my example, the vIDB Issuer URL is https://vc01.vcf.lab/acs/t/CUSTOMER and the final URL should be https://vc01.vcf.lab/acs/t/CUSTOMER/.well-known/openid-configuration as you can see from the screenshot below.
You can use the defaults for the remainder section until you reach the Claims Mapping and you just need to adjust the Subject to use the value acct and you can leave the rest as defaults and complete the configuration.
Step 5 - Next, we need to import users and/or groups from our IdP and authorize them into VCF Organization by going to Administer->Access Control and either specify individual user(s) and/or group(s) including the full domain such as *protected email* or *protected email* and then assigning the desired role.
Step 6 - Finally, open up a new incognito browser window to your VCFA instance (e.g. https://auto01.vcf.lab/automation) and specify the organization to login to. You should see the login to OIDC or whatever custom text you might have specified.
Once you click login, you should be redirected to the external IdP login for the Provider Organization that was already configured. If you now login with a user that has been authorized to access the Tenant Organization, it should take you directly into the Organization portal!
Hello Sir,
This article was very helpful — I’ve successfully logged into the organization using a user account. very good !!
However, the account I imported under “Groups” in Access Control cannot log in.
Only the accounts imported under “Users” can log in.
Do I need to adjust the Claims Mapping settings?
(The Subject has already been changed to acct.)
Thank you
What worked for me: in 'Identity Providers > OIDC' click 'Edit'. Then in step '3. Scopes' add "group" and in step '4. Claims Mapping' click '+ Add Mapping' then for 'Theme' select "Groups" and for 'Claim' fill in "group_names".
Great content,
To get it working for 'Groups' a small addition to step 4.
In substep Scopes add 'group' and in substep Claims Mapping add a mapping with Theme 'Groups' and Claim 'group_names'.
Does anybody know if this potentially changes when using EntraID as the Identy Provider of the fleet?
For me the Group membership does not work, even with the amendments recommended in the comments.