Configuring VMware Cloud Foundation (VCF) Single Sign-On (SSO), introduced in VCF 9.0, can be quite lengthy, especially when you go through the workflow for the first time.

For my lab setup, I use Keycloak, a popular and free OIDC-based IdP, and have documented a step-by-step guide for using it with VCF SSO.
Even as an experienced user of VCF SSO, I find the configuration can still take several minutes, depending on your familiarity with the UI inputs. This is something I have wanted to automate for some time, but it meant digging into the private API calls used by the VCF Operations UI.
After a bit of trial and error, I have created a PowerShell script called configure_vcf_900_sso_with_oidc_idp.ps1 which fully automates the configuration of VCF SSO with an OIDC-based IdP, such as Keycloak in my example.
The script also takes care of the several VCF Operations UI confirmation screens that are part of the activation, which will save you a number of clicks!

Before running the script, you will need to update several variables.
The first section contains the credentials for your VCF Operations instance, whether you would like to configure VCF SSO using the Embedded Identity Broker (vIDB) within vCenter Server or an External vIDB that you have already deployed, and whether VCF Automation (VCFA) is running in your environment.
$VCF_OPERATIONS_FQDN="vcf02.vcf.lab"
$VCF_OPERATIONS_USERNAME="admin"
$VCF_OPERATIONS_PASSWORD='VMware1!VMware1!'
$VCF_SSO_DEPLOYMENT_MODEL="EMBEDDED" #EMBEDDED or EXTERNAL
$VCF_AUTOMATION_DEPLOYED=$true #$true or $false
The second portion is all the configuration values from your IdP, including the full path to your TLS certificate chain, as HTTPS is required for OIDC configuration with VCF SSO.
$OIDC_LABEL="Keycloak"
$OIDC_OPENID_DISCOVERY_URL="https://auth.vcf.lab:8443/realms/it/.well-known/openid-configuration"
$OIDC_TLS_FULLCHAIN_PEM="/Users/lamw/Desktop/auth.vcf.lab-fullchain.pem"
$OIDC_CLIENT_ID="vcf"
$OIDC_CLIENT_SECRET=""
$OIDC_DOMAIN="vcf.lab"
$OIDC_JIT_PRE_PROVISION_GROUP="vcf-admins"
$OIDC_GROUP_ATTRIBUTE="groups"
Note: If you are unsure about the values or where to locate them in your IdP, please see this blog post, which provides a step-by-step walkthrough using Keycloak as the OIDC IdP.
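Because the script pushes these values straight into VCF SSO, it is worth checking them before running it: that the discovery URL really is HTTPS, that the PEM chain parses and is not expired, and that the IdP's discovery document actually exposes the issuer, endpoints and group claim the configuration relies on. The following pre-flight check is an added example of mine, not part of configure_vcf_900_sso_with_oidc_idp.ps1; the variable names and sample values come from the post, while the Test-OidcInputs function and its checks are my own assumptions.

```powershell
# Added pre-flight check for the OIDC inputs. This is example code, not part of
# configure_vcf_900_sso_with_oidc_idp.ps1. Variable names and sample values are
# taken from the blog post; the Test-OidcInputs function is an assumption.

$OIDC_OPENID_DISCOVERY_URL = "https://auth.vcf.lab:8443/realms/it/.well-known/openid-configuration"
$OIDC_TLS_FULLCHAIN_PEM    = "/Users/lamw/Desktop/auth.vcf.lab-fullchain.pem"
$OIDC_GROUP_ATTRIBUTE      = "groups"

function Test-OidcInputs {
    param(
        [Parameter(Mandatory)][string]$DiscoveryUrl,
        [Parameter(Mandatory)][string]$FullChainPem,
        [string]$GroupAttribute = "groups"
    )
    $problems = @()

    # 1. VCF SSO requires HTTPS for the OIDC discovery endpoint.
    $uri = [System.Uri]$DiscoveryUrl
    if ($uri.Scheme -ne "https") {
        $problems += "Discovery URL must use https:// (got '$($uri.Scheme)')"
    }
    if (-not $DiscoveryUrl.EndsWith("/.well-known/openid-configuration")) {
        $problems += "Discovery URL should end in /.well-known/openid-configuration"
    }

    # 2. The PEM chain must exist, parse, and contain only unexpired certificates.
    if (-not (Test-Path -LiteralPath $FullChainPem)) {
        $problems += "TLS full-chain PEM not found: $FullChainPem"
    } else {
        $chain = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
        $chain.ImportFromPemFile($FullChainPem)   # requires PowerShell 7.1+ (.NET 5+)
        if ($chain.Count -eq 0) {
            $problems += "No certificates parsed from $FullChainPem"
        }
        foreach ($cert in $chain) {
            if ($cert.NotAfter -lt (Get-Date)) {
                $problems += "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)"
            }
        }
    }

    # 3. Fetch the discovery document over TLS (certificate validation left on)
    #    and confirm the issuer and the endpoints VCF SSO needs are present.
    try {
        $doc = Invoke-RestMethod -Uri $DiscoveryUrl -Method Get -ErrorAction Stop
        foreach ($key in "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri") {
            if (-not $doc.$key) { $problems += "Discovery document is missing '$key'" }
        }
        # Per OIDC Discovery, the document lives at <issuer>/.well-known/openid-configuration.
        $expectedIssuer = $DiscoveryUrl -replace "/\.well-known/openid-configuration$", ""
        if ($doc.issuer -and $doc.issuer.TrimEnd("/") -ne $expectedIssuer) {
            $problems += "Issuer '$($doc.issuer)' does not match discovery URL prefix '$expectedIssuer'"
        }
        # Group-based JIT pre-provisioning depends on the IdP emitting this claim.
        if ($doc.claims_supported -and ($doc.claims_supported -notcontains $GroupAttribute)) {
            $problems += "IdP does not advertise the '$GroupAttribute' claim; group mapping may not work"
        }
    } catch {
        $problems += "Could not fetch discovery document: $($_.Exception.Message)"
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

$result = Test-OidcInputs -DiscoveryUrl $OIDC_OPENID_DISCOVERY_URL `
                          -FullChainPem $OIDC_TLS_FULLCHAIN_PEM `
                          -GroupAttribute $OIDC_GROUP_ATTRIBUTE
if (-not $result.Ok) {
    $result.Problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "OIDC inputs look good; ready to run configure_vcf_900_sso_with_oidc_idp.ps1"
```

The discovery fetch deliberately does not skip certificate validation: if it fails with a trust error on the machine you run it from, that is a useful early signal that the chain in the PEM file is not the one the IdP is actually serving, or that the CA is not trusted where you expect it to be.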
Once you have saved all the changes to the script, you can run it as shown in the screenshot below and the entire VCF SSO configuration is completed in just 15 seconds!

Even if you have all the values memorized, which I suspect most of you will not, it will still take more than several minutes to iterate through each UI wizard, which can be painful if you are frequently rebuilding your environment 😅
While the automation has been specifically written for configuring an OIDC-based IdP, you can certainly use the same technique I used, inspecting the API calls and payloads made by the VCF Operations UI and translating them into an alternative IdP configuration, such as an AD/LDAP or SAML2-based IdP.
Do you know where I can find a good resource on how to set up the EntraID SSO in VCF 9?
https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/fleet-management/what-is/setting-up-sso/cofigure-vmware-cloud-foundation-identity-provider/configure-identity-provider-using-microsoft-entra-id.html