There are a number of exciting enhancements to VMware Cloud Foundation (VCF) Single Sign-On (SSO) with the release of VCF 9.1, from Generic OIDC/SAML2 Identity Provider (IdP) support and a streamlined way to manage component-level privileges using VCF Roles to API Client and Token support for non-interactive logins, just to name a few.

The process of connecting to an external IdP is mostly the same as in earlier VCF releases. I typically use Keycloak for VCF SSO in my lab environment, and you can follow this blog post for the detailed step-by-step instructions.
What has changed are some of the underlying VCF Operations and Identity Broker APIs used to configure VCF SSO in 9.1. With the introduction of VCF Roles, I also thought it would be good to refresh the PowerShell script I had originally written for configuring VCF 9.0 SSO with an OIDC-based IdP for VCF 9.1.
You can download the updated script called configure_vcf_910_sso_with_oidc_idp.ps1 which behaves similarly to the previous version. You will need to fill out the variables within the script:
- VCF_OPERATIONS_HOSTNAME - The FQDN of your VCF Operations
- VCF_OPERATIONS_USERNAME - The username with VCF SSO Configuration privileges (e.g. admin)
- VCF_OPERATIONS_PASSWORD - The password for the user
- VCF_SSO_DEPLOYMENT_MODEL - Whether to use the embedded vCenter Server Identity Broker or external Identity Broker located within the VCF Management Services (VCFMS)
- OIDC_LABEL - The friendly label shown in VCF SSO configuration UI
- OIDC_OPENID_DISCOVERY_URL - The OIDC Discovery URL for your external IdP
- OIDC_TLS_FULLCHAIN_PEM - HTTPS is required for an OIDC-based IdP; you will need the full path to the TLS certificate chain in PEM format
- OIDC_CLIENT_ID - This is the Client ID generated from your IdP OIDC application
- OIDC_CLIENT_SECRET - This is the Client Secret generated from your IdP OIDC application
- OIDC_DOMAIN - This is your DNS Domain for your IdP
- OIDC_JIT_PRE_PROVISION_GROUP - This is the name of the group provisioned in your IdP that will automatically be granted the VCF Administrator role
- OIDC_GROUP_ATTRIBUTE - You can use the default "group"
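A pre-flight check for two of the variables above, OIDC_OPENID_DISCOVERY_URL and OIDC_TLS_FULLCHAIN_PEM, as an added example that is not part of the downloadable script. The Test-OidcSsoInput helper, the idp.example.test host and the leaf-first chain order are assumptions, and the sample certificate is constructed; it needs PowerShell 7 or later.

```powershell
# Added example: Test-OidcSsoInput is a hypothetical helper, not part of the downloadable script.
function Test-OidcSsoInput {
    param(
        [Parameter(Mandatory)][string]$DiscoveryUrl,  # value of OIDC_OPENID_DISCOVERY_URL
        [Parameter(Mandatory)][string]$FullChainPem   # value of OIDC_TLS_FULLCHAIN_PEM (file path)
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    # HTTPS is required for an OIDC-based IdP, so reject anything else up front.
    $uri = $null
    if (-not [Uri]::TryCreate($DiscoveryUrl, [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
        $problems.Add("Discovery URL is not an absolute https URL: $DiscoveryUrl")
    }
    if (-not (Test-Path -LiteralPath $FullChainPem -PathType Leaf)) {
        $problems.Add("PEM file not found: $FullChainPem")
        return $problems
    }
    # Split the file into its CERTIFICATE blocks and parse each one.
    $pem = Get-Content -LiteralPath $FullChainPem -Raw
    $rx = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $certs = @(foreach ($m in [regex]::Matches($pem, $rx)) {
        [byte[]]$der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    })
    if ($certs.Count -eq 0) { $problems.Add('No CERTIFICATE blocks found in PEM file') }
    $now = Get-Date
    for ($i = 0; $i -lt $certs.Count; $i++) {
        $c = $certs[$i]
        if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
            $problems.Add("Certificate $i ($($c.Subject)) is outside its validity period")
        }
        # Assumption: the chain is ordered leaf first, each certificate issued by the next one.
        if (($i -lt ($certs.Count - 1)) -and ($c.Issuer -ne $certs[$i + 1].Subject)) {
            $problems.Add("Certificate $i is not issued by certificate $($i + 1)")
        }
    }
    return $problems
}

# Constructed sample input: a throwaway self-signed certificate written out as PEM.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new('CN=idp.example.test',
    $rsa, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
$pemPath = Join-Path ([IO.Path]::GetTempPath()) 'constructed-fullchain.pem'
$b64 = [Convert]::ToBase64String($cert.RawData)
"-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" | Set-Content -LiteralPath $pemPath
# The http:// URL below is deliberate, so the run reports one problem for the sample input.
Test-OidcSsoInput -DiscoveryUrl 'http://idp.example.test/.well-known/openid-configuration' -FullChainPem $pemPath
```

An empty result means both inputs passed these checks; it does not confirm that the IdP is reachable or that the chain is trusted.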
Here is an example of running the PowerShell script. As you can see, the entire configuration completes in under 1 minute, whereas the manual configuration of VCF SSO can easily take 10s of minutes, if not more.

Hello William,
Please write a blog on how to configure Microsoft Entra ID as an Identity Provider with step by step procedure for 9.1!!
I’m pretty sure this is already configured in product documentation, have you looked?