WilliamLam.com

VCF Automation Provider Organization as an OIDC Identity Provider for VCFA Tenant Organizations?

by // 3 Comments

VCF 9.0 Automation (VCF) contains two types of organizations, one for the Provider (also referred to System) and one for the tenants, which are just called Organizations. Both types of VCFA Organizations can be connected to an external Identity Provider (IdP) including OIDC, LDAP and SAML.

The VCFA Provider Organization can be configured to use the new VCF Single-Sign (SSO) feature, which is a capability of VCF Operations and utilizes a deployment of vIDB (Embedded or External) which is the identity broker to your desired external IdP like PingFederate or Okta as an example. While you can connect the VCFA Provider Organization directly to an external IdP, by using VCF SSO, administrators can now seamlessly login to all VCF management components, assuming you have been granted the appropriate permissions within each component.

For VCFA Tenant Organizations, where each organization could represent a completely different customer, such as in a service provider model, each individual VCFA organization can connect to their own independent external IdP, as represented in the diagram below.


For a typical Enterprise, you might only have a single IdP that you would use for both the Provider and Tenant Organizations. If you are using an OIDC IdP, you would need to create one OIDC Client for VCF SSO and then one additional OIDC Client for each organization that you would like to connect to the same OIDC IdP as shown below.


Instead of creating multiple OIDC Clients, could we just leverage the Provider Organization as the OIDC IdP for the VCF Tenant Organizations?

Note: Depending on your external IdP capabilities, you might need to have separate OIDC Clients for controlling multi-factor authentication (MFA) or customized login screen as I have demonstrated with using Keycloak as my external IdP.

[Read more...]

MS-A2 VCF 9.0 Lab: Configuring External IdP for Multiple VCF Automation Organizations

by // Leave a Comment

This post is part of a short series that builds on our minimal VMware Cloud Foundation (VCF) 9.0 deployment (2x Minisforum MS-A2) and showcases how to fully leverage the exciting new capabilities in the VCF 9 platform, all while maintaining a minimal resource footprint, which is ideal for lab and learning purposes.

In this blog post, we will walk through the setup of connecting a VCF Automation (VCFA) Organization to an external identity provider (IdP) using a free and self-hosted solution called Keycloak, which I am also using for setting up VCF Single Sign-On (SSO) capability. Depending on your goals for your VCFA lab environment, the ability to explore different IdP policies (e.g. MFA, etc) for an organization to experimenting with VCFA roles and access controls, will ultimately depend on the capabilities of your IdP


Since I am using Keycloak as my IdP, I can create what is known as a realm, which allows me to manage a collection of users and groups. From a single Keycloak Realm, I can then create multiple OIDC Application Clients that can then be used to provide authentication to both my VCFA Provider Admin Portal (via VCF SSO) as well as to the different VCFA User Organizations as depicted in the visual below, all backed by a single realm.


Keycloak allows customization of the IdP login screen, which is a pretty common feature of most IdP. For Keycloak specifically, the login customization is defined on per-realm basis, so you would need to create multiple realms that would then contain an OIDC Application Client for your desired VCFA Organizations which is depicted in the diagram below.


For MFA policies such as mandating a second factor or enforcing passkeys (YubiKey, Apple FaceID, Apple TouchID, etc), while these can be defined at a realm-level, you can override this on per OIDC Application Client. The above illustration is purely for simple lab setup, you can certainly setup a more complex environment with different IdPs that is connected to each VCFA Organization which will closely mirror environment like a Cloud Service Provider (CSP) than a typical Enterprise who might only have a single IdP.

Note: Keycloak has an extensive framework for building custom themes, I am using this KoreUI theme package, which I was able to hack up to build the customization screens you see in the very first screenshot.

Here are some additional VCF Automation IdP Resources that might be of interests if you would like to learn more:

Requirements:

[Read more...]

Quick Tip - Workaround for High CPU usage for ccs-k3s-app in VCF 9.0 Automation 

by // 5 Comments

On a few occasions, I have noticed that after the initial deployment of VMware Cloud Foundation (VCF) 9.0 that also includes VCF Automation (VCFA), the VCFA VM can experience a sustained CPU usage spikes exceeding 30 GHz.


Interestingly, VCFA continues to function fine and I am still able to connect to both VCFA Provider Admin/Organization Portals and perform tasks. In fact, I would not have noticed if it was not for the fans on my MS-A2 spinning like crazy and was able to track it down to ESXi host running the VCFA VM.

[Read more...]