VMware Cloud Foundation (VCF) 9.0.1 is the latest maintenance release, incorporating a number of fixes but also including several nice enhancements such as the support for converging existing NSX environments with or with NSX Federation.

While VCF 9.0.1 has only been out for a few weeks, I have already seen a number of folks roll this out in their lab environment. For those that are new to VCF, I have seen several folks get stuck while going through the upgrade process from VCF 9.0.0 to VCF 9.0.1 when they reach the ESX portion of the upgrade, where they are asked to assign the matching vLCM image, but none are found as shown in the message below:

There are no images available that match the required target version to initiate the vLCM upgrade

Before VCF Operations can apply the ESX update, it requires a vLCM image that contains the desired ESX version (9.0.1) and since this is still a manual process of constructing the image as users might want additional components or vendor add-on, there are a couple of steps required before VCF Operations is made aware of the vLCM image which you will then be able to assign to vSphere Cluster.

[Read more...]

Most organizations rely on a single Identity Provider (IdP) such as Symantec VIP AuthHub, Okta, Microsoft Entra ID, or PingFederate to provide common identity and access management. However, for some organizations, managing multiple IdPs is just the reality, often due to organizational structure or mergers and acquisitions (M&A).

The new VCF 9.0 Single Sign-On (SSO) has a flexible architecture that can benefit organizations with either a single IdP or multiple IdPs, while still providing the SSO capability. The component that is responsible for providing VCF SSO is called the VCF Identity Broker (vIDB) and it has two deployment models, one of which can aide in the multi-IdP requirement.

VCF SSO is configured on a per-VCF Instance and by leveraging the built-in Embedded vIDB from within the vCenter Server Appliance (VCSA), we can configure VCF SSO using the VCSA within the VCF Management Domain to enable the different IdPs within each VCF Instance as illustrated in the diagram below:

While this may not be a common scenario for most customers, the good news is this just works out of the box without requiring any additional resources to be deployed.

For those with a single IdP and would like VCF SSO across multiple VCF Instances, you can streamline the configuration by deploying a single External vIDB instance which can then be used by multiple VCF Instances as illustrated in the diagram below:

Whether you have organizational requirements that mandate multiple IdPs or you would like to streamline a single IdP deployment, VCF 9.0 can support either or both!

Lastly, for those interested in playing with VCF SSO in a lab environment, but do not have access to an Enterprise IdP, you can check out this blog post using a self-hosted IdP called Keycloak.