WilliamLam.com

VCF 9.0 Automation (VCF) contains two types of organizations, one for the Provider (also referred to System) and one for the tenants, which are just called Organizations. Both types of VCFA Organizations can be connected to an external Identity Provider (IdP) including OIDC, LDAP and SAML.

The VCFA Provider Organization can be configured to use the new VCF Single-Sign (SSO) feature, which is a capability of VCF Operations and utilizes a deployment of vIDB (Embedded or External) which is the identity broker to your desired external IdP like PingFederate or Okta as an example. While you can connect the VCFA Provider Organization directly to an external IdP, by using VCF SSO, administrators can now seamlessly login to all VCF management components, assuming you have been granted the appropriate permissions within each component.

For VCFA Tenant Organizations, where each organization could represent a completely different customer, such as in a service provider model, each individual VCFA organization can connect to their own independent external IdP, as represented in the diagram below.

For a typical Enterprise, you might only have a single IdP that you would use for both the Provider and Tenant Organizations. If you are using an OIDC IdP, you would need to create one OIDC Client for VCF SSO and then one additional OIDC Client for each organization that you would like to connect to the same OIDC IdP as shown below.

Instead of creating multiple OIDC Clients, could we just leverage the Provider Organization as the OIDC IdP for the VCF Tenant Organizations?

Note: Depending on your external IdP capabilities, you might need to have separate OIDC Clients for controlling multi-factor authentication (MFA) or customized login screen as I have demonstrated with using Keycloak as my external IdP.

[Read more...]