This post is part of a short series that builds on our minimal VMware Cloud Foundation (VCF) 9.0 deployment (2x Minisforum MS-A2) and showcases how to fully leverage the exciting new capabilities in the VCF 9 platform, all while maintaining a minimal resource footprint, which is ideal for lab and learning purposes.
In this blog post, we will walk through the setup of connecting a VCF Automation (VCFA) Organization to an external identity provider (IdP) using a free and self-hosted solution called Keycloak, which I am also using for setting up VCF Single Sign-On (SSO) capability. Depending on your goals for your VCFA lab environment, the ability to explore different IdP policies (e.g. MFA, etc) for an organization to experimenting with VCFA roles and access controls, will ultimately depend on the capabilities of your IdP
Since I am using Keycloak as my IdP, I can create what is known as a realm, which allows me to manage a collection of users and groups. From a single Keycloak Realm, I can then create multiple OIDC Application Clients that can then be used to provide authentication to both my VCFA Provider Admin Portal (via VCF SSO) as well as to the different VCFA User Organizations as depicted in the visual below, all backed by a single realm.
Keycloak allows customization of the IdP login screen, which is a pretty common feature of most IdP. For Keycloak specifically, the login customization is defined on per-realm basis, so you would need to create multiple realms that would then contain an OIDC Application Client for your desired VCFA Organizations which is depicted in the diagram below.
For MFA policies such as mandating a second factor or enforcing passkeys (YubiKey, Apple FaceID, Apple TouchID, etc), while these can be defined at a realm-level, you can override this on per OIDC Application Client. The above illustration is purely for simple lab setup, you can certainly setup a more complex environment with different IdPs that is connected to each VCFA Organization which will closely mirror environment like a Cloud Service Provider (CSP) than a typical Enterprise who might only have a single IdP.
Note: Keycloak has an extensive framework for building custom themes, I am using this KoreUI theme package, which I was able to hack up to build the customization screens you see in the very first screenshot.
Here are some additional VCF Automation IdP Resources that might be of interests if you would like to learn more:
Requirements:
