WilliamLam.com

Setup HTTPS for OIDC endpoint with Authentik and Keycloak for vCenter Server or VCF Identity Federation

by // Leave a Comment

If you have been following my recent adventures in playing with both Authentik and Keycloak as an OAuth/OIDC Identity Provider (IdP) for use with vCenter Server or VMware Cloud Foundation (VCF) Identity Federation, you can take it one step further and authenticate with a Yubico YubiKey or Apple Face ID for additional security.

In my original setup, the OIDC endpoint provided by both Authentik and Keycloak was using HTTP and works perfectly fine with both vCenter Server and SDDC Manager for a VCF-based environment. With that said, if you have a requirement to serve the OIDC endpoint over HTTPS, which is a requirement for using WebAuthn (e.g. YubiKey, Face Id, etc), then some additional configurations are required on both the identity provider as well on the vCenter Server side depending on the type of TLS certificate you are using.

[Read more...]

vCenter Server Identity Federation with Keycloak Identity Provider without SCIM

by // 3 Comments

After publishing my recent article about using Authentik as an Identity Provider (IdP) for vCenter Server, which I have recieved a lot of positive feedback both internally (including a small typo note from my VP 😅 ) and externally, I had several folks ask whether the same could also be accomplished with another popular open source IdP called Keycloak.

While I have not personally worked with Keycloak before, I know it is a popular identity provider solution for modern applications, especially within a Kubernetes environment. After getting Keycloak up and running, I found out that it does NOT have support for a System for Cross-domain Identity Management (SCIM) server, which is used to automatically synchronize your users and groups from your IdP to your clients, which would be vCenter Server in this case.

While there are a couple of 3rd party SCIM providers for Keycloak such as this one, they were either out of date or just did not work for me and after a few hours of troubleshooting, I eventually gave up. It certainly would have been nice to have SCIM server out of the box with a nice UX like Authentik.

I figured I was completely out of luck with using Keylock as an IdP for vCenter Server, because it needs to know about the users before you can assign vSphere Permissions. As a last resort, I pinged a few folks from our IdP team to see if there were any tricks I that I could leverage given the lack of SCIM server support. It turns out since vCenter Server uses the Identity Broker (vIDB) for Identity Federation, there is an option for manually publishing users into vIDB by leveraging its APIs! 🤩

Disclaimer: Keycloak is currently not an officially supported vCenter Server IdP, please use at your own risk.

[Read more...]