After publishing my recent article about using Authentik as an Identity Provider (IdP) for vCenter Server, which I have recieved a lot of positive feedback both internally (including a small typo note from my VP 😅 ) and externally, I had several folks ask whether the same could also be accomplished with another popular open source IdP called Keycloak.
While I have not personally worked with Keycloak before, I know it is a popular identity provider solution for modern applications, especially within a Kubernetes environment. After getting Keycloak up and running, I found out that it does NOT have support for a System for Cross-domain Identity Management (SCIM) server, which is used to automatically synchronize your users and groups from your IdP to your clients, which would be vCenter Server in this case.
While there are a couple of 3rd party SCIM providers for Keycloak such as this one, they were either out of date or just did not work for me and after a few hours of troubleshooting, I eventually gave up. It certainly would have been nice to have SCIM server out of the box with a nice UX like Authentik.
I figured I was completely out of luck with using Keylock as an IdP for vCenter Server, because it needs to know about the users before you can assign vSphere Permissions. As a last resort, I pinged a few folks from our IdP team to see if there were any tricks I that I could leverage given the lack of SCIM server support. It turns out since vCenter Server uses the Identity Broker (vIDB) for Identity Federation, there is an option for manually publishing users into vIDB by leveraging its APIs! 🤩
Disclaimer: Keycloak is currently not an officially supported vCenter Server IdP, please use at your own risk.