WilliamLam.com

VMware Cloud Enterprise Federation with Microsoft Azure Active Directory

by // Leave a Comment

As a follow-up to my recent blog post on how to configure identity federation between VMware Cloud and AWS SSO using our the new Just-in-Time (JiT) provisioning method, I was also interested to see what the process looked like with Microsoft Azure Active Directory (AD), which is another popular identity provider, which can also benefit our Azure VMware Solution (AVS) customers leveraging VMware Cloud Services. Similar to AWS SSO, I had never worked with Azure AD before and this was a good opportunity to check out their service.

Here is a quick video for those interested in the final logon experience when VMware Cloud is using Azure AD as the identity provider:

[Read more...]

VMware Cloud Enterprise Federation with AWS SSO

by // Leave a Comment

Earlier this week I came to learn about a really cool enhancement that was just added to our VMware Cloud Services Console called Connector-less Self-Service Enterprise Federation Setup, it's a bit of a mouth full, but it basically makes configuring identity federation between the VMware Cloud Services Console and other third party identity provider extremely easy.

Identity federation is not a new feature in VMware Cloud and it has been supported for some time now, but it required customers to deploy the Workspace ONE Access connector into their on-premises environment for federating with either their local or third party identity provider. The new method that was introduced is "connector-less" because it does not require any additional infrastructure to be deployed and it also leverages SAML JIT (Just-in-Time) dynamic provisioning.


While looking at the some the pre-defined identity providers, I noticed that AWS Single Sign-On (SSO) was not listed and since we have customers that use both VMware Cloud on AWS and native AWS services, this would certainly be a nice way to provide a common logon experience. Another benefit is also for customers using the new VMware Cloud with Tanzu services with Tanzu Mission Control (TMC), they can now easily manage secure access and provide their their end users the ability to provision and consume Tanzu Kubernetes Clusters (TKC) without the need of exposing them to the underlying infrastructure which is managed by the Cloud Administrators.

This was certainly a few good reasons to try out this new feature, especially as I have never worked with AWS SSO before.

Here is a quick video for those interested in the final logon experience when VMware Cloud is using AWS SSO as the identity provider:

[Read more...]

Configuring Active Directory integration with VMware PKS Ops Manager using VMware Identity Manager (vIDM)

by // 1 Comment

When configuring Ops Manager for VMware Pivotal Container Service (PKS) from an Authentication standpoint, you can either chose local authentication or use an external identity provider. The former means you are managing local users that reside within the User Account and Authentication (UAA) component of Ops Manager, which may be okay for a lab or proof of concept environment. However, for a Production deployment, most customers prefer to use their enterprise directory services which is typically Microsoft Active Directory.

Ops Manager can integrate with a number of external identity providers as long as it can speak SAML. For VMware customers, the preferred identity provider solution is VMware Identity Manager (vIDM) which not only supports Active Directory, but can also support a number of other directory service integrations like Active Directory Federation Services (ADFS) as example. Since vIDM supports SAML-based authentication, we can configure Ops Manager to use vIDM which also means we benefit from all of the enterprise Single Sign-On capabilities that vIDM delivers, including things like multi-factor authentication which can provide an additional layer of security when connecting to your PKS infrastructure.

Since there is currently no documentation on how to set this up, with the help of my colleague Blair Fritz and Assaf from the vIDM Engineering team, we have documented the process below which outline the required steps to integrate Ops Manager with vIDM.

[Read more...]