WilliamLam.com

Passwordless login to vCenter Server or VMware Cloud Foundation (VCF) using Apple Face ID or Yubico YubiKey

by // Leave a Comment

After spending some time playing with a couple of self-hosted Identity Providers solutions like Authentik and Keycloak for use with vCenter Server Identity Federation, I was curious about their Multi-Factor Authentication (MFA) support. Specifically, I was interested in their WebAuthn capabilities, which should allow me to use the popular Yubico YubiKey for passwordless authentication into my VMware environment. 😊


It is also important to mention, today vCenter Server Identity Federation officially supports the following IdPs listed below, all of which have support for the YubiKey (linked below is the official Yubico documentation for each IdP from Yubico's website):

If you are already consuming one of these IdPs, you already have the ability to to use a YubiKey or other supported WebAuthn device for passwordless login! For VMware Cloud Foundation (VCF) customers, Identity Federation is also supported with the same IdPs as it relies on the VCF Management Domain vCenter Server, so this would allow you to login to SDDC Manager using YubiKey as an example.

I have never used a YubiKey before, so this was going to be a new adventure for me as well as playing with the WebAuthn protocol which is also new for me. I really like the UX of Authentik, which provides a seamless experience and with built-in support for SCIM, the choice was easy for the IdP I would choose for this experiment.

[Read more...]

vCenter Server Identity Federation with Keycloak Identity Provider without SCIM

by // 3 Comments

After publishing my recent article about using Authentik as an Identity Provider (IdP) for vCenter Server, which I have recieved a lot of positive feedback both internally (including a small typo note from my VP 😅 ) and externally, I had several folks ask whether the same could also be accomplished with another popular open source IdP called Keycloak.

While I have not personally worked with Keycloak before, I know it is a popular identity provider solution for modern applications, especially within a Kubernetes environment. After getting Keycloak up and running, I found out that it does NOT have support for a System for Cross-domain Identity Management (SCIM) server, which is used to automatically synchronize your users and groups from your IdP to your clients, which would be vCenter Server in this case.

While there are a couple of 3rd party SCIM providers for Keycloak such as this one, they were either out of date or just did not work for me and after a few hours of troubleshooting, I eventually gave up. It certainly would have been nice to have SCIM server out of the box with a nice UX like Authentik.

I figured I was completely out of luck with using Keylock as an IdP for vCenter Server, because it needs to know about the users before you can assign vSphere Permissions. As a last resort, I pinged a few folks from our IdP team to see if there were any tricks I that I could leverage given the lack of SCIM server support. It turns out since vCenter Server uses the Identity Broker (vIDB) for Identity Federation, there is an option for manually publishing users into vIDB by leveraging its APIs! 🤩

Disclaimer: Keycloak is currently not an officially supported vCenter Server IdP, please use at your own risk.

[Read more...]

vCenter Server Identity Federation with Authentik Identity Provider

by // 2 Comments

While answering a recent question on the VMware Reddit Community, I came to learn about Authentik, an open source identity provider (IdP), which is pretty feature rich and best of all, you can self-host the Authentik IdP solution.

While Authentik is not one of the officially supported Identity Providers for vCenter Server Identity Federation such as Okta, Microsoft Entra ID, Microsoft ADFS or PingFederate, I was curious if it would to allow me to easily play with the Identity Federation feature in vCenter Server? 🤔

Hint: It works! 😁

Disclaimer: Authentik is currently not an officially supported vCenter Server IdP as mentioned earlier, please use at your own risk.

[Read more...]