This post is about vSphere 8 Identity Federation, and part of our VCP-DCV on vSphere 8 Study Guide page. VCP-DCV on vSphere 8.x Objective 1.10 – Describe identity federation. vSphere 7 has brought the Identity Federation feature, so it is not new in vSphere 8. Identity Federation allows you to attach vCenter Server to enterprise identity providers like Active Directory Federation Services (ADFS). Corporate users can use the same methods to log into vCenter Server as they do their desktops or in their cloud workloads. vSphere 7 and 8 versions support MFA & 2FA.
vCenter Server 8, if attached to the identity provider, the vSphere Client will redirect logins to the provider’s login page. The user can log-in by using their corporate credentials, with including any MFA that is configured as part of the system.
Once authenticated, the identity provider redirects those clients back to the vSphere Client with a cryptographic token that authorizes them. You can see similar technology used when you basically log into your Google, FB or Twitter accounts….
vSphere Identity Federation (VIF) uses industry standard protocols such as OIDC and OAuth 2.0 to connect to these systems and to participate in the corporate and identity solution. OpenID Connect (OIDC) is an authentication protocol based on the OAuth 2.0 specifications. It uses simple JSON Web Tokens (JWT). OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site or to a different site without the need to expose their credentials at any time.
The traditional link between vCenter Server and Microsoft Active Directory (AD) is no longer used if you use vCenter Identity Federation.
When Active Directory Federation Services (ADFS) are configured and users try to connect to vCenter, they are redirected to ADFS, which prompts the users for login credentials. After successful authentication, the users receive a token that enables them to do their work as before. The token-based service is an industry standard now, so vCenter will be able to use the same system as other applications and systems.
The process looks like this. Screenshot from VMware
vSphere Identity Federation will basically allows you to connect your vCenter Server to an external identity provider that supports OAuth 2.0, so you can log in to vCenter Server with the corporate identity using this enhanced single sign-on (SSO) and multi-factor authentication (MFA) method.
In this initial release, vSphere and ADFS will support some additional providers, such as Azure AD, PingID, Okta, vIDM, and others.
Find other chapters on the main page of the guide – VCP8-DCV Study Guide Page.
Thanks for reading.
More posts from ESX Virtualization:
- Homelab v 8.0 (NEW)
- vSphere 8.0 Page (NEW)
- Veeam Bare Metal Recovery Without using USB Stick (TIP)
- ESXi 7.x to 8.x upgrade scenarios
- A really FREE VPN that doesn’t suck
- Patch your ESXi 7.x again
- VMware vCenter Server 7.03 U3g – Download and patch
- Upgrade VMware ESXi to 7.0 U3 via command line
- VMware vCenter Server 7.0 U3e released – another maintenance release fixing vSphere with Tanzu
- What is The Difference between VMware vSphere, ESXi and vCenter
- How to Configure VMware High Availability (HA) Cluster