#VCP

vCenter has its own SSO instance that checks credentials against an identity source and issues authentication tokens to the vSphere Client and the other services in the vSphere SSO domain.

## Identity sources

You can think of identity sources as pools of users that can be authenticated against vCenter SSO.

### Local operating system of the SSO server

Accounts local to the operating system of the SSO (vCenter) server. The vsphere.local domain is the built-in SSO domain and exists only inside vCenter SSO; the Administrator user (administrator@vsphere.local) lives there. Neither should be used as a general repository of users for vSphere.

### Active Directory (Integrated Windows Authentication)

Legacy option for Active Directory integration, deprecated in vSphere 7.

### Active Directory over LDAP

Active Directory integration bound over LDAP. This is the option to move existing AD configurations to when migrating from older vSphere versions that used IWA.

### OpenLDAP

Identity source backed by an OpenLDAP server; the recommended choice when the directory is OpenLDAP. Supports OpenLDAP 2.4 or later.

## vSphere Identity Federation

Allows identity providers such as ADFS to be attached directly to vCenter. Users connect to vCenter but are redirected to ADFS, so vCenter never handles the credentials. ADFS authenticates the user against AD directly or forwards to a 2FA provider, then returns the authenticated user to vCenter with OIDC tokens; vCenter SSO in turn issues the SAML token used by the authenticated vSphere session.

- requires AD (ADFS is backed by it)
- supports features like MFA
- OIDC and OAuth 2.0 support
- vCenter does not need to be joined to AD

![[_media/vSphere - Authentication2024-07-20.png|vSphere - Authentication2024-07-20.png]]

![[_media/vSphere - Authentication2024-07-27.png|vSphere - Authentication2024-07-27.png]]

### Benefits

Identity federation allows one identity system to be integrated across vCenter and every other service that uses ADFS. It improves datacenter security because authentication never happens on the vCenter server itself, so no AD credentials pass through vCenter. It allows MFA, which the built-in identity sources above cannot provide on their own.
### Setup

- vCenter Server 7.0 or later
- create an application group for vCenter on the ADFS server
- create a vCenter Server admin group that will be mapped to vCenter administrators
- configure the identity provider in vCenter as an SSO administrator with the required information:
  - Client Identifier, the UUID ADFS assigns to the application group
  - Shared Secret, used by vCenter to authenticate to the ADFS application group
  - OpenID Address, the OpenID Connect discovery endpoint URL of the ADFS server (the `.well-known/openid-configuration` document)
- configure group membership in vCenter, mapping the AD groups to vCenter roles

## 🔗Resources

### ADFS setup

- tinyurl.com/2e6phv3v
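The following Python is an added, constructed model of the federation login flow described above and of the three values the Setup step feeds into vCenter (Client Identifier, Shared Secret, OpenID Address); it is not VMware's or ADFS's code. The hostnames, client identifier, secret, vCenter redirect URI and the discovery document are invented. To run offline, the constructed ADFS token is HS256-signed with the shared secret; real ADFS signs ID tokens with RS256 keys published at `jwks_uri`, so a real validator fetches those keys instead of using the secret. The validation order (signature first, then issuer, audience, nonce, expiry) is the part worth carrying over.

```python
"""Model of the vSphere Identity Federation login flow against ADFS (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import uuid
from urllib.parse import urlencode, urlsplit

# Values an admin would enter in vCenter SSO > Identity Provider (all constructed).
CLIENT_IDENTIFIER = "2b1d0d1e-4c8f-4a0e-9c1d-3f6b7a8e9d01"
SHARED_SECRET = "constructed-shared-secret-do-not-reuse"
OPENID_ADDRESS = "https://adfs.corp.example/adfs/.well-known/openid-configuration"
VCENTER_REDIRECT = "https://vcenter.corp.example/ui/login/oauth2/authcode"  # assumed path

# Constructed stand-in for what a GET of OPENID_ADDRESS would return from ADFS.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://adfs.corp.example/adfs",
    "authorization_endpoint": "https://adfs.corp.example/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.corp.example/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.corp.example/adfs/discovery/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def validate_setup_inputs(client_id, secret, openid_address):
    """Sanity checks on the three setup values before saving the identity provider."""
    uuid.UUID(client_id)  # ADFS hands out the client identifier as a UUID; raises ValueError otherwise
    if len(secret) < 16:
        raise ValueError("shared secret too short")
    u = urlsplit(openid_address)
    if u.scheme != "https" or not u.path.endswith("/.well-known/openid-configuration"):
        raise ValueError("OpenID address must be the HTTPS discovery URL")
    return True


def parse_discovery(doc_text, openid_address):
    """Parse the discovery document and require the endpoints the flow depends on."""
    doc = json.loads(doc_text)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            raise ValueError(f"discovery document missing {key}")
    # The issuer must live on the same host as the discovery URL we were configured with.
    if urlsplit(doc["issuer"]).netloc != urlsplit(openid_address).netloc:
        raise ValueError("issuer host does not match OpenID address")
    return doc


def build_authorization_redirect(doc, client_id, redirect_uri):
    """The redirect vCenter sends the browser to; state and nonce are fresh per login."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "scope": "openid", "state": state, "nonce": nonce}
    return doc["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256_token(claims, key):
    """Constructed ADFS stand-in: HS256 keeps this offline, real ADFS uses RS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token, key, doc, client_id, nonce, now=None):
    """Checks before trusting the identity and issuing the vSphere SAML session token."""
    now = time.time() if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a downgraded algorithm
    expected = hmac.new(key.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    if claims.get("iss") != doc["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this vCenter client")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replayed token?)")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims  # upn / group claims feed vCenter's group-membership mapping


def rejected(fn, *args, **kwargs):
    """True when a check raises ValueError; used to exercise the negative cases."""
    try:
        fn(*args, **kwargs)
        return False
    except ValueError:
        return True
```

Running `validate_setup_inputs`, `parse_discovery` and `build_authorization_redirect` in that order reproduces what vCenter does before the user ever sees ADFS; `validate_id_token` is the step after the browser comes back. The group claim in the returned claims is the value the "configure group membership" step maps onto vCenter roles.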