VCF 9.0 – Enable SSO using VCF Identity Broker

One of the new features introduced in VCF 9 is the VCF Identity Broker, which provides an improved Single Sign-On (SSO) experience.

In this article, I’ll show you how to prepare your environment to enable SSO across your VCF Fleet.


To get started, navigate to Fleet Management > Identity & Access.

Select your VCF Instance.

Now we follow the step-by-step wizard. The first step is choosing the deployment model.

There are two deployment modes:

  • Embedded VCF Identity Broker Model
  • Appliance VCF Identity Broker Model

More details can be found here.

Note: If you choose the Identity Broker appliance deployment model, a three-node cluster will be deployed. Also, you must download the vIDB binaries beforehand.

Since I’m using a nested environment with limited resources, I’m going to use the Embedded Identity Broker deployment model.

The second step is choosing an identity provider.

In my case, I’m going to use the AD/LDAP integration method.

This part is really straightforward. You only need to provide:

  • The bind user credentials
  • The FQDN of your domain controller
  • The LDAPS certificate
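Before typing those three values into the wizard, it is worth confirming that the domain controller really presents a certificate that chains to your CA, covers the FQDN you are about to enter, and is not close to expiry. The following Python check is an added example of mine, not code from the post or from VCF; it assumes the placeholders DC_FQDN and CA_BUNDLE, and that the wizard's certificate field accepts PEM.

```python
# Added pre-flight check for the wizard's AD/LDAPS inputs. Placeholders, not
# values from the original post: DC_FQDN (domain controller FQDN) and
# CA_BUNDLE (PEM file of the CA that issued the DC's LDAPS certificate).
import socket
import ssl
import time

LDAPS_PORT = 636

def san_matches(cert, fqdn):
    """True if fqdn is covered by a DNS SAN of a getpeercert()-style dict.
    A wildcard entry (*.lab.example) covers exactly one label."""
    fqdn = fqdn.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern.startswith("*."):
            host, sep, rest = fqdn.partition(".")
            if sep and host and rest == pattern[2:]:
                return True
        elif pattern == fqdn:
            return True
    return False

def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def check_ldaps_endpoint(fqdn, cafile, port=LDAPS_PORT):
    """Open a TLS session to the DC and verify its chain against cafile
    (a chain failure raises ssl.SSLCertVerificationError), then apply the
    SAN and expiry checks. Returns (ok, findings, pem); pem is the leaf
    certificate, PEM-encoded, for the wizard's LDAPS certificate field."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # SAN is checked below so it can be reported
    with socket.create_connection((fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    findings = []
    if not san_matches(cert, fqdn):
        findings.append(f"SAN does not cover {fqdn}")
    days = days_until_expiry(cert)
    if days < 30:
        findings.append(f"certificate expires in {days} days")
    return (not findings, findings, pem)
```

Run `check_ldaps_endpoint("DC_FQDN", "CA_BUNDLE")` from the machine that will reach the domain controller; an empty findings list means the inputs are safe to enter.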

Once your identity provider is configured, you can map the attributes.

My suggestion is to keep the defaults. But if your organization uses different attributes, now is the time to customize them.

For group and user provisioning, I usually keep the root domain or organizational unit (OU).

Note: This does not mean you are granting permissions to all users and groups in the domain. It only means that vIDB will be able to discover them.

Once you complete the third step, the configuration is finished.

You should now see your domain listed as one of the authentication directories.


Although deploying the VCF Identity Broker is the main step for enabling SSO across the VCF solutions, you still need to manually enable SSO for the individual solutions.

You should go to Fleet Management > Identity & Access > VCF Management and manually enable the SSO on the desired solutions.

Important: This configuration handles authentication only. To grant authorization to users or groups, you must access each individual solution (NSX, VCF Automation, VCF Operations, vCenter, etc.) and assign the appropriate roles and permissions.

I’m not going into the specifics of enabling SSO for each solution because the process is very similar and straightforward. However, if you have any questions, you can refer to the official documentation: Configure a New VCF Single Sign-On for a VCF Instance.

Hope you like it!
