VCF Operations

Streamline Administrative Access with VMware Cloud Foundation Single Sign-On

One of the new Fleet Management capabilities introduced in VMware Cloud Foundation (VCF) 9.0 is a totally revamped single sign-on experience that supports administrator access to all of the essential management interfaces such as: VCF Operations, vSphere Client, NSX Manager, and more. This new VCF Identity Broker (VIDB) component supports many modern identity providers as well as traditional directory services. In this article, you will learn how to enable and configure SSO in a VCF 9 environment.

Deployment Modes – Embedded or External Appliance

The first step in enabling VCF SSO is to choose a deployment mode for the identity broker. There are two options: embedded or external appliance. The embedded option is integrated with vCenter Server in the management domain and is well suited to smaller VCF environments that do not need to scale up to a fleet of VCF instances. For higher scalability, choose the external appliance option, which runs on a small 3-node cluster of VIDB appliances for resiliency. The external option can provide identity services across a VCF fleet and is recommended for up to five VCF instances.

Identity Provider Support

After selecting the deployment mode, you choose the identity provider. VCF 9 adds support for Ping Identity and Generic SAML 2.0 providers in addition to Okta, Entra ID, Active Directory, OpenLDAP, and more. Depending on the chosen provider, there will be various options as far as how to determine the groups which will be granted access to sign in to VCF components. Consult the product documentation for specific requirements. Another enhancement is to the user and group provisioning methods – now you can use JIT or AD/LDAP in addition to SCIM with the modern identity providers.

Component Configuration

Once the identity provider is set up, there is just one more step to enable VCF SSO on each component in the deployment. Setting up the core infrastructure components (vCenter Server and NSX Manager) is as easy as checking a box; multiple services can be enabled at once, and the operation takes just moments.

For the management components, the process is nearly as easy, but they are each positioned in a dedicated node in the navigation tree, so simply click over there and follow the user interface guidance to complete the SSO configuration.

Role Assignment

After completing the VCF SSO configuration, the remaining administrative task is to assign the desired roles on each component. This one-time task must be performed using the local admin accounts (such as “admin” or, in the case of vCenter Server, “administrator@vsphere.local”). Grant access to users and groups provisioned from the configured identity provider and select the permissions those users or groups need to manage the components.

This process varies by component. For example, you may decide to grant the Enterprise Admin role to a certain group so they can manage NSX.

To see the entire process for enabling access in a full VCF 9 deployment, check out the demo below.

SDDC Manager User Interface

A special note about SDDC Manager in VCF 9: This user interface is deprecated, but still accessible and the backend appliance is still a necessity for certain infrastructure management tasks. Given this status, it is not possible to log into the SDDC Manager UI via VCF SSO credentials – continue to use the local admin account, which is typically administrator@vsphere.local.

However, SDDC Manager does have an SSO configuration and you should still set up SSO for remote API access. This is because once you log into vCenter Server, certain actions you initiate in the vSphere Client will actually be performed by the SDDC Manager behind the scenes, and this will require authentication. So grant Administrator permissions in SDDC Manager to the same SSO group you will use in vCenter Server to ensure smooth and seamless access.
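The Role Assignment and SDDC Manager sections above describe two things an administrator has to keep straight by hand: roles should be granted to identity-provider groups rather than local accounts or individual users, and the SSO group that administers vCenter Server must also hold the Administrator role in SDDC Manager so that vSphere Client actions carried out by SDDC Manager do not fail authentication. The following Python script is an added example, not VMware's or VCF's own code, that checks an inventory of role assignments for exactly those conditions. The assignment table and its (component, principal, principal_type, role) tuple shape are constructed for this example; VCF Operations and SDDC Manager do not export assignments in this format, so a real run would need to populate the list from each component's own role-management view or API.

```python
from collections import defaultdict

# Constructed sample data for this example. The (component, principal,
# principal_type, role) tuple shape is an assumption, not a VCF export format.
# principal_type is one of "group" (IdP group), "user" (IdP user), "local".
SAMPLE_ASSIGNMENTS = [
    ("vCenter Server", "vcf-admins@corp.example", "group", "Administrator"),
    ("NSX Manager", "nsx-admins@corp.example", "group", "Enterprise Admin"),
    ("SDDC Manager", "administrator@vsphere.local", "local", "Administrator"),
    ("VCF Operations", "vcf-admins@corp.example", "group", "Administrator"),
    ("VCF Operations", "jdoe@corp.example", "user", "Administrator"),
]


def groups_with_role(assignments, component, role):
    """IdP groups granted `role` on `component` (local and per-user grants excluded)."""
    return {p for c, p, t, r in assignments if c == component and r == role and t == "group"}


def find_sddc_manager_gaps(assignments, vcenter="vCenter Server", sddc="SDDC Manager"):
    """Groups that administer vCenter Server but hold no Administrator role on SDDC Manager.

    Actions started in the vSphere Client can be carried out by SDDC Manager behind
    the scenes, so such a group will hit an authentication failure on those actions.
    """
    vc_admins = groups_with_role(assignments, vcenter, "Administrator")
    sddc_admins = groups_with_role(assignments, sddc, "Administrator")
    return sorted(vc_admins - sddc_admins)


def find_direct_user_grants(assignments):
    """Roles granted to individual IdP users instead of groups; these drift from the IdP's group model."""
    return sorted((c, p, r) for c, p, t, r in assignments if t == "user")


def find_local_account_grants(assignments):
    """Roles held by local (non-IdP) accounts, to review once the one-time bootstrap is done."""
    return sorted((c, p, r) for c, p, t, r in assignments if t == "local")


def roles_by_principal(assignments):
    """Map each principal to the set of (component, role) it holds, for a quick blast-radius view."""
    out = defaultdict(set)
    for c, p, _t, r in assignments:
        out[p].add((c, r))
    return dict(out)


def report(assignments):
    """Run all checks and return a dict; an empty list means nothing to fix for that check."""
    return {
        "vcenter_admin_groups_missing_on_sddc_manager": find_sddc_manager_gaps(assignments),
        "direct_user_grants": find_direct_user_grants(assignments),
        "local_account_grants": find_local_account_grants(assignments),
    }


if __name__ == "__main__":
    for check, findings in report(SAMPLE_ASSIGNMENTS).items():
        print(f"{check}: {findings if findings else 'ok'}")
    for principal, held in sorted(roles_by_principal(SAMPLE_ASSIGNMENTS).items()):
        print(f"{principal}: {sorted(held)}")
```

On the constructed sample, the gap check reports vcf-admins@corp.example because that group administers vCenter Server and VCF Operations but has no Administrator grant on SDDC Manager; adding that grant, as the article advises, clears the finding. The local-account check deliberately lists administrator@vsphere.local on SDDC Manager rather than failing on it, since the article notes that the SDDC Manager UI still requires the local account; the intent is a review list, not a hard rule.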

Hands-On Demo

If you would like to see the full VCF SSO configuration flow, check out this short Hands-On Lab (HOL) that walks you through the process: https://labs.hol.vmware.com/HOL/catalog/lab/26724

Takeaway

This new release of VMware Cloud Foundation brings significant changes for administrator workflows, especially with the consolidation of many administrative and management activities into the all-new VCF Operations interface. But there are still other, more specialized management consoles for administrators to access, and now thanks to VCF SSO and VIDB, there is far less friction when jumping over to perform certain actions in NSX Manager or vSphere Client. VCF SSO setup is easy, and security is not compromised due to the integration with trusted and proven identity providers.