vSphere 7 – Part 3: Identity Federation

Modernizing vSphere Authentication:

Identity is the New Perimeter!

With the recent release of VMware vSphere 7.0, there are lots of new features in the security space. This post provides information on Identity Federation with ADFS.

As explained in Bob Plankers’ video on Identity Federation in vSphere 7, which has collected an enormous number of subscribers due to The Marketing Heaven efforts, identity management is one of the biggest ways a company can stay secure! It’s crucial that employees be able to authenticate themselves AND that companies can trust that the right user is authenticating for an email account or any other resource …

Multi-factor authentication, 2-factor authentication, … well … Too many authentication methods make it heavy and challenging to adapt and support everything.

Identity Federation is … “facile”

With vSphere 7, the first IdP (Identity Provider) supported is Microsoft ADFS (Active Directory Federation Services), and others will certainly come into play in future updates to the release.

As depicted below, a user comes along to the vSphere Client, which has been attached to the identity provider (ADFS). The vSphere Client redirects logins to the ADFS login box. Once authenticated, the user is redirected back to vCenter with a cryptographic token. The user is then logged in automatically and can continue working.

Identity Federation

Standards-based protocols: OAUTH2 and OIDC

Reduced audit scope & vSphere Admin workload

Flexible MFA options – All MFA solutions integrate with IdPs

SSO still exists, though you have to choose IdF or AD/LDAP/IWA

- Check this TAM Lab for a walkthrough: TAM Lab 066 – vSphere 7 with ADFS Authentication
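The redirect-and-return login described above, seen from the relying party's side, as an added example (not code from the original post or from VMware): it builds the OIDC authorization redirect and then validates the returned ID token. The host names, client ID, redirect URI and demo key are constructed placeholders, and HS256 is a standard-library stand-in for the asymmetric signature a real IdP such as ADFS applies.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

# Constructed placeholders, not values from a real deployment.
ISSUER = "https://adfs.example.test/adfs"
CLIENT_ID = "vcenter-client-id-placeholder"
REDIRECT_URI = "https://vcenter.example.test/callback-placeholder"
DEMO_KEY = b"demo-only-key"  # assumption: stand-in for the IdP's signing key

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_login_redirect():
    """Relying party -> IdP: the URL the browser follows to the login box."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": "openid",
                       "state": state, "nonce": nonce})
    return f"{ISSUER}/oauth2/authorize?{query}", state, nonce

def sign_token(claims):
    """Constructed IdP side: issue a compact JWT (HS256 stand-in)."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    mac = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(mac)}"

def validate_login(callback_state, id_token, sent_state, sent_nonce, now=None):
    """Checks before login; id_token is what the token endpoint returned for the code."""
    if not hmac.compare_digest(callback_state.encode(), sent_state.encode()):
        raise ValueError("state mismatch")  # callback not tied to our redirect
    head, body, sig = id_token.split(".")
    if json.loads(b64u_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    mac = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64u_decode(sig), mac):
        raise ValueError("bad signature")
    claims = json.loads(b64u_decode(body))
    aud, now = claims.get("aud"), (time.time() if now is None else now)
    checks = [(claims.get("iss") == ISSUER, "wrong issuer"),
              (CLIENT_ID in (aud if isinstance(aud, list) else [aud]), "wrong audience"),
              (claims.get("nonce") == sent_nonce, "nonce mismatch"),
              (claims.get("exp", 0) > now, "token expired")]
    for ok, why in checks:
        if not ok:
            raise ValueError(why)
    return claims
```

The `state` check ties the callback to the redirect this session issued, and the `nonce` check ties the token to it, so a token replayed from another login is rejected even when its signature is valid.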

Identity Federation Configuration

Identity Federation is pretty straightforward to configure.

When you want to switch to Federation, you change the Identity Provider source, as depicted below:

Identity Federation

and then the users are automatically redirected to the IdP and back:

Identity Federation

Take into consideration, for future planning, that IWA is deprecated in vSphere 7 (Source) … in other words, that’s another 5 to 7 years of support:

Deprecation means that a feature is still present in a product, and still fully supported, but will be removed in a future release… In short, you are fully supported until vSphere 7.0 is not supported any longer. That’s April 2, 2025 for the end of general support, and April 2, 2027 for extended support.

While working on this post, I liaised with Mike Foley – he shared some code – basis of a PowerCLI script for enabling ADFS and vCenter for use of Identity Federation, not yet 100% done – but from my point of view, worthwhile to share here.

The only part that’s untested at this point is the section where the author runs invoke-script. Just remember that it comes without support if you want to use it…

🙂

The Future is Identity Federation

In other words, moving forward, AD over LDAPS and Identity Federation are the 2 recommended ways to configure AD authentication.

Identity Federation is going to be a great step forward for security, a reduction in work for compliance audits, and much less work for vSphere Admins!

Before you go, don’t forget to check the blog post from Bob Plankers: https://blogs.vmware.com/vsphere/2020/03/vsphere-7-identity-federation.html

The future is Identity Federation…

… and the Future starts Now 🙂
