How to Configuring Identity Federation to Use Windows ADFS

Ok, you want to use multi-factor authentication accessing your vCenter? With vSphere 7 you can configure ADFS (Active Directory Federation Services)

ADFS is a software component to provide users with single sign-on access to systems and applications that are located across organizational boundaries.

Here is my playbook video:

Here is my playbook

  1. Go to Menu -> Administration
  1. Go to Single Sign On -> Configuration
  1. Check “i” icon for two URL

NOTE: Make a copy of them as you will need those URLs to configure your ADFS. Simply put, you need to tell ADFS where re-direct users.

  1. Now once you have URLs noted, click on Change Identity Provider.

NOTE: Currently, vCenter Server supports only Active Directory Federation Services (AD FS) as an external identity provider. vCenter Server supports only one external identity provider (one AD FS source), and the vsphere.local identity source. You cannot use multiple external identity providers. vCenter Server Identity Provider Federation uses OpenID Connect (OIDC) for user login to vCenter Server.

  1. Configuration page will appear and you need to fill out those information, which you will obtain from ADFS during ADFS configuration.
  1. Next page is for users and groups
  1. On the bottom part of this form you can find SSL Certificate. The ADFS server certificate should be signed by a trusted certificate authority. Browse for the cert and add it on.
  1. Add permissions in vCenter for ADFS
  1. New login experience.

NOTE: If ADFS or AD is not reachable you can login with vsphere.local account. Once you type in your local account then instead redirection, password field show up. Put correct credentials for vsphere.local and you will be in.

  1. Once you type in AD username than you will be redirected to ADFS login page. On ADFS login again to get to vCenter.
Please leave the comment