rossanderson
Enthusiast

vCenter with SAML and MFA

I'm trying to connect vCenter to our IdP (Okta) using SAML so that we can also have multifactor auth. However, when I look under the SSO config, I do not see a SAML Providers tab at all (as indicated in this doc - https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-24FBEF5A-4A93-468B-A039-A52603...)

What am I missing? Do I need to have a specific service running?

Thanks!

4 Replies
sjesse
Leadership

You can't in anything before 7.x, and that only works with ADFS. Read this part:

"You can use the vSphere Web Client to add a SAML service provider to vCenter Single Sign-On, and add vCenter Single Sign-On as the identity provider to that service. When users log in to the service provider, the service provider authenticates those users with vCenter Single Sign-On."

You're making vCenter an IdP, not the other way around. You need to use ADFS and then have ADFS point to Okta, I believe.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-C5E998B2-11...

rossanderson
Enthusiast

Thanks for the reply and additional info. We are currently on 6.7 so it appears that our options are limited.

Ugh. So you have to federate vCenter with ADFS and then do SAML from there? That seems pretty convoluted. I can't believe that VMware doesn't support SAML, OpenID or some other external secure authentication method other than just ADFS.

What else are people doing for SSO with their IdP though?

sjesse
Leadership

No idea if Okta can do this, but Duo has a proxy you can set up that acts as an LDAP proxy. You configure that and then configure vCenter to use that as its identity source. It works quite well. I don't have it in production yet, and may not since we are almost at 7.x, but I have it working in the lab.

https://community.duo.com/t/integrate-duo-with-vmware-vcsa-6-5-vmware-vcenter-server-appliance/1242/...

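As an added example, not from this thread and not Duo's own guide, here is the shape of the Duo Authentication Proxy configuration (authproxy.cfg) for the setup described above: vCenter's "Active Directory over LDAP" identity source points at the proxy, the proxy checks the password against the domain controller, then pushes the second factor before returning a successful bind. Hostnames, DNs, certificate paths and the Duo keys are placeholders; the two settings called out in comments (failmode and the primary-bind exemption) are the ones whose defaults are the weaker choice.

```ini
; Duo Authentication Proxy config, added example (placeholders throughout).

[ad_client]
; Where primary (password) authentication is actually performed.
host=dc1.corp.example
host_2=dc2.corp.example
service_account_username=svc-duoproxy
service_account_password=<placeholder>
search_dn=DC=corp,DC=example
; Use LDAPS to the domain controller so user passwords do not cross
; the wire in the clear between the proxy and AD.
transport=ldaps
ssl_ca_certs_file=/opt/duoauthproxy/conf/corp-ca.pem

[ldap_server_auto]
; The LDAP listener vCenter talks to. Only an LDAPS port is defined
; (no port=389) so vCenter cannot be pointed at a cleartext listener.
ikey=<integration key>
skey=<secret key>
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
ssl_port=636
ssl_key_path=/opt/duoauthproxy/conf/proxy.key
ssl_cert_path=/opt/duoauthproxy/conf/proxy.pem

; Weak default: failmode=safe lets a login through WITHOUT a second
; factor whenever the Duo cloud is unreachable. 'secure' denies instead,
; which is the choice you want for an admin console like vCenter.
failmode=secure

; vCenter binds with its own service account to search users and groups,
; so that bind must not trigger a push. The default exempt_primary_bind=true
; exempts the first bind on each connection, which can also exempt a user's
; bind if vCenter opens a fresh connection. Turn it off and exempt only the
; service account's DN instead.
exempt_primary_bind=false
exempt_ou_1=CN=svc-vcenter-ldap,OU=Service Accounts,DC=corp,DC=example
```

On the vCenter side, add an identity source of type Active Directory over LDAP with the server URL set to ldaps://<proxy host>:636, the user and group base DNs from your domain, the vCenter service account above as the bind user, and the proxy's certificate trusted. A quick check before touching vCenter is an `ldapsearch -H ldaps://<proxy host>:636 -D 'user@corp.example' -W -b 'DC=corp,DC=example' '(sAMAccountName=user)'` from a client: the bind should hang until the Duo push is approved and fail if it is denied, and a bind as the exempted service account should return immediately with no push.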
rossanderson
Enthusiast

Thanks .. that's the other option I'm looking into as well 😉
