VMware Cloud Community
IMHLAR
Contributor

ADFS Authentication Issue with Alternative UPN Domain

My apologies if this has been covered, but I didn't get any results when searching for ADFS or OAuth. I recently upgraded to vCenter 7 and after a lot of troubleshooting, I was able to get the Identity Provider to integrate with my ADFS server. My issue is that the domain for my users' UPN does not match the domain of my user. As an example, my domain is 'abc.local', but my user has the UPN 'user@xyz.com'. When I try to log in I have to provide a bogus username of 'user@abc.local' because the vCenter login page doesn't recognize my 'user@xyz.com' address. After that, I receive the error message: "Unable to login because you do not have permission on any vCenter Server systems connected to this client".

I have verified Single Sign On works correctly with a user of a UPN that matches the domain (e.g. user2@abc.local). I have tried changing my claim to output the UPN and Name ID as SAM-Account-Name@abc.local without success. I have also tried using a completely different field with the attribute 'user@abc.local' without success. I thought maybe some type of transform may be necessary, but my experience with ADFS is limited and my experience with OAuth is non-existent. Has anybody else run across this issue, or is this a known limitation with vCenter?

4 Replies
IMHLAR
Contributor

Has anybody successfully (or unsuccessfully) implemented SSO for vCenter 7 where their domain name and UPN do not match? Since best practice is for internal domain names to end in '.local' and e-mail addresses do not, I can't imagine this is an isolated situation. Any assistance or suggestions would be greatly appreciated.

Nodnarb
Enthusiast

Going on 3 years later and we have the same issue. Our domain is company.org but our e-mail addresses are @company.com. Haven't tried vCenter 8 but it's likely still an issue.

pmichelli
Hot Shot

I had a ticket open almost 1.5 years ago for this same issue. They said it would be fixed in an upcoming release, but it never happened.

LiLo16
Contributor

Got it after some hours of research, now with vCenter 8.0u2!

Step 1:

According to https://kb.vmware.com/s/article/78029, Step 6, you create a UPN Claim Rule in ADFS. This is the part that has to be done in a different way. If you have already created this claim rule, remove it.

Create these two custom claim rules instead:

Rule 1, on rule position 3

Name: User Principal Name query sAMAccountName

Claim:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("ssupn", "sswindowsaccountname"), query = ";UserPrincipalName,sAMAccountName;{0}", param = c.Value);

Rule 2, on rule position 4

Name: User Principal Name replace UPN Domain Name

Claim:
c1:[Type == "ssupn"]
&& c2:[Type == "sswindowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = c2.Value + "@<yourdomain.local>");

Replace <yourdomain.local> with the internal ADDS domain.

These claim rules work fine here, also with Azure MFA, which was the reason why I needed to use usernames with the official domain in the UPN.

I hope my research will save you some time and improve the security of your vCenter deployment.

Have fun,

Lothar


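The two custom claim rules above, as an added example of applying them to the vCenter relying party trust with the ADFS PowerShell module and reading the rule order back afterwards. This is not code from the post or from VMware's KB article; the relying party trust name 'vCenter', the internal domain 'abc.local' and the test account 'user' are placeholders to replace with your own values.

```powershell
#Requires -Modules ADFS
# Added example (not from the forum post): install the post's two custom
# claim rules on the vCenter relying party trust and verify their order.

$RelyingPartyName = 'vCenter'     # placeholder: display name of the vCenter RP trust in ADFS
$InternalDomain   = 'abc.local'   # placeholder: internal AD DS domain suffix

# Rule 1 (post's "User Principal Name query sAMAccountName"): look up the
# user's UPN and sAMAccountName in AD and add them as intermediate claims
# ("add" keeps them in the pipeline without issuing them to vCenter).
$Rule1 = @'
@RuleName = "User Principal Name query sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("ssupn", "sswindowsaccountname"), query = ";UserPrincipalName,sAMAccountName;{0}", param = c.Value);
'@

# Rule 2 (post's "User Principal Name replace UPN Domain Name"): issue the UPN
# claim as sAMAccountName@<internal domain>, the form vCenter matches against AD.
$Rule2 = @"
@RuleName = "User Principal Name replace UPN Domain Name"
c1:[Type == "ssupn"]
 && c2:[Type == "sswindowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = c2.Value + "@$InternalDomain");
"@

$trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $trust) { throw "Relying party trust '$RelyingPartyName' not found" }

# The post says the KB step-6 UPN rule must be removed first; refuse to run
# while any rule on the trust still issues a UPN claim (also guards re-runs).
$existing = $trust.IssuanceTransformRules
if ($existing -match 'identity/claims/upn') {
    throw "The trust already has a rule issuing the UPN claim; remove it before adding the custom rules."
}

# Keep the existing rules (windowsaccountname and group pass-throughs from the KB)
# and append the two custom rules after them. Rule 2 consumes the claims that
# rule 1 adds, so rule 1 must precede rule 2 in the rule set.
$newRules = ($existing, $Rule1, $Rule2) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules $newRules

# Read back and list the rule names in pipeline order to confirm placement.
(Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).IssuanceTransformRules -split "`r`n" |
    Where-Object { $_ -like '@RuleName*' }

# Optional check (needs the ActiveDirectory module): show the difference between
# the UPN stored in AD (mail-style) and the UPN claim vCenter will receive for a
# constructed test account 'user'.
$sam = 'user'   # placeholder test account
$adUser = Get-ADUser -Identity $sam -Properties UserPrincipalName
"AD UPN: $($adUser.UserPrincipalName)  ->  UPN claim vCenter receives: $sam@$InternalDomain"
```

Run this in an elevated PowerShell session on an ADFS server. Because the issued UPN is built from sAMAccountName, the account vCenter resolves is whichever AD account owns that sAMAccountName in the internal domain, so the read-back step and the Get-ADUser check are worth keeping in a change record when the rule set is modified.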