4.3.1 – Configure Identity Federation

vSphere Identity Federation uses OAuth 2.0 and OpenID Connect (OIDC) to connect to an external identity provider such as Microsoft ADFS.

The configuration of vCenter Identity federation has three principal phases:

  1. Creating an application group on the Microsoft ADFS server and configuring it for vCenter Server
  2. Creating an identity provider via the vCenter SSO Administration configuration page
  3. Configuring group membership in vCenter to provide authorization for users within the ADFS domain

After all this is done, users will be able to log in to vCenter and be redirected for authentication via ADFS and the corporate portal.

To configure vCenter identity federation, you must go to the Single Sign-On configuration page and add a new identity source in the Identity Sources pane.

In order to make the configuration work, you’ll need to configure the ADFS server before you start the wizard in your vCenter.

You’ll need to create an OpenID Connect configuration in the form of an application group. This group consists of a server application and a Web API, which together specify the connection details for vCenter Server. vCenter Server uses those details to establish trust with the ADFS server and communicate with it.

After you create the application group on the ADFS server, you can return to vCenter Server and launch the wizard. Further configuration is also needed: users and groups, as well as permissions, within the vCenter SSO Administration section.
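The ADFS side of phase 1 can be scripted instead of clicked through. The following is an added example, not code from the original post or from VMware; it assumes an elevated PowerShell session on the ADFS server with the ADFS module available, and every name, FQDN and redirect URI in it is a placeholder (take the exact redirect URIs from the vCenter identity-provider wizard). Cmdlet names and parameters are the ADFS module's as I know them; confirm with Get-Help before running.

```powershell
# Added example: create the ADFS application group that vCenter Server trusts.
# Placeholders (assumed): vCenter FQDN, ADFS FQDN, group name and redirect URIs.
$vcenterFqdn  = "vcenter.example.local"
$adfsFqdn     = "adfs.example.local"
$groupName    = "vCenter-Federation"
$redirectUris = @(
    "https://$vcenterFqdn/ui/login/oauth2/authcode",  # assumed; copy from the vCenter wizard
    "https://$vcenterFqdn/ui/login"                    # assumed; copy from the vCenter wizard
)

Import-Module ADFS

# 1. The application group that holds both the server application and the Web API.
Add-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName

# 2. Server application: vCenter acts as a confidential OAuth 2.0 client.
#    -GenerateClientSecret returns the secret exactly once; it is entered in the
#    vCenter wizard, so capture the returned object rather than discarding it.
$serverApp = Add-AdfsServerApplication -Name "$groupName - Server application" `
    -ApplicationGroupIdentifier $groupName `
    -RedirectUri $redirectUris `
    -GenerateClientSecret

# 3. Web API: the resource the tokens are issued for. Reusing the client
#    identifier as the Web API identifier keeps the token audience equal to
#    the client ID that vCenter presents.
#    "Permit everyone" is the ADFS default policy; authorization is then
#    enforced by vCenter group membership (phase 3). Pick a tighter ADFS
#    policy if only a specific AD group should reach vCenter at all.
Add-AdfsWebApiApplication -Name "$groupName - Web API" `
    -ApplicationGroupIdentifier $groupName `
    -Identifier $serverApp.Identifier `
    -AccessControlPolicyName "Permit everyone"

# 4. Allow the client to request the Web API with the OIDC scopes vCenter needs.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $serverApp.Identifier `
    -ServerRoleIdentifier $serverApp.Identifier `
    -ScopeNames @("openid", "allatclaims")

# 5. Emit the values the vCenter identity-provider wizard asks for.
[pscustomobject]@{
    ClientIdentifier = $serverApp.Identifier
    ClientSecret     = $serverApp.ClientSecret
    OidcDiscovery    = "https://$adfsFqdn/adfs/.well-known/openid-configuration"
}
```

Treat the emitted client secret like any other credential: store it in a secrets vault, not in the script's transcript or a ticket.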