Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Integrate vCenter Server Identity Provider Federation with OCI IAM for Oracle Cloud VMware Solution
Introduction
In today’s rapidly advancing IT landscape, seamless integration between systems is essential for enhancing security and simplifying management. With VMware vCenter Server Appliance (VCSA) 8.0 U2, administrators can now take advantage of Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) for identity federation. This capability is made possible because Oracle Cloud VMware Solution customers have complete control over their environments, allowing them to implement changes without restrictions. By enabling this integration, you can streamline authentication processes and establish a unified access control mechanism that ensures your VMware environment remains secure, compliant, and aligned with modern identity management practices.
This tutorial aims to highlight the benefits of adopting external identity providers for organizations using VCSA 8.0 U2. By integrating with an external identity provider like OCI IAM, organizations can leverage their existing identity infrastructure, streamline Single Sign-On (SSO) processes, and enhance security through multi-factor authentication. Additionally, this integration supports the separation of duties between infrastructure and identity management, aligning with best practices for security and administrative efficiency.
Architecture
The architecture for external identity provider federation remains consistent across vCenter, powered by VMware Identity Services. In this tutorial, we will focus on leveraging OCI IAM identity domains.
There are two phases in this integration:
- User Authentication: OAuth. When a user attempts to log in to VCSA, the authentication request is redirected through an OAuth token request, initiated by VMware Identity Services, to OCI IAM. Upon successful authentication and validation by OCI IAM, a token is returned to VMware Identity Services, which then grants the user access based on their assigned permissions.
- User/Group Push: System for Cross-Domain Identity Management (SCIM). OCI IAM manages users and groups within the Oracle Cloud Infrastructure environment, while vCenter manages the virtual infrastructure in the VMware environment. To ensure that the right users have the correct access permissions in vCenter, the SCIM protocol is used to automatically provision, update, or de-provision users from OCI IAM to vCenter. When a user or group is created, modified, or deleted in OCI IAM, SCIM synchronizes these changes to vCenter, so the user identities in both systems remain up to date without manual intervention.
Note: When a group is assigned in the OCI IAM SCIM application, its members are provisioned in VCSA, but the group itself is not created.
Audience
OCI IAM professionals, Oracle Integration administrators, Oracle Cloud VMware Solution administrators and VMware administrators.
Prerequisites
- OCI IAM Requirements:
  - Access to an OCI tenancy.
  - The User Name value of each user in OCI IAM must be in sAMAccountName format (not in email or UPN format). When the SCIM provisioning process in OCI IAM creates user accounts in vCenter, the user's sAMAccountName (for example, jdoe) is used as the primary identifier. During authentication, VCSA appends the domain name to the sAMAccountName to form the fully qualified user identifier. For example, if jdoe is the user name and the domain is corp.example.com, the resulting identity used in VCSA is jdoe@corp.example.com.
  - You must have permissions to create integrated applications in OCI IAM. For more information, see Understanding Administrator Roles.
  - Configure client access must be enabled under Access Signing Certificate in the Domain settings of OCI IAM.
  - A VCN with a public subnet.
  - Appropriate OCI IAM policies for creating a Certificate Authority (CA) bundle and an OCI API Gateway.
- OCI IAM and vCenter Connectivity Requirements:
  - vCenter Server must be able to reach the OCI IAM OAuth endpoints. By default, during Oracle Cloud VMware Solution deployment, the vSphere VLAN (where vCenter is deployed) is already connected to a NAT gateway.
  - OCI IAM must be able to reach the vCenter SCIM APIs. This connectivity is established using the OCI API Gateway service, which acts as a proxy between OCI IAM and the vCenter SCIM APIs.
  - The API gateway needs appropriate routes to reach VCSA. In this tutorial, the API gateway subnet and the vSphere VCSA VLAN are in the same CIDR.
  Note: If the vSphere VLAN route table does not contain a NAT gateway route, create a new NAT gateway in the VCN and add a corresponding route rule to enable internet access.
Task 1: Register a Confidential Application in OCI IAM Domain
We will register a confidential application in the respective OCI IAM domain. Using this confidential application, we will use the OAuth 2.0 authorization code flow to obtain access tokens.
1. Log in to the OCI Console, go to Identity & Security and click Domains.
2. Select your domain.
3. Click Integrated Applications, select Confidential application (the type used for OAuth) and click Launch Workflow.
4. Enter the Name for your application and click Next.
5. In the Client configuration section, select Client credentials.
   Note: Save the application without enabling Authorization Code or entering a Redirect URL. Update the application again after copying the Redirect URI in Task 2.
6. Complete the application workflow and activate it. Copy the Client ID and Client Secret.
7. Copy the Domain URL from the Domain Information page.
Task 2: Configure Identity Provider (IdP) in vCenter Server and Download VCenter Certificate
We will integrate vCenter Server with OCI IAM to enable SSO for users. In this task, we configure an IdP in VCSA. Once the IdP is configured, we download the vCenter trusted root CA certificate; it is used in Task 4 to establish trust between the OCI API Gateway and vCenter.
1. Log in as an administrator to vCenter Server and navigate to Home, Administration, Single Sign On, Configuration, Identity Provider, Identity Sources. From the drop-down menu, select Okta to Change Provider.
   Note: We will be using the Okta IdP template, but it will be modified with OCI IAM details.
2. Confirm the prerequisites are met and select Next.
3. Enter a Directory Name and Domain Name(s) and click Next.
4. Select a Token Lifespan value from the drop-down menu and click Next.
5. In the OpenID Connect section, copy the Redirect URI, then enter an Identity Provider Name and the Client Identifier and Secret copied in Task 1. For the OpenID Address, use the Domain URL copied in Task 1 and append /.well-known/openid-configuration to it. Click Next once the details are saved.
   Note: Note down the Redirect URI and update the confidential application in OCI IAM as mentioned in Task 1, Step 5.
6. Click Finish after reviewing the Identity Provider details section.
7. Click Download trusted root CA certificate to download the trusted root CA certificate from vCenter.
Task 3: Create SCIM Application in OCI IAM
In this task, we will create a SCIM 2.0 application in OCI IAM that lets us specify which users from OCI IAM are pushed to vCenter Server.
1. Log in to the OCI Console, navigate to Identity & Security, select your domain, navigate to Integrated Applications and select Application Catalog to add a new application.
2. Enter GenericSCIM - Bearer Token in the search bar and select the tile.
3. Enter an application Name and click Next.
4. Select Enable Provisioning.
5. Because the vCenter URL is not public, OCI IAM cannot reach the vCenter SCIM APIs directly. To expose the vCenter SCIM API, we will configure a public OCI API Gateway and add vCenter SCIM API routes. Leave the Configure connectivity details section blank for now and complete the Attribute mapping section.
   Note:
   - By default, user.id is mapped to externalId. Replace user.id with $(user.userName).
   - The Provisioning section is updated in Task 6.
   As mentioned in the prerequisites, the User Name value in OCI IAM must be in sAMAccountName format (not in email or UPN format), because when the SCIM provisioning process in OCI IAM creates user accounts in vCenter, the user's sAMAccountName (for example, jdoe) is used as the primary identifier. Refer to the following sample attribute mapping.
6. In the Select provisioning operation section, select Create an account, Delete the account, Push user updates and Push user activation/deactivation status, enable Enable Synchronization and use the default configuration.
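The sAMAccountName prerequisite and the attribute mapping above together decide what vCenter receives for each provisioned user. The following Python script is an added example, not part of this tutorial and not OCI IAM or vCenter code: it rejects user names in email or UPN form, derives the identity VCSA forms at login, and builds a SCIM 2.0 User body whose externalId is taken from userName rather than from user.id. The OCI user record and the attribute subset are constructed sample data; jdoe and corp.example.com are the tutorial's own sample values.

```python
"""Added example (not from the Oracle tutorial): mirror the Task 3 attribute
mapping and the sAMAccountName prerequisite for one OCI IAM user.

Assumptions: the SCIM User attributes below are a plausible subset of what the
GenericSCIM - Bearer Token template sends; SAMPLE_OCI_USER is constructed data.
"""
import re

# Bare logon name: 1 to 20 characters, none of the characters Active Directory
# forbids in sAMAccountName, no '@' (email/UPN form) and no '\' (DOMAIN\user form).
_SAM_ACCOUNT_NAME = re.compile(r'^[^"/\\\[\]:;|=,+*?<>@\s]{1,20}$')

# Constructed sample OCI IAM user record (not a real tenancy object).
SAMPLE_OCI_USER = {
    "id": "EXAMPLE-OCI-USER-ID",   # placeholder for the OCI-generated user.id
    "userName": "jdoe",            # sAMAccountName form, as the prerequisite requires
    "name": {"givenName": "John", "familyName": "Doe"},
    "emails": [{"value": "jdoe@corp.example.com", "primary": True}],
    "active": True,
}


def is_sam_account_name(user_name: str) -> bool:
    """True when user_name is a bare logon name such as 'jdoe'."""
    return bool(_SAM_ACCOUNT_NAME.match(user_name))


def vcsa_identity(user_name: str, domain: str) -> str:
    """Identity VCSA forms at login: the directory domain appended to the bare name."""
    if not is_sam_account_name(user_name):
        raise ValueError(f"{user_name!r} is not in sAMAccountName format")
    return f"{user_name}@{domain}"


def scim_user_payload(oci_user: dict) -> dict:
    """SCIM 2.0 User body for one OCI IAM user, following the Task 3 mapping.

    externalId comes from $(user.userName), not from the default user.id, so the
    value vCenter stores as the primary identifier is the bare logon name.
    """
    user_name = oci_user["userName"]
    if not is_sam_account_name(user_name):
        # Reject email/UPN-form names before they are pushed, per the prerequisite.
        raise ValueError(f"{user_name!r} is not in sAMAccountName format")
    primary_email = next(e["value"] for e in oci_user["emails"] if e.get("primary"))
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": user_name,
        "userName": user_name,
        "name": dict(oci_user["name"]),
        "emails": [{"value": primary_email, "primary": True}],
        "active": bool(oci_user.get("active", True)),
    }


if __name__ == "__main__":
    import json
    print(vcsa_identity(SAMPLE_OCI_USER["userName"], "corp.example.com"))
    print(json.dumps(scim_user_payload(SAMPLE_OCI_USER), indent=2))
```

Running the script prints jdoe@corp.example.com and the SCIM body with externalId "jdoe"; swapping the sample user name for jdoe@corp.example.com or CORP\jdoe raises before anything would be sent, which is the check to apply to the OCI IAM user list before assigning users in Task 7.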
Task 4: Create a CA Bundle
To establish trusted connectivity between the OCI API Gateway and vCenter, we need to provide the vCenter trusted root CA certificate to the OCI API Gateway.
1. Log in to the OCI Console, navigate to Identity & Security, Certificates and click CA Bundles.
2. In the Create CA Bundle page, select an appropriate compartment, provide a valid Name for your bundle and paste the content of the certificate downloaded in Task 2.
Task 5: Configure OCI API Gateway
To securely enable OCI IAM to reach the vCenter SCIM APIs, which are not exposed to the internet, an OCI API Gateway acts as a proxy between OCI IAM and the vCenter SCIM APIs.
1. Log in to the OCI Console, navigate to Developer Services, API Management and click Gateways.
2. In the Create gateway page, enter an appropriate Name, select the desired Virtual cloud network and a public Subnet. Use the default certificate and click Finish. Wait for the gateway to be fully deployed.
3. Click Add certificate authorities to add the CA bundle created in Task 4.
4. Click Deployments and then Create Deployment.
5. In the Basic Information section, enter the following information.
   - Name: Enter a valid name.
   - Path prefix: Enter /.
   - Execution log level: Select Information.
6. Select No Authentication.
7. In the Routes section, add the vCenter SCIM API endpoints as separate routes (Route 1 to Route 5) and click Next.
   - Route 1: Path /usergroup/t/CUSTOMER/scim/v2, URL https://<VCSA URL>
   - Route 2: Path /usergroup/t/CUSTOMER/scim/v2/Users, URL https://<VCSA URL>/usergroup/t/CUSTOMER/scim/v2/Users
   - Route 3: Path /usergroup/t/CUSTOMER/scim/v2/Groups, URL https://<VCSA URL>/usergroup/t/CUSTOMER/scim/v2/Groups
   - Route 4: Path /usergroup/t/CUSTOMER/scim/v2/Groups/{object*}, URL https://<VCSA URL>/usergroup/t/CUSTOMER/scim/v2/Groups/${request.path[object]}
   - Route 5: Path /usergroup/t/CUSTOMER/scim/v2/Users/{object*}, URL https://<VCSA URL>/usergroup/t/CUSTOMER/scim/v2/Users/${request.path[object]}
8. Wait for the deployment to complete and copy the Endpoint URL.
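The five routes above are the only thing standing between the public gateway endpoint and vCenter, since the deployment uses No Authentication and relies on the SCIM bearer token configured in Task 6. The following Python script is an added example, not part of this tutorial and not OCI API Gateway code: it re-implements the route table as a lookup so the path templates can be checked offline before the deployment is created. It assumes that {object*} is a wildcard path parameter matching the rest of the path including any slashes, that ${request.path[object]} in the backend URL is replaced by what that parameter captured, and that a request matching no route is not forwarded; vcsa.corp.example.com is a constructed placeholder for <VCSA URL>.

```python
"""Added example (not from the Oracle tutorial, not OCI API Gateway code): a
table-driven re-implementation of how the five Task 5 routes map an inbound
gateway path to a vCenter backend URL, so the templates can be checked offline.

Assumptions: '{object*}' matches the rest of the path including '/', the
'${request.path[object]}' reference in the backend URL is replaced by the
captured value, and a request matching no route yields None (not forwarded).
"""
import re
from typing import Optional

VCSA_URL = "vcsa.corp.example.com"   # constructed placeholder for <VCSA URL>
BASE = "/usergroup/t/CUSTOMER/scim/v2"

# (route path template, backend URL) as entered in Task 5, Route 1 to Route 5.
ROUTES = [
    (BASE, f"https://{VCSA_URL}"),
    (f"{BASE}/Users", f"https://{VCSA_URL}{BASE}/Users"),
    (f"{BASE}/Groups", f"https://{VCSA_URL}{BASE}/Groups"),
    (f"{BASE}/Groups/{{object*}}", f"https://{VCSA_URL}{BASE}/Groups/${{request.path[object]}}"),
    (f"{BASE}/Users/{{object*}}", f"https://{VCSA_URL}{BASE}/Users/${{request.path[object]}}"),
]

_PARAM = re.compile(r"\{(\w+)(\*?)\}")          # {name} or {name*}
_BACKEND_REF = re.compile(r"\$\{request\.path\[(\w+)\]\}")


def compile_template(template: str) -> re.Pattern:
    """Turn a route path template into an anchored regex with a named group per parameter."""
    pattern, pos = "", 0
    for m in _PARAM.finditer(template):
        pattern += re.escape(template[pos:m.start()])
        name, wildcard = m.group(1), m.group(2)
        # '{name*}' swallows the remaining path; a plain '{name}' stops at the next '/'.
        pattern += f"(?P<{name}>.+)" if wildcard else f"(?P<{name}>[^/]+)"
        pos = m.end()
    pattern += re.escape(template[pos:])
    return re.compile(f"^{pattern}$")


_COMPILED = [(compile_template(template), backend) for template, backend in ROUTES]


def resolve_backend(request_path: str) -> Optional[str]:
    """Return the backend URL the gateway would call, or None when no route matches.

    In this table at most one route can match a given path (the literal routes
    match exactly, the wildcard routes require at least one character after the
    trailing '/'), so the first match is the only match.
    """
    for pattern, backend in _COMPILED:
        m = pattern.match(request_path)
        if m:
            params = m.groupdict()
            return _BACKEND_REF.sub(lambda ref: params[ref.group(1)], backend)
    return None


if __name__ == "__main__":
    samples = (BASE, f"{BASE}/Users", f"{BASE}/Users/1234",
               f"{BASE}/Groups/grp/members", "/ui", "/usergroup/t/OTHER/scim/v2/Users")
    for path in samples:
        print(f"{path:55} -> {resolve_backend(path)}")
```

The last two sample paths resolve to None: a path outside the SCIM base, or under a different tenant segment than CUSTOMER, has no backend in this table and so is never forwarded. If a later change widens a route (for example a prefix template at the base), re-running this check shows exactly which additional vCenter paths the public endpoint would start proxying.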
Task 6: Update the SCIM Application in OCI IAM
1. Log in to the OCI Console, navigate to Identity & Security, select your domain, navigate to Integrated Applications, select your generic SCIM bearer token application and paste the OCI API Gateway deployment endpoint URL.
   Note: Make sure only the Host Name is used.
2. Enter the Base URI.
3. Add the vCenter access token. To obtain it, log in to vCenter Server, select the vCenter configuration, then generate and copy the token.
4. Paste the access token in the SCIM application and click Test connectivity.
Task 7: Sync users from OCI IAM to vCenter
To specify which users from OCI IAM are pushed to vCenter Server, we assign those users to the SCIM application.
1. Log in to the OCI Console, navigate to Identity & Security, select your domain, navigate to Integrated Applications, select your SCIM application, click Users and then Assign Users.
2. Validate the pushed users in vCenter and assign appropriate permissions. Log in to vCenter Server, select the vCenter configuration, click Users and Groups under Single Sign On, select the domain you added and validate the users.
Task 8: Testing
1. Enter the vSphere URL in an incognito browser window and click LAUNCH VSPHERE CLIENT.
2. In the vSphere login page, click SIGN IN WITH OCI-IAM.
3. The request is redirected to the OCI IAM login page. Enter the Username and Password.
   After successful authentication, you are redirected to the vSphere homepage.
Next Steps
In this tutorial, we demonstrated how to integrate OCI IAM with vSphere for federated authentication, allowing users to log in through a centralized identity provider, and SCIM provisioning, ensuring that user accounts are efficiently synchronized between the two systems. This integration simplifies identity management, enhances security, and improves operational efficiency for administrators.
Acknowledgments
- Authors - Gautam Mishra (Principal Cloud Architect), Nikhil Verma (Principal Cloud Architect)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Integrate vCenter Server Identity Provider Federation with OCI IAM for Oracle Cloud VMware Solution
G14941-02
September 2024