VCF 9 – Identity Broker and VCF SSO

From a configuration-iteration perspective, you have stood up your VCF 9 instance(s) and replaced the certificates, so the next iteration is enabling single sign-on (SSO).

The purpose of SSO is to be able to navigate between the VCF Management and VCF Instance appliances without having to log in to each appliance every time.

SSO requires an identity broker, and the configuration can follow one of these patterns:

  • Per VCF Instance -> an embedded identity broker (the vCenter).
  • Per VCF Instance -> an external identity broker (a dedicated 3-node, Kubernetes-based appliance that replaces the old identity manager).
  • For VCF Management -> the broker of the first VCF Instance: if that instance uses the embedded broker you get to select the embedded one, and if it uses the external broker you get to select that one instead.

Prerequisites:

  • Depot configuration:
    • The depot settings for VCF Management are separate from those of the VCF Instances, so you will need to configure the depot there as well.
    • Since the first blog started with the offline depot configuration, I am going to continue with the same depot; however, we have not yet downloaded the additional VCF Management appliances for installation. To do that, ssh to the offline depot VM and run the following:
      • List -> ./vcf-download-tool binaries list --vcf-version=9.0.0 --sku=VCF --type=INSTALL --depot-download-token-file=/vcf/downloadtoken.txt
      • Download -> ./vcf-download-tool binaries download --vcf-version=9.0.0 --sku=VCF --type=INSTALL --depot-download-token-file=/vcf/downloadtoken.txt --depot-store=/vcf
    • Once the download is complete, configure the VCF Management offline depot:
      • VCF Ops -> Fleet Management -> Lifecycle -> VCF Management -> Depot Configuration -> edit the offline depot and enter the same details used for the VCF Instances.
      • Synchronize the downloads -> VCF Ops -> Fleet Management -> Lifecycle -> VCF Management -> Binary Management -> INSTALL BINARIES -> select the component you want to download and hit DOWNLOAD.
  • External Identity Broker Deployment:
    • For the identity broker deployment you will need:
      • 1 VIP for the embedded load balancer, plus its FQDN.
      • 4 IPs for the identity broker nodes (3 active + 1 that is used during upgrades).
      • A certificate.
      • A password.
    • To start the deployment -> VCF Ops -> Fleet Management -> Lifecycle -> VCF Management -> Overview -> identity broker (block) -> click ADD.
    • Deployment -> this is a new installation; the deployment type is Small (there is no other option).
    • Certificate -> import the certificate you prepared earlier, or create a new self-signed one. A self-signed certificate is fine for a lab, but nothing will trust it out of the box; for production use one issued by your CA, since this broker becomes the login endpoint for every component.
    • Infrastructure -> select the placement for the appliances.
    • Network -> enter the domain, network, DNS and NTP details.
    • Component -> start with the node prefix (make it something meaningful). The individual nodes do not need DNS names, because the identity broker services run on top of a Kubernetes cluster; what you do need is an FQDN for the VIP (the internal load balancer in front of the identity broker services) and 4 IPs, 3 for the active nodes and 1 kept as a spare for when upgrades are needed.
    • Precheck -> runs a series of validations to ensure the deployment will succeed.
    • Summary -> a final look at the configuration; after confirmation, submit and the deployment process starts.
    • Progress can be monitored from the Tasks view.

Enabling VCF SSO:

  • VCF Ops -> Fleet Management -> Identity & Access -> VCF Instances -> select the VCF Instance you want to enable SSO for.
  • Before you start, the wizard lists some caveats that you need to read through; then continue.
  • Choosing the deployment mode -> either embedded or the appliance; we will be selecting the appliance.
  • Identity Provider ->
    • Types: there are two types, Modern Identity Provider or Directory-Based Identity Provider. We will be choosing AD/LDAP (Directory-Based).
    • Configuration -> enter the Active Directory Domain Services details. The configuration is mostly standard and self-explanatory, with one important exception: add the Domain Controllers by FQDN, not by IP address; otherwise VCF SSO logins will fail. Make sure those names resolve from the DNS servers you gave the identity broker before you proceed.
    • Review the configuration and finish.
    • Users and Groups Provisioning -> provide the details and mappings for the users or security groups to be synchronized. Ideally you work with groups rather than individual users. For the attribute mappings only the first one is mandatory; the rest are optional and can be left blank if you do not want to rely on them.
    • Finish the configuration.
  • Components Configuration ->
    • Select the VCF Instance components you want to enable VCF SSO on; you will be presented with both the vCenter and the NSX Manager.
    • Remember that enabling VCF SSO only takes care of authentication: users/groups still need to be added to each component locally and separately to grant the necessary access and permissions.
    • Once the components are configured, finish the flow.
    • Now you can go to the vCenter's SSO configuration, for example, add the AD DS user/group and make it a member of the SSO Administrators group; the same applies to NSX, where you log in to the NSX Manager and assign the AD DS user/group the Enterprise Admin role. Both of those are full-administrator roles: in production, map groups to the least-privileged role that covers what they need, and keep a local administrator account available so you are not locked out if the broker or the directory is unavailable.
  • VCF Management:
    • Now that we have an identity broker set up, in addition to a VCF Instance with SSO enabled, you can go to VCF Management (Operations and Automation) and enable SSO there -> VCF Ops -> Fleet Management -> Identity & Access -> VCF Management -> operations appliance / automation appliance, and select the identity broker of the instance we enabled and configured previously.
    • As with the VCF Instance components, once VCF SSO is enabled you will need to log in locally to each VCF Management component and add the user/group with their respective roles and permissions.

The end result is that when you log in to VCF Ops and then navigate to the other components, you select VCF SSO at the login window and are signed in automatically.
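The caveat in the Identity Provider step about adding Domain Controllers by name rather than by IP is easy to miss in the wizard, so it is worth checking the entries before you submit them. The script below is an added example written for this post, not VMware's code and not part of the wizard: it classifies each domain-controller entry, flags IP literals, checks that each FQDN resolves, and, against a live DC, performs an LDAPS handshake with certificate and hostname verification. The post only states the symptom (logins fail); that the hostname has to match the DC's LDAPS certificate is my assumption about the most likely cause, and the hostnames and addresses in the sample input are constructed.

```python
"""Precheck for the VCF SSO AD/LDAP identity-provider step.

Added example for this post, not a VMware tool: it flags domain controllers
entered by IP address (the post notes that VCF SSO logins then fail), checks
that each FQDN resolves, and optionally performs an LDAPS handshake with
hostname verification (assumed here to be why names, not addresses, matter).
Hostnames and addresses below are constructed.
"""
import ipaddress
import re
import socket
import ssl

LDAPS_PORT = 636
# RFC 1123 host-name labels, at least one dot, alphabetic top-level label.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Constructed sample input: one correct entry and one that the wizard would
# accept but that breaks VCF SSO logins.
SAMPLE_ENTRIES = ["dc01.corp.example.com", "10.10.0.5"]


def classify_dc(entry: str) -> str:
    """Return 'ip', 'fqdn' or 'invalid' for one domain-controller entry."""
    entry = entry.strip().rstrip(".")
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    return "fqdn" if FQDN_RE.match(entry) else "invalid"


def check_ldaps(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> list:
    """Return [] if an LDAPS handshake to host succeeds with full certificate
    chain and hostname verification, otherwise a one-item list saying why not."""
    ctx = ssl.create_default_context()  # system CA store, check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return []
    except ssl.SSLCertVerificationError as exc:
        return [f"LDAPS certificate rejected: {exc.verify_message}"]
    except OSError as exc:
        return [f"LDAPS connection to {host}:{port} failed: {exc}"]


def precheck_dcs(entries, resolver=socket.gethostbyname, ldaps=True) -> dict:
    """Map each entry to a list of findings; an empty list means it passed.

    `resolver` is injectable so the classification logic can be exercised
    without DNS; `ldaps=False` skips the live handshake."""
    findings = {}
    for entry in entries:
        problems = []
        kind = classify_dc(entry)
        if kind == "ip":
            problems.append(
                "entered as an IP address; use the DC FQDN or VCF SSO logins will fail"
            )
        elif kind == "invalid":
            problems.append("not a valid FQDN")
        else:
            try:
                resolver(entry)
            except OSError as exc:
                problems.append(f"does not resolve in DNS: {exc}")
            else:
                if ldaps:
                    problems.extend(check_ldaps(entry))
        findings[entry] = problems
    return findings


if __name__ == "__main__":
    import sys

    # Usage: python precheck_dcs.py dc01.corp.example.com dc02.corp.example.com
    results = precheck_dcs(sys.argv[1:] or SAMPLE_ENTRIES)
    for entry, problems in results.items():
        print(f"{entry}: {'OK' if not problems else '; '.join(problems)}")
    sys.exit(1 if any(results.values()) else 0)
```

Run it from a host that uses the same DNS servers you gave the identity broker in the Network step, with the exact strings you intend to type into the wizard; a non-zero exit means at least one entry would cause trouble. The LDAPS check trusts the system CA store, so if your DCs use an internal CA, install that CA's certificate on the host running the script first, otherwise every DC will be reported as rejected.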

Abdullah