VMware vSphere 8.0 Update 3 adds federation support for four Identity Providers


On June 25th, 2024, Broadcom made vSphere 8.0 Update 3 generally available.

In the details of the Release Notes for vSphere 8.0 Update 3 and ESXi 8.0 Update 3, Broadcom announces PingFederate Support in vSphere Identity Federation. This is a huge update for Identity and Access admins using VMware's virtualization platform as it broadens their options to provide single sign-on (SSO) and multi-factor authentication (MFA) for accessing vCenter Server.


About vSphere Identity Federation

vSphere Identity Federation provides support for federated authentication when signing in to vCenter Server. With vSphere Identity Federation configured, sign-ins are redirected to an identity provider (IdP) using the OpenID Connect protocol. From a vSphere perspective, this identity provider is designated as an external provider.

In the world of federation and modern authentication, access is granted based on claims that are exchanged between the Identity Provider (IdP) and the relying party. The claims token, the claim types and values it carries, and the rules that govern which claims are issued are all defined by the administrator of the IdP. vCenter Server acts as the relying party: it accepts those claims because of the trust established between vSphere and the IdP, which is anchored in certificates.
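To make the relying-party side of that trust concrete, here is an added example (not code from the original post, nor from VMware or any IdP vendor) of what "accepting claims because of the trust with the IdP" means in OpenID Connect terms: the IdP signs an ID token carrying the claims, and the relying party refuses to read a single claim until it has verified the signature against trusted key material and checked issuer, audience, expiry and nonce. It uses HS256 (a shared secret) so that it runs on the Python standard library alone; a real relying party such as vCenter Server validates RS256/ES256 signatures against the IdP's published signing certificates or JWKS instead. The issuer URL, client ID, subject, group names and secret are all made up for this example.

```python
"""Minimal OpenID Connect relying-party token check (constructed example).

HS256 is used only so this runs on the standard library; a production
relying party verifies asymmetric signatures against the IdP's published keys.
Issuer, audience, subject, groups and secret below are invented.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(secret: bytes, issuer: str, audience: str, subject: str,
                   groups: list, nonce: str, now: int, lifetime: int = 300) -> str:
    """IdP side: build a compact JWS (HS256) over the claim set.

    Which claims are issued (here: 'groups') is decided by the IdP admin.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer, "sub": subject, "aud": audience,
        "iat": now, "exp": now + lifetime, "nonce": nonce,
        "groups": groups,
    }
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenRejected(Exception):
    """Raised by the relying party for any token it will not trust."""


def verify_id_token(token: str, secret: bytes, issuer: str, audience: str,
                    nonce: str, now: int) -> dict:
    """Relying-party side: verify everything before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token must never choose it ('none', alg confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("token not meant for this relying party")
    if now >= claims.get("exp", 0):
        raise TokenRejected("token expired")
    if claims.get("nonce") != nonce:
        raise TokenRejected("nonce mismatch (possible replay)")
    return claims


def is_rejected(token: str, secret: bytes, issuer: str, audience: str,
                nonce: str, now: int) -> bool:
    """Convenience wrapper: True if the relying party refuses the token."""
    try:
        verify_id_token(token, secret, issuer, audience, nonce, now)
    except TokenRejected:
        return True
    return False


def tamper_groups(token: str, new_groups: list) -> str:
    """Rewrite the 'groups' claim without re-signing (what an attacker can do)."""
    h_b64, c_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(c_b64))
    claims["groups"] = new_groups
    return h_b64 + "." + _b64url(json.dumps(claims).encode()) + "." + s_b64


if __name__ == "__main__":
    secret, issuer, client, nonce = b"constructed-shared-secret", "https://idp.example.test", "vcenter-client", "n-1"
    now = int(time.time())
    tok = issue_id_token(secret, issuer, client, "alice", ["vSphere-Admins"], nonce, now)
    print("accepted:", verify_id_token(tok, secret, issuer, client, nonce, now + 10)["groups"])
    print("tampered rejected:", is_rejected(tamper_groups(tok, ["Administrators"]), secret, issuer, client, nonce, now + 10))
    print("expired rejected:", is_rejected(tok, secret, issuer, client, nonce, now + 301))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is parsed for a decision, so a tampered `groups` claim, a token issued for a different client, an expired token, or a replayed token with a stale nonce are all refused without the relying party ever acting on their contents.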

With subsequent releases of vSphere 7 and 8, VMware has been adding more ways to bring modern authentication to vSphere.


Why use vSphere Identity Federation?

vSphere Identity Federation provides:

  • Single sign-on (SSO) with existing federated infrastructure and applications.
  • Multi-factor authentication (MFA) and other authentication assurance mechanisms offered by the IdP.
  • Strict separation of datacenter security from identity, because vCenter Server never handles the user's credentials.

However, there are a couple of caveats that you should be aware of.


Supported Federation providers

The following federation providers are now supported with vSphere Identity Federation:

  • Microsoft Active Directory Federation Services (AD FS)
    (since vSphere 7.0)
  • Okta
    (since vSphere 8.0 Update 1)
  • Microsoft Entra ID
    (since vSphere 8.0 Update 2)
  • PingFederate
    (since vSphere 8.0 Update 3)


Concluding

Building a straightforward and secure vSphere delegation model has been on the minds of many vSphere admins over the years. vSphere Identity Federation is a logical building block toward that goal.

Further reading

vSphere 7’s vCenter Server Identity Provider Federation feature allows for MFA
Ten Things You should know about vCenter Identity Provider Federation
Building a straight-forward vSphere delegation model for running virtual Domain Controllers safely
