Setting host header values in Load Balancer configuration for SCIM Push.
Article ID: 311945


Products

VMware vCenter Server

Issue/Introduction

With any external identity provider configured through VMware Identity Services, user and group data is pushed to vCenter from the external identity provider (SCIM push). When the external identity provider runs in the public cloud, this is a problem if vCenter is not reachable from the public cloud.

Environment

VMware vCenter Server 8.0.1

Resolution

Note: This article does not cover the complete load balancer configuration. It covers only the part of the configuration that sets the correct Host header value.

This article documents a way to set up a load balancer in the DMZ that forwards the user/group push traffic to a vCenter running in the private internal network. Because VMware Identity Services validates the Host header on all incoming requests, it is not sufficient to forward the traffic: the load balancer must also set the correct Host header value on the forwarded requests.

When configuring the SCIM app to do the user/group push, provide the load balancer hostname instead of the vCenter hostname in the SCIM Push URL. The SCIM Push URL can be retrieved from the vCenter View Identity Provider Configuration page.


Instead of the vCenter hostname, use the loadbalancer hostname in the URL 

https://loadbalancer-xyz/usergroup/t/CUSTOMER/scim/v2

Configure the load balancer to forward the SCIM push data to vCenter while setting the correct Host header value. The Host header must be the hostname of the vCenter (not the load balancer name that the identity provider sends), otherwise VMware Identity Services rejects the forwarded requests.

This is an example using HAProxy, where:
vc01.domain.com is the vCenter
haproxylb01.domain.com is the load balancer

For load balancers from other vendors, the configuration will vary, but the same two things are needed: route only the SCIM path to vCenter, and rewrite the Host header to the vCenter hostname.

#---------------------------------------------------------------------
# frontend in the DMZ: terminates TLS and forwards only the SCIM push path
#---------------------------------------------------------------------
frontend vcenter-frontend-443
        bind <LB IP Address>:443 ssl crt /etc/haproxy/vcenter-frontend-443.pem
        mode http
        option http-server-close
        # add X-Forwarded-For with the identity provider's source address
        option forwardfor
        stats uri /haproxy?stats
        # match only the SCIM push path; nothing else on vCenter is exposed
        acl scim_path path_beg -i /usergroup/t/CUSTOMER/scim/v2
        use_backend vcenter-backend-443 if scim_path
#---------------------------------------------------------------------
# backend: the vCenter in the private internal network
#---------------------------------------------------------------------
backend vcenter-backend-443
        mode http
        # VMware Identity Services validates the Host header, so replace the
        # load balancer name sent by the identity provider with the vCenter name
        http-request set-header Host vc01.domain.com
        # re-encrypt to vCenter; ca-file is the CA that issued the vCenter certificate
        server vc01 <VC IP Address>:443 ssl verify required ca-file /etc/haproxy/vcenter-ca.pem sni str(vc01.domain.com)
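The following is an added example, not part of the original article and not VMware or HAProxy code. It is a small Python simulation of the setup above: a stub that stands in for VMware Identity Services and rejects any request whose Host header is not the vCenter name (the stub's 400 status and the SCIM payload are constructed for the example), and a minimal DMZ proxy that can either merely forward the traffic or rewrite the Host header the way the HAProxy backend does. Running it shows why plain forwarding is not enough. Hostnames and the SCIM path are the ones used in the article; ports are assigned dynamically.

```python
import http.client
import http.server
import threading

VC_HOST = "vc01.domain.com"          # vCenter hostname: the value the Host header must carry
LB_HOST = "haproxylb01.domain.com"   # load balancer hostname used in the SCIM Push URL
SCIM_PATH = "/usergroup/t/CUSTOMER/scim/v2"


class _Handler(http.server.BaseHTTPRequestHandler):
    def _reply(self, status, data):
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


class VCenterStub(_Handler):
    """Stand-in for VMware Identity Services: accepts a SCIM push only if the
    Host header names the vCenter itself (assumed behaviour for this example)."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        host = self.headers.get("Host", "")
        if host != VC_HOST:
            self._reply(400, b"host header mismatch: " + host.encode())
            return
        self._reply(200, b"accepted " + body)


def make_proxy(backend_port, rewrite_host):
    """Minimal DMZ reverse proxy. rewrite_host=True is the equivalent of
    'http-request set-header Host vc01.domain.com'; False only forwards."""

    class Proxy(_Handler):
        def do_POST(self):
            # Only the SCIM push path is forwarded (the HAProxy ACL); anything else is refused.
            if not self.path.startswith(SCIM_PATH):
                self._reply(404, b"not forwarded")
                return
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in ("host", "content-length")}
            headers["Host"] = VC_HOST if rewrite_host else self.headers.get("Host", LB_HOST)
            headers["Content-Length"] = str(len(body))
            headers["X-Forwarded-For"] = self.client_address[0]  # 'option forwardfor'
            conn = http.client.HTTPConnection("127.0.0.1", backend_port, timeout=5)
            conn.request("POST", self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            conn.close()
            self._reply(resp.status, data)

    return Proxy


def _serve(handler):
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_scenario(rewrite_host):
    """Push one constructed SCIM user through proxy -> vCenter stub.
    Returns (status, body) as the identity provider would see it."""
    vc = _serve(VCenterStub)
    lb = _serve(make_proxy(vc.server_address[1], rewrite_host))
    try:
        payload = b'{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"alice"}'
        conn = http.client.HTTPConnection("127.0.0.1", lb.server_address[1], timeout=5)
        # The IdP was given the load balancer name in the SCIM Push URL, so that is the Host it sends.
        conn.request("POST", SCIM_PATH + "/Users", body=payload,
                     headers={"Host": LB_HOST, "Content-Type": "application/scim+json"})
        resp = conn.getresponse()
        result = (resp.status, resp.read())
        conn.close()
        return result
    finally:
        for s in (lb, vc):
            s.shutdown()
            s.server_close()


if __name__ == "__main__":
    print("forward only   :", run_scenario(rewrite_host=False))
    print("Host rewritten :", run_scenario(rewrite_host=True))
```

The first call fails with a Host mismatch because the proxy passes the load balancer name through; the second succeeds because the Host header has been rewritten to the vCenter name, which is exactly the difference the `http-request set-header Host` line makes in the HAProxy backend.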