Setting host header values in Load Balancer configuration for SCIM Push.


Article ID: 311945


Updated On:


VMware vCenter Server


With any external identity provider configured via VMware Identity Services, user and group data is pushed to the vCenter from the external identity provider. When the external identity provider runs in the public cloud, this can be an issue if the vCenter is not accessible from the public cloud.


VMware vCenter Server 8.0.1


Note: This article does not cover the entire load balancer configuration. It covers only the part of the configuration that sets the right Host header value.

This article documents a way to set up a load balancer in the DMZ that forwards the usergroup push traffic to a vCenter running in the private internal network. Because VMware Identity Services performs Host header validation on all incoming requests, forwarding the traffic is not sufficient: the load balancer must also set the right Host header value on the forwarded requests.
When configuring the SCIM app to do the user group push, provide the load balancer hostname instead of the vCenter hostname in the SCIM Push URL. The SCIM Push URL can be retrieved from the vCenter View Identity Provider Configuration page.


Instead of the vCenter hostname, use the load balancer hostname in the URL.


Configure the load balancer to forward SCIM push data to the vCenter while setting the correct Host header value. The Host header should be the hostname of the vCenter.

This is an example using HAProxy. <VC IP Address> is the vCenter and <LB IP Address> is the load balancer.

For load balancers from other vendors, the configuration may vary:

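# frontend on the load balancer: only requests matching the SCIM path ACL are forwarded
# (the Host header itself is set in the backend section, with http-request set-header Host)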
frontend vcenter-frontend-443
        bind <LB IP Address>:443 ssl crt /etc/haproxy/vcenter-frontend-443.pem
        option http-server-close
        option forwardfor header <LB IP Address>
        stats uri /haproxy?stats
        acl scim_path path -i -m sub /usergroup/t/CUSTOMER/scim/v2/
        use_backend vcenter-backend-443 if scim_path
# backend that forwards the SCIM push traffic to the vCenter and sets the Host header it validates
backend vcenter-backend-443
        mode http
        http-request set-header Host <VC IP Address>
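
A lint check for the fragment above, added here as an example and not part of the original article or of any VMware tooling: it parses an HAProxy configuration and confirms that only the SCIM push path is forwarded to the vCenter backend and that the backend rewrites the Host header to the expected vCenter value. The sample addresses, the function names and the parameters are assumptions made for this illustration.

```python
import re

# Constructed sample: the article's fragment with documentation-range addresses
# standing in for <LB IP Address> and <VC IP Address> (assumed values).
SAMPLE_CFG = """\
frontend vcenter-frontend-443
        bind 192.0.2.10:443 ssl crt /etc/haproxy/vcenter-frontend-443.pem
        acl scim_path path -i -m sub /usergroup/t/CUSTOMER/scim/v2/
        use_backend vcenter-backend-443 if scim_path
backend vcenter-backend-443
        mode http
        http-request set-header Host 198.51.100.20
"""

def parse_sections(cfg):
    """Map (kind, name) -> directive lines for each configuration section."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"(frontend|backend|listen|defaults|global)\b\s*(\S*)", line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), [])
        elif current is not None:
            current.append(line)
    return sections

def lint_scim_proxy(cfg, vcenter_host, prefix="/usergroup/t/CUSTOMER/scim/v2/"):
    """Return findings; an empty list means SCIM-only routing with Host rewritten."""
    findings, secs = [], parse_sections(cfg)
    for (kind, name), lines in secs.items():
        if kind != "frontend":
            continue
        acls = {l.split()[1] for l in lines if l.startswith("acl ") and prefix in l}
        if any(l.startswith("default_backend") for l in lines):
            findings.append(f"{name}: default_backend forwards non-SCIM paths")
        for parts in (l.split() for l in lines if l.startswith("use_backend ")):
            if len(parts) != 4 or parts[2] != "if" or parts[3] not in acls:
                findings.append(f"{name}: use_backend {parts[1]} is not gated on the SCIM ACL")
                continue
            hdr = [b.split()[3] for b in secs.get(("backend", parts[1]), [])
                   if b.lower().startswith("http-request set-header host ")]
            if not hdr:
                findings.append(f"{parts[1]}: Host header is not rewritten")
            elif hdr[-1] != vcenter_host:
                findings.append(f"{parts[1]}: Host is {hdr[-1]}, expected {vcenter_host}")
    return findings

print(lint_scim_proxy(SAMPLE_CFG, "198.51.100.20"))
```

An empty list means the frontend exposes only the SCIM path and the backend sends the Host value the vCenter expects; run it against the deployed file before opening the DMZ listener.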