How to enable OpenID Connect in ADFS 2016 for vCenter Server

Article ID: 336079

Products

VMware vCenter Server

Issue/Introduction

In order to establish a relying party trust between your vCenter server and your ADFS provider, identifying information and a shared secret must be established between them. This is done by creating an OpenID Connect configuration in ADFS known as an Application Group, which consists of a Server application and a Web API. Both of these components together specify the vCenter redirect URIs that need to be invoked during authorization code flows as well as permissions, scopes, claims, and a client identifier and shared secret that vCenter uses to communicate with your ADFS server.

Environment

  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x

Resolution

The steps to create an Application Group in ADFS are described below. Note that the following steps were derived from Active Directory Federation Services for Windows Server 2016.

  1. Open the AD FS Management console (Server Manager → Tools → AD FS Management)
  2. Right-click Application Groups and select Add Application Group; alternatively, select Application Groups and select Add Application Group from the list of available actions under the Action menu bar or the Actions pane
  3. Enter a Name and optionally a Description for the new application group
  4. In the Template list, under Client-Server applications, select the Server application accessing a web API type. Click Next
  5. Make note of the Client Identifier. This ID will be needed in a later step as well as in the vCenter Identity Provider configuration
  6. Enter the vCenter Redirect URIs that were given in the vCenter Identity Provider configuration. These Redirect URIs must be exact; otherwise, the vCenter login may not work with ADFS. Click Next
  7. Check the option to Generate a shared secret, copy the value to the clipboard, and save it in a secure place. This will be needed in the vCenter Identity Provider configuration. Click Next
  8. Add an Identifier value that is equal to the Client Identifier generated above. Click Next
  9. Under Choose an access control policy, select Permit everyone. Click Next
  10. On the Configure Application Permissions page, under Permitted scopes, make sure openid and allatclaims are checked. Click Next
  11. Review the summary and click Next to create the Application Group
  12. Click Close to complete the wizard

The Application Group is now created and should be listed in the Application Groups pane. In order to populate the user tokens with the appropriate information during OAuth exchanges, some additional configuration steps are needed to transform Active Directory data into token claims.

  1. Right-click the newly created Application Group and select Properties; alternatively, select the newly created Application Group and select Properties from the list of available actions under the Action menu bar or the Actions pane
  2. Select the Web API entry under Applications and click Edit
  3. Go to the Issuance Transform Rules tab and add each of the following three rules
  4. Group Rule
    1. Click Add Rule
    2. Under Claim rule template, select the option Send LDAP Attributes as Claims and click Next
    3. Enter a name for the claim rule such as AD Group With Qualified Long Name
    4. Under Attribute store, select Active Directory
    5. In the mapping table on the first row, under the LDAP Attribute column, select the Token-Groups - Qualified by Long Domain Name option
    6. In the mapping table on the same row, under the Outgoing Claim Type column, select the Group option and click Finish
  5. Subject Rule
    1. Click Add Rule
    2. Under Claim rule template, select the option Send LDAP Attributes as Claims and click Next
    3. Enter a name for the claim rule such as Subject Claim
    4. Under Attribute store, select Active Directory
    5. In the mapping table on the first row, under the LDAP Attribute column, select the User-Principal-Name option
    6. In the mapping table on the same row, under the Outgoing Claim Type column, select the Name ID option and click Finish
  6. UPN Rule
    1. Click Add Rule
    2. Under Claim rule template, select the option Send LDAP Attributes as Claims and click Next
    3. Enter a name for the claim rule such as User Principal Name
    4. Under Attribute store, select Active Directory
    5. In the mapping table on the first row, under the LDAP Attribute column, select the User-Principal-Name option
    6. In the mapping table on the same row, under the Outgoing Claim Type column, select the UPN option and click Finish
  7. Click OK to save and close the updated Web API properties
  8. Click OK again to close the Application Group properties
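The same Application Group built with the AD FS PowerShell cmdlets instead of the wizard, as an added example that is not from this KB article. The group identifier, application names and redirect URIs are placeholders (copy the redirect URIs verbatim from the vCenter Identity Provider configuration); the claim type URIs are the standard ones behind the Group, Name ID and UPN entries in the GUI, and reading the secret from the ClientSecret property of the -PassThru output is assumed from the cmdlet's behaviour.

```powershell
# Added example (not part of the KB article): the same Application Group built with the
# AD FS PowerShell cmdlets instead of the wizard. Run in an elevated PowerShell on the
# ADFS server. Group identifier, names and redirect URIs below are placeholders: copy the
# redirect URIs verbatim from the vCenter Identity Provider configuration, they must match.
$groupId        = 'vCenterServer'                                              # placeholder
$vcRedirectUris = @('https://vcenter.example.com/PLACEHOLDER-REDIRECT-URI-1',  # placeholders
                    'https://vcenter.example.com/PLACEHOLDER-REDIRECT-URI-2')
$clientId       = (New-Guid).Guid   # Client Identifier; reused as the Web API identifier (step 8)

New-AdfsApplicationGroup -Name $groupId -ApplicationGroupIdentifier $groupId `
    -Description 'OpenID Connect relying party for vCenter Server'

# Server application (steps 4-7). -GenerateClientSecret creates the shared secret, which
# ADFS shows only once; assumed here to come back in the ClientSecret property of the
# object returned with -PassThru.
$server = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupId `
    -Name 'vCenter Server application' -Identifier $clientId `
    -RedirectUri $vcRedirectUris -GenerateClientSecret -PassThru

# The three issuance transform rules from the text, in claim rule language. This is what
# the "Send LDAP Attributes as Claims" template writes for each LDAP attribute mapping.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD Group With Qualified Long Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups(longDomainQualifiedName);{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Subject Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "User Principal Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Web API (steps 8-9): same identifier as the client, built-in "Permit everyone" policy.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupId -Name 'vCenter Web API' `
    -Identifier $clientId -AccessControlPolicyName 'Permit everyone' -IssuanceTransformRules $rules

# Step 10: let the server application request the openid and allatclaims scopes.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId -ServerRoleIdentifier $clientId `
    -ScopeNames 'openid', 'allatclaims'

# Values vCenter asks for. Store the secret in a password manager, not in a script or ticket.
"Client Identifier: $clientId"
"Shared secret    : $($server.ClientSecret)"
```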

OpenID Configuration URL

In order to configure ADFS federation in your vCenter Server, you will need to know your ADFS server's OpenID Configuration URL. This is the standard OpenID Connect (OIDC) Discovery Endpoint that advertises OIDC metadata information about an OAuth identity provider. It is a well-known address that is typically the issuer endpoint concatenated with the path “/.well-known/openid-configuration”. For example: https://hostname.example.com/adfs/.well-known/openid-configuration

To obtain the OpenID Address for your ADFS server:

  1. Open a PowerShell terminal on your ADFS server as an Administrator
  2. Execute the following command:
     Get-AdfsEndpoint | Select FullUrl | Select-String openid-configuration
  3. Copy the URL that is returned (select only the URL itself, not the closing bracket or the initial "@{FullUrl=" part)
  4. Use this URL whenever vCenter asks for the OpenID Address
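A sanity check of the discovery document before the URL is handed to vCenter, as an added example that is not from this KB article. The hostname is a placeholder; it verifies the property the text describes (the URL is the issuer plus the well-known path) and that the endpoints and scopes the procedure above relies on are actually advertised.

```powershell
# Added example (not part of the KB article): validate the OpenID Configuration URL before
# handing it to vCenter. The hostname is a placeholder; use the URL from Get-AdfsEndpoint.
$discoveryUrl = 'https://adfs.example.com/adfs/.well-known/openid-configuration'   # placeholder

$doc = Invoke-RestMethod -Uri $discoveryUrl -Method Get

# The URL is the issuer plus '/.well-known/openid-configuration', so the issuer in the
# document must be the URL minus that path. A mismatch (alias, proxy, wrong farm name) means
# the iss claim in tokens will not match what vCenter was configured with.
$expectedIssuer = ($discoveryUrl -replace '/\.well-known/openid-configuration$', '').TrimEnd('/')
if (-not $doc.issuer -or $doc.issuer.TrimEnd('/') -ne $expectedIssuer) {
    throw "issuer mismatch: document says '$($doc.issuer)', URL implies '$expectedIssuer'"
}

# Endpoints the authorization code flow uses; OIDC Discovery requires all three, and they
# must be HTTPS because the shared secret is sent to the token endpoint.
foreach ($key in 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
    if (-not $doc.$key) { throw "discovery document is missing '$key'" }
    if (-not $doc.$key.StartsWith('https://')) { throw "'$key' is not HTTPS: $($doc.$key)" }
}

# The Web API was permitted for openid and allatclaims; ADFS lists the scopes it supports.
$missing = @('openid', 'allatclaims') | Where-Object { $doc.scopes_supported -notcontains $_ }
if ($missing) { Write-Warning "scopes not advertised by ADFS: $($missing -join ', ')" }

if ($doc.response_types_supported -notcontains 'code') {
    throw 'ADFS does not advertise the authorization code flow (response_type=code)'
}
"OK: issuer $($doc.issuer); token endpoint $($doc.token_endpoint)"
```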