Microsoft is encouraging customers to use Azure federation, with Azure PTA (Pass-Through Authentication) or PHS (Password Hash Sync), in place of AD FS. Many customers use Microsoft Azure AD Connect to sync on-prem AD with AzureAD. Since the users and groups present in AD are also present in AzureAD (hybrid identity), OIDC integration with VMware should be straightforward.
Below is the process we used to accomplish it. Please make this an officially supported option. It would also be helpful to add AzureAD groups as an option for delegating access to vSphere. This would be forward-thinking and help us get rid of the dependency on SSL certificates for LDAPS. Please also keep the option of using LDAPS for authorization, as it may still be helpful in some scenarios.
Configure vCenter Server Identity Provider Federation for (Azure)AD FS
Register an Enterprise Application in AzureAD. Call it something identifiable, such as VMware VSI Production.
In AzureAD, click on App registrations and find the app registration created in the previous step.
Record the Application (client) ID and the Directory (tenant) ID. You will need these for the “ADFS” configuration later.
Click on Endpoints. Record the OAuth v1 endpoint and the OAuth well-known OpenID configuration URL. These will be used in Step 6: Configure vCenter Server Identity Provider Federation for (Azure)AD FS.
Add the OAuth2 redirect URL (the vSphere authorization-code callback) to the AzureAD integration: https://<vmware vsphere portal fqdn>/ui/login/oauth2/authcode
Create a new client secret and record it. You'll need it as the "Shared Secret" in the “ADFS” configuration of vSphere in Step 6: Configure vCenter Server Identity Provider Federation for (Azure)AD FS.
Add the group claim, formatted as the AD domain FQDN followed by a backslash and the group's sAMAccountName.
Grant the integration permission to read AzureAD on behalf of authenticating users.
Per the VMware instructions for configuring AD FS (Configure vCenter Server Identity Provider Federation for (Azure)AD FS), one prerequisite is:
- An AD FS root CA certificate added to the Trusted Root Certificates Store (also called the VMware Certificate Store).
For AzureAD, add the root CA for login.microsoft.com (DigiCert CA): https://www.digicert.com/kb/digicert-root-certificates.htm
The remainder of the instructions (Step 6 and on) are the same for AzureAD federation as they are for Microsoft AD FS.
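Before wiring the recorded values into vCenter, it is worth checking that the three things the two sides must agree on are actually consistent: the tenant's OpenID discovery document, the redirect URI, and the shape of the group claim. The following Python preflight script is an added example written for this post; it is not VMware's or Microsoft's code. The tenant ID, vCenter FQDN, discovery document and ID token are all constructed placeholders (the discovery document is shaped like the v1 AzureAD metadata at https://login.microsoftonline.com/<tenant>/.well-known/openid-configuration), so the script runs offline.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Constructed placeholders (not real values): the Directory (tenant) ID recorded
# from the app registration and the vSphere portal FQDN.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
VCENTER_FQDN = "vcenter.example.com"


def expected_urls(tenant_id, vcenter_fqdn):
    """URLs both sides must agree on: the v1 OpenID well-known document for the
    tenant, and the vSphere OAuth2 auth-code callback registered as redirect URI."""
    return {
        "openid_config": f"https://login.microsoftonline.com/{tenant_id}/.well-known/openid-configuration",
        "redirect_uri": f"https://{vcenter_fqdn}/ui/login/oauth2/authcode",
    }


def check_discovery_document(doc, tenant_id):
    """Return a list of problems with an OpenID discovery document; [] means it
    carries everything vCenter needs for the authorization-code flow."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
        elif urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    if tenant_id not in doc.get("issuer", ""):
        problems.append("issuer does not name the expected tenant")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


def check_redirect_uri(registered_uris, vcenter_fqdn):
    """The IdP compares the redirect URI byte-for-byte, so the registered value
    must match the vSphere callback exactly (no trailing slash, no http)."""
    wanted = expected_urls("", vcenter_fqdn)["redirect_uri"]
    return wanted in registered_uris


# DOMAIN.FQDN\sAMAccountName: a backslash separates domain from group name, and
# the group part excludes the characters sAMAccountName itself forbids.
GROUP_CLAIM_RE = re.compile(r'^[A-Za-z0-9.-]+\\[^\\/\[\]:;|=,+*?<>@"]+$')


def group_claims_ok(groups):
    """True only if every value is in the on-prem DOMAIN\\group form. AzureAD emits
    group object IDs unless the claim is explicitly configured otherwise, and
    vCenter cannot map those to AD group names."""
    return bool(groups) and all(GROUP_CLAIM_RE.match(g) for g in groups)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload):
    """Build an unsigned JWT (alg=none) purely as constructed sample input."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature. Use this only to
    inspect what the IdP puts in the groups claim while troubleshooting; an
    authorization decision must come from a signature-verified token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed discovery document, shaped like the v1 AzureAD metadata.
SAMPLE_DISCOVERY = {
    "issuer": f"https://sts.windows.net/{TENANT_ID}/",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

# Constructed ID token whose groups claim uses the domain FQDN\sAMAccountName form.
SAMPLE_TOKEN = make_unsigned_token({
    "iss": SAMPLE_DISCOVERY["issuer"],
    "upn": "alice@corp.example.com",
    "groups": ["corp.example.com\\vSphere-Admins", "corp.example.com\\VM-Guest-Admins"],
})


def preflight(doc=SAMPLE_DISCOVERY, registered_uris=None, token=SAMPLE_TOKEN):
    """Run all checks and return a dict of findings."""
    registered_uris = registered_uris or [expected_urls(TENANT_ID, VCENTER_FQDN)["redirect_uri"]]
    groups = decode_jwt_payload(token).get("groups", [])
    return {
        "discovery_problems": check_discovery_document(doc, TENANT_ID),
        "redirect_uri_ok": check_redirect_uri(registered_uris, VCENTER_FQDN),
        "group_claims_ok": group_claims_ok(groups),
        "groups": groups,
    }


if __name__ == "__main__":
    print(json.dumps(preflight(), indent=2))
```

The group-claim check is the one most likely to fail in practice: the default group claim carries AzureAD object IDs, not names, so a token whose `groups` values are GUIDs means the claim was not configured with the on-prem domain\sAMAccountName format and vCenter will not be able to match AD groups.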
Issues:
To VMware: PowerCLI appears to still be using the AD Auth Library. To ensure the best security (MFA and Conditional Access), VMware should move to Modern Auth. In lieu of Modern Auth (the preferred option), PowerCLI should not accept requests on TCP 443; rather, advertise it on a separate port that can be firewalled. A bastion host could then be used to gain access to this port.
To VMware admins: make sure TCP 443 for vSphere is only accessible over VPN, preferably restricted to VMware admins and VM guest admins, or to bastion hosts.