VMware Cloud Foundation

SDDC Manager delegates its authentication to vCenter Server, which supports a number of external Identity Providers (Microsoft ADFS, Okta, Microsoft Entra ID & PingFederate). Its important to understand that MFA is a capability of the IdP, it has no barring on VMware components :)

For example, I'm able to use YubiKey & Face ID to authenticate:

https://williamlam.com/2025/01/passwordless-login-to-vcenter-server-or-vmware-cloud-foundation-vcf-using-apple-face-id-or-yubico-yubikey.html

As long as your RADIUS Server has OAuth2/OIDC support, then it'll work but as mentioned above, only the officially listed IdPs today are officially supported but you can see from https://williamlam.com/tag/oidc it works with any OAuth2/OIDC compliant IdP 

SDDC Manager delegates its authentication to vCenter Server, which supports a number of external Identity Providers (Microsoft ADFS, Okta, Microsoft Entra ID & PingFederate). Its important to understand that MFA is a capability of the IdP, it has no barring on VMware components :)

For example, I'm able to use YubiKey & Face ID to authenticate:

https://williamlam.com/2025/01/passwordless-login-to-vcenter-server-or-vmware-cloud-foundation-vcf-using-apple-face-id-or-yubico-yubikey.html

As long as your RADIUS Server has OAuth2/OIDC support, then it'll work but as mentioned above, only the officially listed IdPs today are officially supported but you can see from https://williamlam.com/tag/oidc it works with any OAuth2/OIDC compliant IdP 

------------------------------
----
William Lam
https://williamlam.com/
------------------------------

@William Lam
here is another one for your list:
http://vbrain.com.br/index.php/2022/05/01/configuring-2fa-two-factor-authentication-in-vcenter-using-duo-proxy-providing-for-example-azure-ad-as-an-identity-provider/
https://www.virtualizationhowto.com/2021/12/easy-vcenter-server-two-factor-authentication-without-adfs/

https://youtu.be/q-7ee2tJAQo

I think DUO is not yet mentioned in your collection. :-)

And there is? also a TAM lab:
https://blogs.vmware.com/professional-services/2022/06/tam-lab-enabling-mfa-in-vsphere-7.html


Cheers

Original Message:
Sent: Apr 16, 2025 08:48 AM
From: William Lam
Subject: MFA integration with VCF 5.2.1

SDDC Manager delegates its authentication to vCenter Server, which supports a number of external Identity Providers (Microsoft ADFS, Okta, Microsoft Entra ID & PingFederate). Its important to understand that MFA is a capability of the IdP, it has no barring on VMware components :)

For example, I'm able to use YubiKey & Face ID to authenticate:

https://williamlam.com/2025/01/passwordless-login-to-vcenter-server-or-vmware-cloud-foundation-vcf-using-apple-face-id-or-yubico-yubikey.html

As long as your RADIUS Server has OAuth2/OIDC support, then it'll work but as mentioned above, only the officially listed IdPs today are officially supported but you can see from https://williamlam.com/tag/oidc it works with any OAuth2/OIDC compliant IdP 

------------------------------
----
William Lam
https://williamlam.com/

Duo is a hosted IdP, I'm primarily focused on self-hosted :) 

But hopefully the point being is that any OAuth/OIDC-compliant IdP will just "work" 

@William Lam
here is another one for your list:
http://vbrain.com.br/index.php/2022/05/01/configuring-2fa-two-factor-authentication-in-vcenter-using-duo-proxy-providing-for-example-azure-ad-as-an-identity-provider/
https://www.virtualizationhowto.com/2021/12/easy-vcenter-server-two-factor-authentication-without-adfs/

https://youtu.be/q-7ee2tJAQo

I think DUO is not yet mentioned in your collection. :-)

And there is? also a TAM lab:
https://blogs.vmware.com/professional-services/2022/06/tam-lab-enabling-mfa-in-vsphere-7.html


Cheers

Original Message:
Sent: Apr 16, 2025 08:48 AM
From: William Lam
Subject: MFA integration with VCF 5.2.1

SDDC Manager delegates its authentication to vCenter Server, which supports a number of external Identity Providers (Microsoft ADFS, Okta, Microsoft Entra ID & PingFederate). Its important to understand that MFA is a capability of the IdP, it has no barring on VMware components :)

For example, I'm able to use YubiKey & Face ID to authenticate:

https://williamlam.com/2025/01/passwordless-login-to-vcenter-server-or-vmware-cloud-foundation-vcf-using-apple-face-id-or-yubico-yubikey.html

As long as your RADIUS Server has OAuth2/OIDC support, then it'll work but as mentioned above, only the officially listed IdPs today are officially supported but you can see from https://williamlam.com/tag/oidc it works with any OAuth2/OIDC compliant IdP 

------------------------------
----
William Lam
https://williamlam.com/

Hi Guillermo,
Yes, MFA integration with VCF 5.2.1 is possible and has been implemented in several environments. For our setup, we integrated a RADIUS-based MFA solution through VMware Identity Manager (now Workspace ONE Access) to secure access to vCenter, NSX Manager, and SDDC Manager.

Key points:

• External Identity Provider (IdP) was configured to support RADIUS and SAML 2.0.

• Conditional access policies were used to enforce MFA on web UI logins.

• Ensure your environment allows proper communication between the VCF components and the IdP.

If you're using Duo, RSA, or a similar MFA system, the integration should be straightforward with Workspace ONE as the intermediary.

Let me know the MFA solution you're working with-I'd be happy to share specific steps or config references.