...
In order to establish a relying party trust between your vCenter server and your ADFS provider, identifying information and a shared secret must be established between them. This is done by creating an OpenID Connect configuration in ADFS known as an Application Group, which consists of a Server application and a Web API. Both of these components together specify the vCenter redirect URIs that need to be invoked during authorization code flows as well as permissions, scopes, claims, and a client identifier and shared secret that vCenter uses to communicate with your ADFS server.
The steps to create an Application Group in ADFS are described below. Note that the following steps were derived from Active Directory Federation Services for Windows Server 2016.

1. Open the AD FS Management console (Server Manager → Tools → AD FS Management).
2. Right-click Application Groups and select Add Application Group; alternatively, select Application Groups and select Add Application Group from the list of available actions under the Action menu bar or the Actions pane.
3. Enter a Name and optionally a Description for the new application group.
4. In the Template list, under Client-Server applications, select the Server application accessing a web API type. Click Next.
5. Make note of the Client Identifier. This ID will be needed in a later step as well as in the vCenter Identity Provider configuration.
6. Enter the vCenter Redirect URIs that were given in the vCenter Identity Provider configuration. These Redirect URIs must match exactly (scheme, host, port and path); ADFS will not send an authorization code to any URI that is not registered here, so the vCenter login will fail if they differ. Click Next.
7. Check the option to Generate a shared secret, copy the value to the clipboard, and save it in a secure place. ADFS does not display the secret again after this step, and it will be needed in the vCenter Identity Provider configuration. Click Next.
8. Add an Identifier value that is equal to the Client Identifier generated above. Click Next.
9. Under Choose an access control policy, select Permit everyone. Click Next. This policy only determines which authenticated users ADFS will issue a token for; what those users may do in vCenter is still governed by the group and role assignments made in vCenter.
10. On the Configure Application Permissions page, under Permitted scopes, make sure openid and allatclaims are checked. Click Next.
11. Review the summary and click Next to create the Application Group.
12. Click Close to complete the wizard.

The Application Group is now created and should be listed in the Application Groups pane. In order to populate the user tokens with the appropriate information during OAuth exchanges, some additional configuration steps are needed to transform Active Directory data into token claims.
1. Right-click the newly created Application Group and select Properties; alternatively, select the newly created Application Group and select Properties from the list of available actions under the Action menu bar or the Actions pane.
2. Select the Web API entry under Applications and click Edit.
3. Go to the Issuance Transform Rules tab and add each of the following three rules.

Group Rule
1. Click Add Rule.
2. Under Claim rule template, select the option Send LDAP Attributes as Claims and click Next.
3. Enter a name for the claim rule such as AD Group With Qualified Long Name.
4. Under Attribute store, select Active Directory.
5. In the mapping table on the first row, under the LDAP Attribute column, select the Token-Groups - Qualified by Long Domain Name option.
6. In the mapping table on the same row, under the Outgoing Claim Type column, select the Group option and click Finish.

Subject Rule
1. Click Add Rule.
2. Under Claim rule template, select the option Send LDAP Attributes as Claims and click Next.
3. Enter a name for the claim rule such as Subject Claim.
4. Under Attribute store, select Active Directory.
5. In the mapping table on the first row, under the LDAP Attribute column, select the User-Principal-Name option.
6. In the mapping table on the same row, under the Outgoing Claim Type column, select the Name ID option and click Finish.

UPN Rule
1. Click Add Rule.
2. Under Claim rule template, select the option Send LDAP Attributes as Claims and click Next.
3. Enter a name for the claim rule such as User Principal Name.
4. Under Attribute store, select Active Directory.
5. In the mapping table on the first row, under the LDAP Attribute column, select the User-Principal-Name option.
6. In the mapping table on the same row, under the Outgoing Claim Type column, select the UPN option and click Finish.

4. Click OK to save and close the updated Web API properties.
5. Click OK again to close the Application Group properties.

OpenID Configuration URL

In order to configure ADFS federation in your vCenter Server, you will need to know your ADFS server's OpenID Configuration URL. This is the standard OpenID Connect (OIDC) Discovery Endpoint that advertises OIDC metadata about an OAuth identity provider: the issuer, the authorization, token and JWKS (signing key) endpoints, and the supported scopes and claims. It is a well-known address: the issuer URL with the path "/.well-known/openid-configuration" appended. For example: https://adfsserver01.corp.local/adfs/.well-known/openid-configuration

To obtain the OpenID Address for your ADFS server:
1. Open a PowerShell terminal on your ADFS server as an Administrator.
2. Execute the following command:
   Get-AdfsEndpoint | Select FullUrl | Select-String openid-configuration
3. Copy the URL that is returned (select only the URL itself, not the closing bracket or the initial "@{FullUrl=" part; Select-String matches against the stringified object, which is where that wrapper comes from).
4. Use this URL whenever vCenter asks for the OpenID Address. vCenter fetches the discovery document from this URL itself, so the hostname must resolve from vCenter and the ADFS server must present a certificate that vCenter trusts.
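The whole procedure above (Application Group, Server application with a generated shared secret, Web API with the three issuance transform rules and the permitted scopes, and the OpenID discovery URL lookup) can also be done from the AD FS PowerShell module that ships with Windows Server 2016. The script below is an added example and is not code from the original page or from VMware; it reproduces what the wizard steps configure. The group name, the description and the redirect URIs are placeholders, as is the generated client identifier: replace the redirect URIs with the exact values shown in your vCenter Identity Provider configuration.

```powershell
# Added example (not VMware's or Microsoft's code): scripted equivalent of the
# AD FS Management wizard steps on this page. Run in an elevated PowerShell
# session on the AD FS server (Windows Server 2016 AD FS module).
#Requires -RunAsAdministrator
Import-Module ADFS

$groupName    = 'vCenter SSO'                           # assumed name
$groupId      = 'vCenterSSO'                            # assumed group identifier
$clientId     = [guid]::NewGuid().ToString()            # the Client Identifier
$redirectUris = @(                                      # assumed; copy from vCenter
    'https://vcenter.corp.local/ui/login/oauth2/authcode',
    'https://vcenter.corp.local/ui/login'
)

# 1. Application Group (wizard steps 2-3).
New-AdfsApplicationGroup -Name $groupName `
    -ApplicationGroupIdentifier $groupId `
    -Description 'vCenter Server federation' | Out-Null

# 2. Server application: client identifier, redirect URIs, shared secret
#    (wizard steps 4-7). The secret is returned once in .ClientSecret and
#    cannot be read back from AD FS later, so capture it now.
$server = Add-AdfsServerApplication -Name "$groupName - Server application" `
    -ApplicationGroupIdentifier $groupId `
    -Identifier $clientId `
    -RedirectUri $redirectUris `
    -GenerateClientSecret

# 3. The three "Send LDAP Attributes as Claims" rules from the Issuance
#    Transform Rules tab, in AD FS claim rule language. Token-Groups -
#    Qualified by Long Domain Name is tokenGroups(longDomainQualifiedName);
#    User-Principal-Name is userPrincipalName.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD Group With Qualified Long Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups(longDomainQualifiedName);{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Subject Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "User Principal Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# 4. Web API: identifier equal to the client identifier, access control policy
#    Permit everyone, and the rules above (wizard steps 8-9 plus the rules).
Add-AdfsWebApiApplication -Name "$groupName - Web API" `
    -ApplicationGroupIdentifier $groupId `
    -Identifier $clientId `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules | Out-Null

# 5. Permitted scopes openid and allatclaims (wizard step 10).
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId `
    -ScopeNames 'openid', 'allatclaims'

# 6. OpenID discovery URL. Filtering on the FullUrl property returns the bare
#    URL, without the "@{FullUrl=...}" wrapper that Select-String produces.
$openIdUrl = (Get-AdfsEndpoint |
    Where-Object { $_.FullUrl -like '*/.well-known/openid-configuration' }).FullUrl

# Sanity check: the discovery document must be served and must advertise the
# endpoints vCenter will use during the authorization code flow.
$metadata = Invoke-RestMethod -Uri $openIdUrl
foreach ($key in 'issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
    if (-not $metadata.$key) { throw "Discovery document at $openIdUrl lacks '$key'" }
}

# Everything the vCenter Identity Provider configuration asks for.
[pscustomobject]@{
    ClientIdentifier = $clientId
    SharedSecret     = $server.ClientSecret
    OpenIdAddress    = "$openIdUrl"
    Issuer           = $metadata.issuer
    TokenEndpoint    = $metadata.token_endpoint
}
```

The final object prints the shared secret in clear text on the console; treat that output like the clipboard copy in the wizard and store it only where vCenter's identity provider configuration needs it. If the redirect URIs ever change on the vCenter side, update them with Set-AdfsServerApplication rather than recreating the group, so the client identifier and secret already entered in vCenter stay valid.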