VMWARE VSPHERE 8.

0
OPERATE, SCALE AND SECURE

Lab 18: (Simulation) Configuring Identity Federation to

Use Microsoft ADFS

Document Version: 2023-05-30

Copyright © 2023 Network Development Group, Inc.

www.netdevgroup.com

NETLAB+ is a registered trademark of Network Development Group, Inc.

VMware is a registered trademark of VMware, Inc.

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

Contents
Introduction ................................................................................................................................................ 3
Objectives.................................................................................................................................................... 3
Lab Topology ............................................................................................................................................... 4
Lab Settings ................................................................................................................................................. 5
1 VMware Bravais Lab Simulation ......................................................................................................... 6
2 Join Active Directory Domain and Set an Identity Source .................................................................. 8
3 Verify Active Directory Accounts Exist .............................................................................................. 18
4 Verify that the studentadmin User can Log Into vCenter via Active Directory ................................ 22
5 Knowledge Check .............................................................................................................................. 23

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 2

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

Introduction

This lab is divided into two sections.

In this lab. you will use your local desktop web browser to run the VMware Bravais lab simulation and
the NDG lab environment.

The first section of this lab will be a simulation utilizing VMware Bravais labs to configure Identity
Federation to use Microsoft ADFS (Active Directory Federation Services).

The second section of this lab will utilize the NDG lab environment to verify a list of users in
ad.vclass.local. You will then verify that a user in active directory can successfully log in as an AD user.

Objectives

Utilize VMware Bravais Lab

• Configure vCenter Identity Provider Federation
• Log In to vCenter Using an AD Account to Create a Virtual Machine (VM) Alarm to Monitor an
Event

Utilize the NDG Lab Environment

• Add sa-vcsa.vclass.local to the ad.vclass.local Domain
• Set ad.vclass.local as an Identity Source
• View Active Directory Users
• Verify AD User Can Access vCenter

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 3

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

Lab Topology

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 4

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

Lab Settings

The information in the table below will be needed to complete the lab. The task sections beyond
provide details on the use of this information.

Virtual Machine IP Address Account Password

sa-student eth0: 172.20.10.80 sysadmin NDGlabpass123!

sa-vcsa eth0: 172.20.10.94 sysadmin@vclass.local NDGlabpass123!

sa-esxi-01 eth0: 172.20.10.51 root NDGlabpass123!

sa-esxi-02 eth0: 172.20.10.52 root NDGlabpass123!

sa-esxi-03 eth0: 172.20.10.53 root NDGlabpass123!

sa-aio eth0: 172.20.10.10 sysadmin NDGlabpass123!

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 5

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

1 VMware Bravais Lab Simulation

In this task, you will configure the ADFS identity source and add permissions to vCenter for a user from
the ADFS identity source. You will then log in to vCenter as the user authenticated from ADFS.

Do not perform the steps from this simulation in your actual lab environment.

Do not refresh, navigate away from, or minimize the browser tab hosting the
simulation. These actions might pause the simulation, and the simulation
might not progress.

Integrating Microsoft ADFS into a vSphere environment involves configuring ADFS as an identity
provider (IdP) for vSphere, allowing users to authenticate against their Active Directory (AD)
environment through ADFS and gain access to vSphere resources. Here is a high-level overview of the
steps involved:

• Set up ADFS: Install and configure ADFS in your environment, including setting up an ADFS farm
if desired for high availability and load balancing. Configure the necessary trust relationships
between ADFS and your AD environment.
• Configure vSphere: In vSphere, configure the SAML (Security Assertion Markup Language)
settings to enable SSO with ADFS. This involves specifying the ADFS server's metadata URL,
setting the desired authentication method, and configuring mapping rules to map AD attributes
to vSphere roles and permissions.
• Configure ADFS as an Identity Provider in vSphere: Create a new relying party trust (RPT) in
ADFS for vSphere, specifying the vSphere service provider's metadata URL. Configure the claims
rules in ADFS to send the appropriate AD attributes as SAML assertions to vSphere, based on
the mapping rules configured in vSphere.
• Test and validate: Test the SSO integration by logging in to vSphere using ADFS as the IdP, and
verify that users can authenticate against AD through ADFS and access vSphere resources based
on their AD permissions.
• Secure and monitor: Implement appropriate security measures, such as using SSL certificates
for secure communication, configuring logging and monitoring for ADFS and vSphere, and
regularly reviewing and updating the integration configuration to ensure security and
compliance.

Note: Detailed configuration steps may vary depending on the specific versions of ADFS and vSphere
being used, and the desired configuration options. It is recommended to refer to official
documentation and best practices from both Microsoft and VMware for specific guidance on
integrating ADFS with vSphere in your environment.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 6

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

1. On your local desktop, open a web browser.

Do not perform the steps from this simulation in your actual lab environment.

Do not refresh, navigate away from, or minimize the browser tab hosting the
simulation. These actions might pause the simulation, and the simulation
might not progress.

2. Go to https://core-vmware.bravais.com/s/dfx0wDotmsZvWT6R9aiK to open the simulation.

3. After you complete the simulation, close the simulation browser tab. Navigate back to the NDG lab
environment.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 7

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

2 Join Active Directory Domain and Set an Identity Source

In this task, you will use the NDG lab environment to utilize the techniques learned in the VMware
Bravais simulation lab. You will join sa-vcsa.vclass.local to the ad.vclass.local domain and set
ad.vclass.local as the default identity source.

1. Change focus back to the NDG lab environment.

2. Launch the sa-student Virtual Machine (VM) to access the graphical login screen.

To launch the console window for a VM, either click on the VM’s
graphic image from the topology page or click on the VM’s respective
tab from the navigation bar.

3. Launch the Mozilla Firefox web browser by either clicking on the icon shortcut found on the
bottom toolbar or by navigating to Start Menu > Internet > Firefox Web Browser.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 8

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

4. In Firefox, click LAUNCH VSPHERE CLIENT.

If the VMware Getting Started web page does not load, please wait
an additional 3-5 minutes, and refresh the page to continue. This is
because the vCenter Server Appliance is still booting up and requires
extra time to initialize.

5. To log in to the vCenter Server Appliance, enter sysadmin@vclass.local as the username and
NDGlabpass123! as the password. Click LOGIN.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 9

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

6. From the main menu, select Administration.

7. In the navigation pane, navigate to Single Sign On > Configuration.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 10

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

8. In the Configuration pane, select Identity Provider and click Active Directory Domain. Verify that
the sa-vcsa.vclass.local node is selected. Click JOIN AD.

9. In the Join Active Directory Domain window, enter ad.vclass.local for the Domain, administrator for the
Username, and NDGlabpass123! for the Password. Click JOIN.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 11

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

For this lab, Active Directory has been preconfigured on the SA-AIO
machine.

10. Verify that sa-vcsa.vclass.local has successfully joined the ad.vclass.local AD. Click Acknowledge on
the popup dialog box.

11. Restart the vCenter Server Appliance using the vCenter Server Appliance Management Interface.

a. Open a new Firefox tab and click [Mgmt] sa-vcsa.

Port 5480 is the default port used to access the vCenter Server
Appliance Web User Interface. The VMware vCenter Server Appliance
Management Interface (VAMI) is used to perform administrative tasks
such as changing the host name, network configurations, applying
updates and patches.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 12

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

b. In the Username field, type sysadmin@vclass.local and in the Password field, type
NDGlabpass123!. Click on LOGIN.

c. From the Actions dropdown menu in the top right corner, select Reboot.

d. In the System Reboot window, click YES.

12. Change focus back to the vSphere Client tab, and refresh the screen periodically until the vSphere
Client login page appears.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 13

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

The reboot process takes 5 - 10 minutes to complete. During this time, the
vSphere Client is unavailable. You will not be able to add ad.vclass.local as an
identity source until the reboot process is complete.

13. Log in to the vCenter Server Appliance: enter sysadmin@vclass.local as the username and
NDGlabpass123! as the password. Click LOGIN.

You may ignore the browser-OS combination warning message

presented on the VMware vCenter Single Sign-On page, and continue
moving forward with the lab.

14. From the main menu, select Administration.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 14

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

15. In the navigation pane, navigate to Single Sign On > Configuration.

16. In the Configuration pane, select Identity Provider and click Identity Sources. Notice that the
vclass.local and localos domains appear as identity sources.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 15

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

17. Click ADD in the Identity Sources pane.

18. In the Add Identity Source window, verify that Active Directory (Integrated Windows
Authentication) is selected. Verify that AD.VCLASS.LOCAL is listed as the Domain name. Ensure
that Use machine account it selected, and click ADD.

19. In the Identity Sources window, verify that AD.VCLASS.LOCAL is listed as an identity source. Select
the AD.VCLASS.LOCAL identity source, and click SET AS DEFAULT.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 16

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

20. In the Set Default Identity Source window, click OK.

21. Leave the vSphere Client open, and continue to the next task.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 17

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

3 Verify Active Directory Accounts Exist

In this task, you will view the list of AD users, and confirm that the studentadmin and cladmin single
sign-on accounts exist.

By regularly reviewing AD users in vCenter, administrators can help ensure that their virtual
environment is secure, compliant, and running efficiently, improving the reliability and performance of
their virtualized infrastructure.

1. From the main menu, select Administration.

2. In the navigation pane, navigate to Single Sign On > Users and Groups.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 18

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

3. In the Users and Groups pane on the Users tab, verify that AD.VCLASS.LOCAL is selected from the
dropdown menu.

4. In the AD.VCLASS.LOCAL domain, you should see the studentadmin and cladmin users.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 19

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

You may need to scroll through the Users window to verify that both
studentadmin and cladmin are listed.

5. In the Users and Groups pane, click the Groups tab. Select Administrators and click EDIT.

6. In the Edit Group window, for the Add Members dropdown menu, select ad.vclass.local. In the
search box, type student. Select studentadmin and click SAVE.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 20

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

7. Logout of the vSphere Client and continue to the next task.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 21

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

4 Verify that the studentadmin User can Log Into vCenter via Active Directory

In this task, you will verify that studentadmin@ad.vclass.local can successfully log in to vCenter as an
AD user.

1. Log in to the vCenter Server Appliance: enter studentadmin@ad.vclass.local as the username and
NDGlabpass123! as the password. Click LOGIN.

You may ignore the browser-OS combination warning message

presented on the VMware vCenter Single Sign-On page, and continue
moving forward with the lab.

2. Verify that you are logged in as studentadmin@ad.vclass.local.

3. From the main menu, select Inventory.

4. Navigate the vSphere Client to confirm that the studentadmin account can complete administrative
tasks.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 22

Lab 18: (Simulation) Configuring Identity Federation to Use Microsoft ADFS

5 Knowledge Check

In this task, you will configure the cladmin user account, and confirm the status of the group to which it
will be added.

1. Using the studentadmin account, assign the cladmin to the ReadOnlyUsers group
2. Log in to vCenter as the cladmin user
3. Navigate to the vSphere Client and confirm you are a read only user
4. Verify that you cannot shutdown the sa-esxi-02.vclass.local host
5. The lab is now complete; you may end your reservation.

5/30/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 23