8th gen NUC needs a customised install with either the net-community VIB or the USB NIC fling slipstreamed in.


OIDC SSO authentication via KeyCloak

Officially, vCenter 7 adds OIDC support for ADFS only; with some tweaks, however, it can be made to work with KeyCloak instead.

  • Ensure the KeyCloak Docker container is running with the env var
    JAVA_OPTS_APPEND = "-Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  • Add a client with ID vmware
  • Ensure the client is enabled and that Standard Flow and Direct Access Grants are both enabled
  • For the Root URL, Admin URL, Web Origins, use https://vcenter.fqdn
  • For backchannel logout URL use https://vcenter.fqdn/ui/login and enable Backchannel logout session required
  • Set Client Protocol to openid-connect and Access Type to confidential
  • On the Credentials tab, make a note of the secret
  • On the mappers tab:
    • Add a hardcoded claim named domain, with the value matching the VMware SSO domain that will be used (i.e. the part after the @ sign of the username; in my case
    • Add a script mapper named nameid with value:

      This sets the sub claim in the JWT to the plain username instead of the internal KeyCloak user UUID, which is the default. Without this, vCenter cannot match the token to a user from LDAP.

  • Under Realm Settings → Endpoints, right-click OpenID Endpoint Configuration and copy the URL
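Before pointing vCenter at the realm it is worth confirming that the two mappers above actually produce the claims vCenter needs. The following is an added example, not part of the original page or of KeyCloak or VMware: it decodes the payload of a compact JWT and checks that sub is the plain username and that the domain claim matches the SSO domain. The sample tokens are constructed locally with a throwaway HS256 key so the script runs offline; a real KeyCloak access token (obtainable via the Direct Access Grant enabled earlier, or from the browser session) can be passed to decode_payload instead. The username and SSO domain values are hypothetical.

```python
"""Check that a KeyCloak-issued token carries the claims vCenter expects.

Added example (not from the wiki page). Real KeyCloak tokens are RS256-signed
and should be verified against the realm's JWKS before being trusted; this
script only inspects the payload to confirm the mapper configuration.
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(payload: dict, key: bytes) -> str:
    """Build a compact HS256 JWT from a payload (constructed test data only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def check_vcenter_claims(claims: dict, username: str, sso_domain: str) -> list:
    """Return the problems that would stop vCenter matching the token to an LDAP user."""
    problems = []
    sub = claims.get("sub")
    if sub != username:
        problems.append(f"sub is {sub!r}, expected plain username {username!r}")
    domain = claims.get("domain")
    if domain != sso_domain:
        problems.append(f"domain claim is {domain!r}, expected {sso_domain!r}")
    return problems


# Constructed sample data; the key exists only so the sample tokens are well-formed.
SAMPLE_KEY = b"example-only-not-a-real-secret"
USERNAME = "alice"                 # hypothetical LDAP username
SSO_DOMAIN = "example.internal"    # hypothetical vSphere SSO domain

# Default KeyCloak behaviour: sub is the internal user UUID and there is no domain claim.
DEFAULT_CLAIMS = {
    "sub": "2f1c0a8e-0000-4000-8000-000000000000",
    "preferred_username": USERNAME,
    "aud": "vmware",
}
# With the nameid script mapper and the hardcoded domain claim described above.
MAPPED_CLAIMS = {
    "sub": USERNAME,
    "preferred_username": USERNAME,
    "aud": "vmware",
    "domain": SSO_DOMAIN,
}


def audit(claims: dict) -> list:
    """Round-trip a claim set through a token and check it as vCenter would see it."""
    token = make_sample_token(claims, SAMPLE_KEY)
    return check_vcenter_claims(decode_payload(token), USERNAME, SSO_DOMAIN)


if __name__ == "__main__":
    print("default mappers:", audit(DEFAULT_CLAIMS) or "ok")
    print("with nameid + domain mappers:", audit(MAPPED_CLAIMS) or "ok")
```

With only the default mappers the check reports both a UUID in sub and a missing domain claim; once the nameid script mapper and the hardcoded domain claim are in place it reports nothing, which is the state to reach before configuring vCenter.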

Under vCenter → Administration → Single Sign On → Configuration

  • Click Change identity provider and select ADFS
  • Under Client Identifier, enter vmware, or whatever value was picked for the client ID in KeyCloak
  • Under shared secret, enter the secret noted earlier
  • Under OpenID address, paste the URL noted earlier
  • Fill in the LDAP details when prompted. Be sure to upload the root CA certificate (needed even for Let's Encrypt certs)

If there are certificate errors, also try adding the Let's Encrypt root cert under vCenter → Administration → Certificates → Certificate Management. If this view does not render in Chrome, try Firefox, or log in as Administrator@vsphere.local.

Reset Eval license

  • Start the SSH service on the ESXi host
  • Start an SSH connection with an SSH client (e.g. PuTTY)
  • Delete the current license:
    rm -r /etc/vmware/license.cfg
  • Copy the new license:
    cp /etc/vmware/.#license.cfg /etc/vmware/license.cfg
  • Restart the VPXA service:
    /etc/init.d/vpxa restart
vmware.txt · Last modified: 2024/01/30 13:56 by ben