diff --git a/docs/integrations/services/vmware-vsphere/index.md b/docs/integrations/services/vmware-vsphere/index.md new file mode 100644 index 000000000..24819d169 --- /dev/null +++ b/docs/integrations/services/vmware-vsphere/index.md 
@@ -0,0 +1,73 @@ +# VMware vSphere Integration + +## What is vSphere + +From https://en.wikipedia.org/wiki/VCenter + +!!! note "" + + vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts. + +!!! warning + + This requires passbook 0.10.3 or newer. + +## Preparation + +The following placeholders will be used: + + - `vcenter.company` is the FQDN of the vCenter server. + - `passbook.company` is the FQDN of the passbook install. + +Since vCenter only allows OpenID-Connect in combination with Active Directory, it is recommended to have passbook sync with the same Active Directory. + +### Step 1 + +Under *Property Mappings*, create a *Scope Mapping*. Give it a name like "OIDC-Scope-VMware-vSphere". Set the scope name to `openid` and the expression to the following + +```python +return { + "domain": "", +} +``` + +### Step 2 + +!!! note + If your Active Directory Schema is the same as your Email address schema, skip to Step 3. + +Under *Sources*, click *Edit* and ensure that "Autogenerated Active Directory Mapping: userPrincipalName -> attributes.upn" has been added to your source. + +### Step 3 + +Under *Providers*, create an OAuth2/OpenID Provider with these settings: + + - Client Type: Confidential + - Response Type: code + - JWT Algorithm: RS256 + - Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode` + - Post Logout Redirect URIs: `https://vcenter.company/ui/login` + - Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...". + - Scopes: Select the Scope Mapping you've created in Step 1 + +![](./passbook_setup.png) + +### Step 4 + +Create an application which uses this provider. Optionally apply access restrictions to the application. 
+ +## vCenter Setup + +Login as local Administrator account (most likely ends with vsphere.local). Using the Menu in the Navigation bar, navigate to *Administration -> Single Sing-on -> Configuration*. + +Click on *Change Identity Provider* in the top-right corner. + +In the wizard, select "Microsoft ADFS" and click Next. + +Fill in the Client Identifier and Shared Secret from the Provider in passbook. For the OpenID Address, click on *View Setup URLs* in passbook, and copy the OpenID Configuration URL. + +On the next page, fill in your Active Directory Connection Details. These should be similar to what you have set in passbook. + +![](./vcenter_post_setup.png) + +If your vCenter was already setup with LDAP beforehand, your Role assignments will continue to work. diff --git a/docs/integrations/services/vmware-vsphere/passbook_setup.png b/docs/integrations/services/vmware-vsphere/passbook_setup.png new file mode 100644 index 000000000..ca1bd096b Binary files /dev/null and b/docs/integrations/services/vmware-vsphere/passbook_setup.png differ diff --git a/docs/integrations/services/vmware-vsphere/vcenter_post_setup.png b/docs/integrations/services/vmware-vsphere/vcenter_post_setup.png new file mode 100644 index 000000000..6fb71e233 Binary files /dev/null and b/docs/integrations/services/vmware-vsphere/vcenter_post_setup.png differ diff --git a/mkdocs.yml b/mkdocs.yml index e0dc6689b..f473fb26b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -52,6 +52,7 @@ nav: - Harbor: integrations/services/harbor/index.md - Sentry: integrations/services/sentry/index.md - Ansible Tower/AWX: integrations/services/tower-awx/index.md + - VMware vSphere: integrations/services/vmware-vsphere/index.md - Upgrading: - to 0.9: upgrading/to-0.9.md - to 0.10: upgrading/to-0.10.md
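Review bot: The scope expression in Step 1 returns an empty `domain` claim with no explanation of what vCenter expects in it, so readers cannot tell whether an empty string is deliberate or whether they should fill in their own domain; add a sentence saying why the `openid` scope mapping needs a `domain` key and why leaving it empty works with the Active Directory setup described in Step 2. Two wording fixes in the vCenter Setup section: "Single Sing-on" should read "Single Sign-on", and "Login as local Administrator account" reads better as "Log in with the local Administrator account". It would also help to spell out which value from the passbook provider page maps to vCenter's "Client Identifier" and which to "Shared Secret", since the OAuth2/OpenID Provider settings listed in Step 3 do not name those two fields.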