vCenter OIDC authentication using KeyCloak

VMware vCenter 7 adds support for OIDC single sign-on. Officially only ADFS is supported, but with some tweaks KeyCloak can be used instead. The changes necessary to trick vCenter into accepting KeyCloak as an IDP are:

  • Include a domain claim matching the vCenter SSO domain
  • Override the sub claim to be the plain username

The process is described in more detail on my wiki here:

The vCenter UI decides whether to use local SSO or OIDC by having you type in the username into the vCenter login form, and matching the domain part against the configured authentication domains. Unfortunately this means typing in the username twice, once fully qualified on the vCenter login form, and then again in the IDP login form.

Using OIDC for logging into vCenter means entering the password less often, and if the IDP supports 2FA, then that second factor is also applied to the vCenter login, which is a nice security improvement. KeyCloak supports both TOTP codes and FIDO U2F as the second factor, meaning it supports Yubikeys and Krypton.

While setting this up, the /var/log/vmware/sso/tokenservice.log logfile on the vCenter host is helpful for troubleshooting the login process. It shows the data extracted from the JWT claims, which can be used to confirm the username and domain claims are being set correctly.
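As an added example (not code from the original post or from VMware/KeyCloak), the script below decodes an ID token from KeyCloak and checks the two claim tweaks listed above before you go digging through tokenservice.log. It assumes the extra claim is literally named `domain`, that the SSO domain is `vsphere.local`, and that domain names compare case-insensitively; it does not verify the signature, which remains vCenter's job.

```python
import base64
import json

# Assumptions (not from the original post): the extra claim is named "domain",
# the vCenter SSO domain is "vsphere.local", and the token is the OIDC ID token.
SSO_DOMAIN = "vsphere.local"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    Troubleshooting aid only: the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))


def check_vcenter_claims(claims: dict, sso_domain: str = SSO_DOMAIN) -> list[str]:
    """List the problems that would stop vCenter matching the token to a user."""
    problems = []
    sub = claims.get("sub", "")
    domain = claims.get("domain")
    if not sub:
        problems.append("sub claim missing or empty")
    elif "@" in sub or "\\" in sub:
        problems.append(f"sub {sub!r} must be the plain username, not a qualified name")
    if domain is None:
        problems.append("domain claim missing")
    elif domain.lower() != sso_domain.lower():  # case-insensitive match is an assumption
        problems.append(f"domain {domain!r} does not match SSO domain {sso_domain!r}")
    return problems


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT so the checks can be exercised offline."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    good = make_unsigned_token({"sub": "alice", "domain": "vsphere.local"})
    bad = make_unsigned_token({"sub": "alice@vsphere.local"})  # overrides missing
    print(check_vcenter_claims(jwt_claims(good)))  # []
    print(check_vcenter_claims(jwt_claims(bad)))   # two problems listed
```

Paste a real ID token into `jwt_claims` and compare its output with what tokenservice.log reports for the same login.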