Connect to an AD FS-Federated vCenter Server System

If your vCenter Server is federated to Active Directory Federation Services (AD FS), you can authenticate with PowerCLI by using the OAuth 2.0 Authorization Code grant type.

You can authenticate to a federated vCenter Server by creating a new OAuth security context and then exchanging it for a SAML security context. You create an OAuth security context for PowerCLI by using the New-OAuthSecurityContext cmdlet. One way to do this is to authenticate through the Authorization Code grant type, which is illustrated by this example. This workflow guarantees a substantial degree of security and can be used with multi-factor authentication.

Note: You can use PowerCLI to authenticate with the other OAuth 2.0 grant types as well, such as the Client Credentials, Refresh Token, and Password grant types. For more information, run Get-Help New-OAuthSecurityContext -full.

Prerequisites

  • Verify that your vCenter Server system is federated to AD FS. For more information, see Federate vCenter Server to Active Directory Federation Services (AD FS) in the VMware vCenter Server Management Programming Guide.
  • Create an OAuth client for PowerCLI on the authentication server (AD FS). Configure the OAuth client to perform the same token transformation as your vCenter Server system. You must configure a redirect URL according to the requirements in the procedure below. Save the Client ID and Client Secret that the authentication server generates. For more information, see the Microsoft documentation.

Procedure

  1. Create an OAuth security context object for PowerCLI.
    In the background, PowerCLI sends an authentication request to the authentication server, AD FS. A web browser opens and prompts the user to authorize the client application's request. On confirmation, PowerCLI interacts with the authentication server to obtain the access and ID tokens (JWT tokens) and creates a new OAuth security context.
    # Opens a browser for the Authorization Code flow and returns an OAuth security context
    $oauthSecContext = New-OAuthSecurityContext -TokenEndpointUrl "https://<AD FS FQDN>/adfs/oauth2/token/" `
        -AuthorizationEndpointUrl "https://<AD FS FQDN>/adfs/oauth2/authorize/" `
        -RedirectUrl "http://localhost:8844/auth" -ClientId "powercli-native" `
        -OtherArguments @{ "resource" = "my-vcenter" }
    The command takes the following parameters.

    TokenEndpointUrl
        Description: The base URL where the authentication server listens for requests to issue access tokens. You can find this value in the openid-configuration file of the authentication server under the token_endpoint key.
        Example value: https://<AD FS FQDN>/adfs/oauth2/token/

    AuthorizationEndpointUrl
        Description: The base URL at the authentication server to which users are redirected in order to authenticate. You can find this value in the openid-configuration file under the authorization_endpoint key.
        Example value: https://<AD FS FQDN>/adfs/oauth2/authorize/

    RedirectUrl
        Description: The URL to which the user is redirected after approving the authentication request. It must point to localhost and a free port on the machine where PowerCLI is running, and it must use the http scheme.
        Example value: http://localhost:8844/auth

    ClientId
        Description: The ID that you received from the authentication server when you registered the client application.
        Example value: powercli-native

    OtherArguments
        Description: A hashtable of (String, String) pairs that represent arguments to server-specific parameters. In the example above, it carries the identifier of the AD FS Application Group for vCenter Server, using the example ID "my-vcenter".
        Example value: @{ "resource" = "my-vcenter" }
  2. Exchange the OAuth security context for a SAML security context.
    $samlSecContext = New-VISamlSecurityContext -VCenterServer 'myVC' -OAuthSecurityContext $oauthSecContext
  3. Connect to your vCenter Server system by using the SAML security context.
    Connect-VIServer -Server 'myVC' -SamlSecurityContext $samlSecContext
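The three steps above combined into one script, as an added example that is not part of the VMware documentation: it reads the token and authorization endpoints from the AD FS openid-configuration document that the parameter table refers to, refuses non-TLS endpoints, checks that the localhost redirect port is actually free before the browser flow starts, and always disconnects. The AD FS host name, vCenter name, client ID and resource value are placeholders taken from the procedure; the discovery path /adfs/.well-known/openid-configuration is the standard AD FS location.

```powershell
# Added example, not VMware's own code. Placeholders: AD FS FQDN, vCenter name,
# client ID 'powercli-native' and resource 'my-vcenter' come from the procedure above.
param(
    [Parameter(Mandatory)] [string] $AdfsFqdn,       # e.g. adfs.example.com (constructed)
    [Parameter(Mandatory)] [string] $VCenterServer,  # e.g. 'myVC'
    [string] $ClientId     = 'powercli-native',
    [string] $Resource     = 'my-vcenter',
    [int]    $RedirectPort = 8844
)
$ErrorActionPreference = 'Stop'

# 1. Discover the endpoints from AD FS metadata instead of hand-typing them,
#    and accept only https URLs so tokens are never sent over plain HTTP.
$meta = Invoke-RestMethod -Uri "https://$AdfsFqdn/adfs/.well-known/openid-configuration"
foreach ($url in @($meta.token_endpoint, $meta.authorization_endpoint)) {
    if (-not $url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing non-TLS endpoint from discovery document: $url"
    }
}

# 2. The redirect must be http://localhost on a free port (RedirectUrl requirement).
#    Probe the port with a loopback TcpListener; Start() throws if it is in use.
$probe = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, $RedirectPort)
try { $probe.Start(); $probe.Stop() }
catch { throw "Port $RedirectPort is already in use; pick another -RedirectPort" }
$redirectUrl = "http://localhost:$RedirectPort/auth"

$viServer = $null
try {
    # 3. Authorization Code grant: a browser opens for the user (MFA prompts happen there).
    $oauthSecContext = New-OAuthSecurityContext `
        -TokenEndpointUrl         $meta.token_endpoint `
        -AuthorizationEndpointUrl $meta.authorization_endpoint `
        -RedirectUrl              $redirectUrl `
        -ClientId                 $ClientId `
        -OtherArguments           @{ 'resource' = $Resource }

    # 4. Exchange the OAuth context for the SAML context that vCenter Server accepts.
    $samlSecContext = New-VISamlSecurityContext -VCenterServer $VCenterServer `
        -OAuthSecurityContext $oauthSecContext

    # 5. Connect with the SAML context; no password passes through this script.
    $viServer = Connect-VIServer -Server $VCenterServer -SamlSecurityContext $samlSecContext
    Write-Host "Connected to $($viServer.Name) as $($viServer.User)"
    # ... PowerCLI work goes here ...
}
finally {
    # Tear the session down even on failure so the token-backed session is not left open.
    if ($viServer) { Disconnect-VIServer -Server $viServer -Confirm:$false }
}
```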