<\/p>\n
LDAP:<\/strong> Lightweight Directory Access Protocol (LDAP), is a protocol used to query and authenticate users and computers in directory services that support it, for example AD. Active Directory (AD) is an example that uses the LDAP protocol, <\/p>\n ADFS: <\/strong>Active Directory Federation Services is also a protocol like LDAP, but this was developed by Microsoft.<\/p>\n Why use ADFS? Simple, in the past there was no great demand for SSO (Single Sign-ON) in cloud environments, SaaS service providers etc, but that has changed, currently there is a great demand for SSO in multi-company environments, for example, two companies with the same service provider authentication, there are also services like Azure, AWS, ,GSuites etc that can benefit from “federated” authentication. Basically, LDAP is more flexible than ADFS.<\/p>\n <\/p>\n Azure AD: <\/strong>Azure AD is an identity management solution, as AD is, but instead of a hierarchically organized structure like AD, in Azure AD it is not possible to include a machine in the domain, create OU’s or GPOs, or even perform queries via LDAP.<\/p>\n Azure AD is cloud based, so HTTP and HTTPS are basically the two ways that users and Azure AD communicate over the internet.<\/p>\n Authentication is performed through protocols such as OAuth and SAML, queries are possible through the use of REST APIs, both authentication and queries occur using HTTP and HTTPS communication.<\/p>\n As with ADFS, Azure AD works as a federated authentication mechanism for managing identities in Internet-based services such as: Microsoft Azure, Office 365, Dropbox for Business, Salesforce, Intranets published on Internet etc. But without using ADFS as a protocol.<\/p>\n <\/p>\n vSphere 7 with ADFS and alternatives<\/strong><\/p>\n vSphere 7 brings the new Identity Federation function, it allows vCenter to use a external identity source for the authentication and multi-factor authentication.<\/p>\n However, only ADFS is supported in Identity Federation, alternatively, we can use an application like Duo (https:\/\/duo.com) to serve as an authentication proxy, enabling other protocols and 2FA not only for vCenter 7.0 but for other versions of vCenter.<\/p>\n Lets to see the diagram of our test using Duo:<\/p>\n As I don’t have an Azure AD account for testing at the moment I am creating this post, in this post I will use an on-premises AD as the first authentication source, and the PUSH method in the Duo app as 2FA.<\/strong><\/p>\n Lets start this step-by-step<\/p>\n Creating a Duo account:<\/p>\n Access Duo Security web site (www.duo.com) and create a new account:<\/p>\n After login, click on Application<\/strong> and Protect an Application<\/strong><\/p>\n Filter by VMware and choose VMware View, <\/strong>after click in Protect (yes, although only having VMware view (Horizon) as an application, in my tests I got the same results with vCenter)<\/strong><\/p>\n After click on Protect, take a note of Integration Key, Secret Key and API hostname.<\/p>\n Now it’s time to create the VM that will be used as Duo Proxy, it can be created in a windows or linux VM, in my lab I used a VM with Ubuntu Desktop.<\/p>\n After creating the VM that will be used as Duo Proxy, download the package .tar <\/strong>and install, the full reference could be find here (Duo Authentication Proxy Reference | Duo Security<\/a>). The process is simple, basically it consists of installing the dependencies and running commands like make install.<\/p>\n After installing Duo Proxy, you will need to edit the proxy authentication configuration file, the file is authproxy.cfg<\/strong> and can be found in the following directory:<\/p>\n \/opt\/duoauthproxy\/conf<\/strong><\/p>\n The configuration file works in sessions format, in each session it is possible to configure the authentication type and how it will be used, let’s see an example:<\/p>\n Some parameters here are optional, as exempt_ou_1, <\/strong>that could be used to define a user or group that can login without 2FA.<\/p>\n All options and a complete definition can be found at (Duo Authentication Proxy Reference | Duo Security<\/a>)<\/p>\n IMPORTANT, whenever the configuration file is changed, restart the service with the following command: <\/strong><\/span><\/p>\n \/opt\/duoauthproxy\/bin\/authproxyctl restart<\/strong><\/span><\/p>\n After that, lets to configure Identity Federation on vCenter:<\/p>\n After access vCenter (at this point using local login administrator@vsphere.com), in the menu access Administration<\/strong>, under Single Sign On <\/strong>click on Configuration > Identity Sources<\/strong> and finally ADD:<\/strong><\/p>\n <\/p>\n Fill the information with the information of your environment, the username here has to be the same user configured as username service account.<\/p>\n At this point, it is already possible to authenticate in vCenter using proxy authentication, however, without 2FA, let’s now go to directory synchronization in Duo, use the mobile App, etc.<\/p>\n Access https:\/\/duo.com and login again. Click on Users <\/strong>and Directory Sync.<\/strong><\/p>\n <\/p>\n You can use some user synchronization sources, such as Azure AD and AD, in my case, as I don’t have Azure AD, I will use conventional AD.<\/p>\n At this point, the sync service will show as a failed process.<\/p>\n Again you should take note of the information like Integration Key, Secret Key and api-host, we will use those informations in the confi file configured before:<\/p>\n Return to the authproxy.cfg <\/strong>and create a new session called Cloud,<\/strong> use the same information collected before:<\/p>\n
\nIn this way, LDAP and AD complement each other, LDAP works as a translator for users who want to talk to AD and authenticate themselves, LDAP does the translation between user and AD server.<\/p>\n
\nbut there are several other services that can use the LDAP protocol like OpenLDAP, Apache Directory Server, and more.<\/p>\n![\"\"](\"http:\/\/vbrain.com.br\/wp-content\/uploads\/2022\/05\/img_626f19aaca0ed.png\")
<\/a><\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/a><\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n