# VMware vSphere Integration

## What is vSphere

From https://en.wikipedia.org/wiki/VCenter

!!! note ""
    vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts.

!!! warning
    This requires passbook 0.10.3 or newer.

## Preparation

The following placeholders will be used:

- `vcenter.company` is the FQDN of the vCenter server.
- `passbook.company` is the FQDN of the passbook install.

Since vCenter only allows OpenID Connect in combination with Active Directory, it is recommended to have passbook sync with the same Active Directory.

### Step 1

Under *Property Mappings*, create a *Scope Mapping*. Give it a name like "OIDC-Scope-VMware-vSphere". Set the scope name to `openid` and the expression to the following:

```python
# passbook evaluates this expression and adds the returned keys as claims;
# vCenter reads the "domain" claim to map the user to its Active Directory.
return {
    "domain": "<your active directory domain>",
}
```

### Step 2

!!! note
    If your Active Directory Schema is the same as your Email address schema, skip to Step 3.

Under *Sources*, click *Edit* and ensure that "Autogenerated Active Directory Mapping: userPrincipalName -> attributes.upn" has been added to your source.

### Step 3

Under *Providers*, create an OAuth2/OpenID Provider with these settings:

- Client Type: Confidential
- Response Type: code
- JWT Algorithm: RS256
- Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode`
- Post Logout Redirect URIs: `https://vcenter.company/ui/login`
- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...".
- Scopes: Select the Scope Mapping you've created in Step 1

![](./passbook_setup.png)

### Step 4

Create an application which uses this provider. Optionally apply access restrictions to the application.

## vCenter Setup

Log in as the local Administrator account (its name most likely ends with vsphere.local).

Using the Menu in the Navigation bar, navigate to *Administration -> Single Sign-On -> Configuration*. Click on *Change Identity Provider* in the top-right corner.

In the wizard, select "Microsoft ADFS" and click Next. Fill in the Client Identifier and Shared Secret from the Provider in passbook. For the OpenID Address, click on *View Setup URLs* in passbook, and copy the OpenID Configuration URL.

On the next page, fill in your Active Directory Connection Details. These should be similar to what you have set in passbook.

![](./vcenter_post_setup.png)

If your vCenter was already set up with LDAP beforehand, your Role assignments will continue to work.
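The passbook provider settings from Steps 1 to 3 can be sanity-checked before the vCenter wizard is run. The following is an added example, not passbook's or VMware's code; the dictionary keys, the `user_email`/`user_upn` sub-mode values and the `corp.example` domain are assumptions used to model the settings, not passbook's API.

```python
from urllib.parse import urlparse

# Placeholder FQDN from this guide; replace with your vCenter's FQDN.
VCENTER_FQDN = "vcenter.company"


def scope_mapping(ad_domain):
    """Claims the `openid` scope mapping from Step 1 adds to the token."""
    return {"domain": ad_domain}


def check_provider(provider, ad_domain):
    """Compare a provider description (assumed keys) against the settings
    vCenter expects; returns a list of problems, empty when all match."""
    problems = []
    if provider.get("client_type") != "confidential":
        problems.append("client type must be confidential")
    if provider.get("response_type") != "code":
        problems.append("response type must be code")
    if provider.get("jwt_algorithm") != "RS256":
        problems.append("JWT algorithm must be RS256")
    expected = "https://%s/ui/login/oauth2/authcode" % VCENTER_FQDN
    redirects = provider.get("redirect_uris", [])
    if expected not in redirects:
        problems.append("redirect URI %s is missing" % expected)
    # Every redirect target must be HTTPS and point at the vCenter host.
    for uri in redirects + provider.get("post_logout_redirect_uris", []):
        parsed = urlparse(uri)
        if parsed.scheme != "https" or parsed.hostname != VCENTER_FQDN:
            problems.append("%s is not an https URL on %s" % (uri, VCENTER_FQDN))
    if provider.get("sub_mode") not in ("user_email", "user_upn"):
        problems.append("sub mode must be based on the user's email or UPN")
    scopes = provider.get("scopes", {})
    if scopes.get("openid") != scope_mapping(ad_domain):
        problems.append("openid scope mapping must return the AD domain claim")
    return problems


# Constructed sample: the settings from Step 3 with the Step 1 scope mapping.
GOOD_PROVIDER = {
    "client_type": "confidential",
    "response_type": "code",
    "jwt_algorithm": "RS256",
    "redirect_uris": ["https://vcenter.company/ui/login/oauth2/authcode"],
    "post_logout_redirect_uris": ["https://vcenter.company/ui/login"],
    "sub_mode": "user_upn",
    "scopes": {"openid": scope_mapping("corp.example")},
}

# Constructed sample: a public client using HS256 and a plain-http redirect.
BAD_PROVIDER = dict(GOOD_PROVIDER, client_type="public", jwt_algorithm="HS256",
                    redirect_uris=["http://vcenter.company/ui/login/oauth2/authcode"])
```

`check_provider(GOOD_PROVIDER, "corp.example")` returns an empty list, while the bad sample reports the public client type, the HS256 algorithm, the missing HTTPS redirect URI and the plain-http URL.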