How to Setup Authentication for NSX-T with VMware Workspace One Access
I recently rebuilt my lab environment. This will go over the process I used to connect NSX-T 4.0.1.1 to VMware Workspace One Access (WOA, formerly VMware Identity Manager/vIDM)
Prereqs
You will need to have NSX-T 4.0.1.1 and VMware Workspace One (VMware Identity Manager) already deployed. I would also recommend you already have the proper SSL Web Certificates on these systems so you don't have to do any connections a 2nd time. (Did you see my other post about installing Certs on NSX-T?)
VMware Workspace One Access should also already be setup with Active Directory Access.
You will need an SSL Client like Putty to SSH into the NSX Manager to run a command to grab the WOA/vIDM SHA256 Thumbprint
Step 1
Login to the web interface of Workspace One Access with the admin account https://<WOAFQDN>/SAAS/auth/login/userstore
Step 2
Click on Catalog > Settings > Remote Access
Step 3
Click on the Create Client green button
Step 4
Set Access Type to - Service Client Token
Client ID - NSX-T_O-AuthClient (or something that makes it easy to understand) (copy this for later use, save it securely) Expand Advanced Click Generate Shared Secret (copy this for later use, save it securely)
(Optional) Change the Access Token TTL to 9 Hours and Ilde Token TTL to 7 days
Step 5
SSH into the NSX Manager using the root account/password
Step 6
Run the below command to get the SHA256 Thumbprint from your instance of WOA/vIDM
HOST=hamvidm01.hamker.local
PORT=443
openssl s_client -servername $HOST -connect $HOST:$PORT </dev/null 2>/dev/null | openssl x509 -noout -sha256 -fingerprint
Step 7
Login to NSX-T with the admin account
Step 8
Click on System > User Management > Authentication Providers > VMware Identity Manager > Edit
Step 9
(Optional if vIDM is in front of an External Load Balancer) Enable External Load Balancer Integration
Enable VMware Identity Manager Integration
Input the WOA/vIDM FQDN
Input the OAuth Client ID
Input the OAuth Client Secret
Input the SSL Thumbprint from Step 6
Input the NSX Appliance FQDN
Click on Save
Step 10
Validate that the WOA/vIDM Connection is Up and the Integration is Enabled
Step 11
Click on user Role Assignment > Add Role For Providers > VIDM
Step 12
Type in the name of a vIDM User (3 letters required), select the name, and then select the role. Click Save
Step 13
Logging in with Local vs vIDM Creds
For Local Use the link like: https://<NSX-FQDN>/login.jsp?idp=local
For vIDM, Use the link like: https://<NSX-FQDN>/login.jsp#/
Comments