WS1 Access Integration with NSX-T

In this How to blog, I will demonstrate about how to integrate NSX-T with VMware Workspace One Access (WS1 Access), formally known as VMware Identity Manager (vIDM). With this integration, you can leverage on your AD accounts to login to NSX-T which will help in avoiding/managing the use of local accounts as well as in auditing also. Before we dive into this integration, there are certain pre-requisite which we should be completed. This integration is explained below in four parts:

  • Create oAuth Client for NSX-T Integration
  • Fetching VMware WS1 Access Fingerprint
  • Enable VMware Ws1 Access integration with NSX-T
  • Assign Role and Test Permission

Create oAuth client for NSX-T Integration

  • Login to VIDM and navigate to Catalog > Settings.
  • Select Remote App Access in left panel and click on Create Client.
  • Enter the required information Access type, Client ID as shown in snapshot. Click on Generate Shared Secret and copy the secret to be used later.
  • Click on Add
  • Once added, verify the OAuth client details. With this we are done with creating OAuth client to be used in NSX-T.

VMware WS1 Access Fingerprints

  • In order to get the fingerprint go VIDM, we need to login using SSH to VIDM manager and follow below steps.
  • Using any SSH client (putty), login to VIDM and switch user to root.
  • Change directory to /usr/local/horizon/conf
  • Enter openssl command to get the fingerprint of the VDIM Manager.
openssl x509 -in <FQDN_VIDM> -noout -sha256 -fingerprint
  • Copy this Fingerprint to be used later in NSX-T configuration.

Enable VIDM integration with NSX-T

Now, we have all the data which is required from VIDM, lets start with the configuration in NSX-T

  • Login to NSX-T with admin user and navigate to System>Users>Configuration
  • Click on EDIT. A popup wizard will open.
  • Toggle the External Load Balancer Integration and VMware Identity Manager Integration.
  • Enter FQDN for VIDM appliance in VMware Identity Manager Appliance.
  • Paste the OAuth Client ID & secret which you copied in first section of the article against OAuth Client ID & OAuth Client Secret.
  • Paste the SSL Thumbprint which you copied in second section of this article.
  • Enter NSX appliance IP/FQDN and click on SAVE.
  • Now, you can refresh browser and verify that VIDM integration is Up & Enabled

Assign Role & Test Permission

Now, we need to assign role and verify if this functions correctly or not.

  • Login to NSX-T manager with admin console.
    Note: If you are logged out of NSX-T manager console, you need to use this URL to login with local admin user. https://<nsx-manager-ip-address>/login.jsp?local=true
  • Navigate to System>Users>Role Assignments
  • Click on ADD then Role Assignment
  • Enter the name of User and select the same once it appears in list.
  • Select the desired role from Roles drop down list.
  • Once done, click on Save
  • Verify the user is added to list with desired Role.
  • Launch a new browser and enter the NSX-T manager URL. Click on Next post domain selection.
  • Enter the credential for the user and click Sign In
  • You can see user is successfully logged into NSX-T portal. You can navigate to different options and see that this user doesn’t have permission to Add Segment or to Add Edge VM

With this, we are done with NSX-T integration with VIDM.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post