Certified: September 11, 2024
Solution Summary
This guide describes VMware vSphere/vCenter integration with RSA ID Plus using Authentication Agent. Use this information to determine which use case and integration type your deployment will employ.
Use Case
VMware vSphere/vCenter can be integrated with RSA using Authentication Agent. When integrated, users must authenticate with RSA to sign in to VMware vSphere/vCenter.
Integration Types
Authentication Agent integrations use an embedded RSA agent to provide SecurID and Authenticate OTP authentication methods within the partner’s application. Authentication agents are simple to configure and support the highest rate of authentications.
Supported Features
This section shows all the supported features by integration type and by RSA components. Use this information to determine which integration type and RSA component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA with VMware vSphere/vCenter using each integration type.
VMware vSphere/vCenter Integration with RSA Cloud Authentication Service
| Authentication Methods | RSA MFA API (REST) | RADIUS | Relying Party | SSO |
| Approve | - | - | - | - |
| LDAP Password | - | - | - | - |
| SecurID OTP | - | - | - | - |
| Authenticate OTP | - | - | - | - |
| Device Biometrics | - | - | - | - |
| SMS OTP | - | - | - | - |
| Voice OTP | - | - | - | - |
| FIDO Security Key | - | - | - | - |
| QR Code | - | - | - | - |
| Emergency Access Code | - | - | - | - |
VMware vSphere/vCenter Integration with RSA Authentication Manager
| Authentication Methods | RSA MFA API (REST) | RADIUS | Authentication Agent |
|---|---|---|---|
| RSA SecurID | - | - | |
| On Demand Authentication | - | - | |
| Risk-Based Authentication | - | - | - |
| Supported | |
| - | Not supported |
| n/t | Not yet tested or documented, but may be possible |
| n/a | Not applicable |
Configuration Summary
This section contains instruction steps that show how to integrate VMware vSphere/vCenter with RSA using all of the integration types.
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.
All RSA and VMware vSphere/vCenter components must be installed and working prior to the integration.
This section of the guide includes links to the appropriate sections for configuring both sides for each use case.
Integration Configuration
RSA Authentication Manager
RSA Terminology Changes
The following table describes the differences in the terminologies used in the different versions of RSA products and components.
| Previous Version | New Version | Examples/Comments |
| Company ID | Organization ID | |
| Account | Credential | |
| Token | OTP Credential | SecurID OTP Credential |
| Tokencode | OTP/Access Code | SecurID OTP, SMS OTP, Voice OTP Emergency Access Code, Disable Access Code |
| Hardware Token | Hardware Authenticator | |
| Device Serial Number | Binding ID | |
| Device | Credential/Authenticator | |
| Device Registration Code | Registration Code | |
| Authenticate App | Authenticator App |
Certification Details
RSA Authentication Manager 8.7 SP2 or later
VMware vSphere/vCenter 8.0.2
Known Issues
Challenge-Response
Currently, VMware vSphere does not support any challenge-response features. As a result, RSA is unable to certify vSphere as RSA ready.
This limitation impacts the user under the following conditions: RSA Authentication Manager administrator forces the change of a user or system-generated PIN or if the RSA Authentication Manager requires the user to enter the next OTP.
RSA challenge-response is essential to the functionality and usability of the integration. Without supporting challenge-response, users are unaware that RSA is requesting the authorization of a new system-generated PIN, to create a new user PIN or use the next OTP. As a result, users need to contact their customer support group to determine the cause of the vSphere login Invalid Credentials message.
