About External Authentication
CloudControl external authentication requires users to provide two forms of identification to log in. CloudControl supports the following external authentication types:
- RADIUS
- Any identity provider that supports the OpenID Connect authorization protocol, such as Azure AD.
- Any identity provider that supports the SAML 2.0 authorization protocol, such as PingFederate.
Important: You must have Active Directory configured in CloudControl in order to use External Authentication.
You can also configure a whitelist that allows users to bypass external authentication and log in directly.
Important: The following changes were made to external authentication in CloudControl 6.4. These examples use PingFederate, but they also apply to any SAML 2.0-based identity provider.
- When you log out of vCenter or NSX-T when using PingFederate with External Authentication, you are now redirected to an Entrust login page instead of the PingFederate login page. This happens whether you are using an identity provider-initiated login or a service provider-initiated login.
- When you are using a service provider-initiated login, you first log in on the Entrust custom login page and are then redirected to the PingFederate login page. When you log in to additional endpoints, you are redirected only to the PingFederate login page. When you log out of any endpoint, any subsequent logins will display the Entrust custom login page.