VMware Cloud Community
Whood
Contributor

VMware vCloud Director 9.0 and 3rd-party SAML IDP

Hello !

Did anyone integrate VMware vCloud Director 9.0 with 3rd-party SAML identity provider (IDP) to provide authentication (SSO)?


What was done:

1) IDP server was Installed

2) Configured trust relationship between IDP and vCD through metadata

3) Users were imported from SAML to vCD in the format: username@my.domain

4) When I connect to vCD I am redirected to the IDP server, successfully pass authentication, and am redirected back to vCD, and

get the error "SAML authentication failed for this organization", like the one described by the VMware Knowledge Base:

https://imgur.com/0wPEBEU

Interested in a solution customized for each organization's vCD, not globally.

My question:

1) How and where can I view authorization logs from vCD?

2) From the logs on the IDP server it is not possible to understand the reason for the failure. How do I troubleshoot on the vCD side?

5 Replies
jonathankristia
Contributor

Hi there,

I'm looking to do a similar thing. We run vCloud 9.1 and got to pretty much the same place as you. I'm looking for more information on the specific tokens required to be passed to vCloud SAML - is it NameID, email, groups?

Kind Regards,

Jonathan

donalhunt0xan
Contributor

Did anyone make progress on this? We are evaluating vCloud as a solution and require either MFA or SAML to be available.

donalhunt0xan
Contributor

I discovered how to make this work and it's not obvious (and not documented in VMware's documentation from what I can tell).

Setting up SAML requires the following:

  • Configuring the service provider (SP) - i.e. vCloud Director
  • Configuring the identity provider (IDP) - i.e. Okta, gSuite, etc
  • Importing the users

That last step doesn't seem to be well documented. When you go to the Access Control >> Users section, there's an import option which allows you to specify what users should have local permissions set.

So if you've configured the first two steps and your SAML-credentials are resulting in the "SAML authentication failed for this organization" message, you may just need to configure privileges for the relevant users.

h/t to the author at RSA who provided the missing hint here: VMware vCloud Director integration with RSA Sec... | RSA Link

ItrisTF
Contributor

Yes, I did, through Azure AD:

in Azure AD you create a custom enterprise application based on SAML

- you configure which users are allowed to use this method in here (as well on vCloud Director in Administration > Users)

This has to be in email format.

- you configure SAML: Exchange the vCD Federation Metadata with Azure AD and Exchange the metadata of Azure AD (through the URL, not the downloadable XML) with vCD

- you also configure it to use SHA1 up until vCD 9.5.0.3; as of vCD 9.5.0.4 you can use the standard SHA256

- vCloud Director supports only tokens with an age of 2 hours. If you use Azure AD as the federation IDP you need to reduce the lifetime of the token (being 90 days) to 2 hrs. This can be done through the Azure AD Policy cmdlet.

The SAML attribute in Azure AD user.userprincipalname / user.mail mapped to the user unique identifier is also known as the NameID. This is the value vCD is looking for, and it has to be filled in with either:

- user.mail or

- user.userprincipalname (if you don't have exchange)

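As an added example (my own code, not from any poster in this thread and not VMware's), the following Python checker applies the three constraints listed in the reply above to a decoded SAMLResponse, which is a quick way to troubleshoot on the SP side when the IDP logs show nothing: NameID in e-mail format, assertion validity of at most 2 hours, and RSA-SHA1 versus RSA-SHA256 depending on the vCD version. The version threshold compare, the e-mail regex and the sample response are assumptions; the signature element is only read for its algorithm, not verified.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SHA1_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_LIFETIME = timedelta(hours=2)  # per the thread, vCD accepts tokens valid for at most 2 hours

def check_assertion(xml_text, vcd_version="9.5.0.4"):
    """Return a list of findings against the thread's constraints; empty list means nothing obvious is wrong."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    findings = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    # vCD matches the NameID against users imported as username@my.domain, so it must be an e-mail address
    if name_id is None or not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
        findings.append("NameID missing or not in e-mail format")
    cond = assertion.find("saml:Conditions", NS)
    lifetime = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT) - datetime.strptime(cond.get("NotBefore"), TIME_FMT)
    if lifetime > MAX_LIFETIME:
        findings.append(f"assertion valid for {lifetime}, vCD accepts at most {MAX_LIFETIME}")
    sig = root.find(".//ds:SignatureMethod", NS)
    alg = sig.get("Algorithm") if sig is not None else ""
    # thread: SHA-1 up to 9.5.0.3, SHA-256 from 9.5.0.4 (simple numeric version compare, an assumption)
    old_vcd = tuple(int(p) for p in vcd_version.split(".")) < (9, 5, 0, 4)
    if old_vcd and alg != SHA1_ALG:
        findings.append(f"vCD {vcd_version} expects RSA-SHA1 signatures, got {alg or 'none'}")
    elif not old_vcd and alg == SHA1_ALG:
        findings.append("signature uses RSA-SHA1; switch the IDP to RSA-SHA256")
    return findings

def sample_response(name_id, hours_valid, alg):
    """Constructed sample SAMLResponse; the Signature element is only a carrier for the algorithm."""
    nb = datetime(2019, 1, 1, 10, 0, 0)
    na = nb + timedelta(hours=hours_valid)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb.strftime(TIME_FMT)}" NotOnOrAfter="{na.strftime(TIME_FMT)}"/>
  </saml:Assertion>
</samlp:Response>"""
```

To check a real login, base64-decode the SAMLResponse form field captured from the browser and pass the XML to `check_assertion` with your vCD version.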
scott28tt
VMware Employee

Moderator: Moved to vCloud Director


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog