VMware Cloud Community
ManivelR
Hot Shot

Two factor authentication for vCloud director provider URL

Hi Team,

I have a doubt on "Two factor authentication for vCloud director provider URL"

Right now, my provider URL is also accessible from the public internet, "https://mycloud.com/cloud" (via system administrator), and I would like to secure the URL using some third-party security like "DUO security".

Do we have any Duo guide to set this up with vCloud Director? Or are there any other ways available to secure it from vCloud Director (Federation)?

Please suggest the best possible options to secure this.

Thanks,

Manivel RR

5 Replies
sk84
Expert

I don't know Duo Security. We use the MFA solution from Okta: https://www.okta.com/products/adaptive-multi-factor-authentication/

In the background our own ADFS is used as Identity Source and, in addition, we have an app on our mobile phones to approve the login requests. It's easy to use and we can control the logins for each orgVDC or only the system logins or both.

However, any third-party identity provider that supports SAML can be used to build a multi-factor authentication solution:

Configure Your System to Use a SAML Identity Provider

---
Regards,
Sebastian
VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
ManivelR
Hot Shot

Thank you for your update Sebastian.

I will check this and update you ASAP.

Regards,

Manivel R

ManivelR
Hot Shot

Hi Sebastian,

I have an issue with SAML authentication. The issue is described in detail below.

vCloud Director 9.7.0 SAML authentication issue

In vcloud-container-debug.log, we are seeing the message below. Any ideas?

2019-08-15 13:19:25,360 | DEBUG    | pool-jetty-59             | SAMLProtocolMessageXMLSignatureSecurityPolicyRule | Validation of protocol message signature failed for context issuer 'https://globalduolab.usinternal.com/dag/saml2/idp/metadata.php', message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response | requestId=d7ef548d-ac03-401f-a1dd-c79fd426f145,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1565889565128,remoteAddress=10... (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/2010...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp */*;q 0.8

org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed

2019-08-15 13:19:25,361 | DEBUG    | pool-jetty-59             | CustomSamlProcessingFilter     | Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid | requestId=d7ef548d-ac03-401f-a1dd-c79fd426f145,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1565889565128,remoteAddress=10... (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/2010...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp */*;q 0.8

Thanks,

Manivel R

ManivelR
Hot Shot

Hi All,

The issue has been fixed.

Summary:- Identity provider:- AD only. ADFS is not required. We just need to create users with an email ID.

Service provider:- vCloud Director. DAG:- This is the Linux Duo Access Gateway, which enables two-factor authentication. Here the authentication source has been set as AD. By default, it will provide an XML file; we just need to download this XML file and import it in the vCloud Director SAML federation. Also you need to import the JSON file here (this will be taken from the Duo admin console).

Duo admin console:- we need to create a new service provider in which the service provider name, ACS, SSO login and logout should be defined. Here the SAML attribute is mentioned as email. After providing this information, you need to save the service provider configuration; you can also get the JSON file.

In AD user properties, we need to set the email ID, and also in the vCloud Director user section, we need to import the user (SAML) as “rr@example.com”. Earlier I had given only the user name in the SAML user section (VCD). Now the email ID “rr@example.com” has been given and the issue has been fixed.

Thank you,

Manivel RR

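The resolution above comes down to making three things line up: the IdP metadata XML imported into the vCloud Director SAML federation, the certificate the IdP actually signs with, and the NameID (here the email address) that the SP has imported for the user. The script below is an added troubleshooting aid, not code from this thread, from VMware or from Duo. It checks those consistency points between an IdP metadata document and a SAML Response, which are common causes of the "Validation of protocol message signature failed" and "Incoming SAML message is invalid" messages quoted earlier. It does not perform the XML-DSig verification itself (that requires a library such as xmlsec or python3-saml); the hostnames, certificates and XML documents in it are constructed stand-ins, and the `make_response` helper exists only to build sample input.

```python
"""Consistency check between imported IdP metadata and a SAML Response.

Added example (not from the forum thread, VMware or Duo). It does NOT verify
the XML signature; it checks issuer, signing certificate and NameID against
what the service provider has on file. All data below is constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-ins for DER-encoded certificates (NOT real X.509 data).
CERT_A = base64.b64encode(b"constructed DER certificate A").decode()
CERT_B = base64.b64encode(b"constructed DER certificate B").decode()

# Assumed IdP entityID (placeholder host, not the thread's real systems).
IDP_ENTITY_ID = "https://idp.example.test/dag/saml2/idp/metadata.php"

# Constructed IdP metadata, shaped like the XML an IdP such as DAG exports.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{CERT_A}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes; whitespace inside the base64 text is ignored."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(metadata_xml: str):
    """Return (entityID, set of signing-certificate fingerprints)."""
    root = ET.fromstring(metadata_xml)
    fingerprints = set()
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                fingerprints.add(cert_fingerprint(cert.text or ""))
    return root.get("entityID"), fingerprints


def make_response(issuer: str, cert_b64: str, name_id: str) -> str:
    """Build a minimal constructed SAML Response (dummy SignatureValue)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature>
    <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_response(metadata_xml: str, response_xml: str, expected_name_id: str):
    """Return a list of problems; empty means the response is consistent with
    the imported metadata and the SP's user record."""
    entity_id, signing_fps = parse_idp_metadata(metadata_xml)
    resp = ET.fromstring(response_xml)
    problems = []

    # 1. The Response issuer must be the entityID of the imported metadata.
    issuer = (resp.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != entity_id:
        problems.append(f"issuer mismatch: response={issuer!r}, metadata={entity_id!r}")

    # 2. The certificate carried in the signature must be a known signing cert.
    sig_fps = [cert_fingerprint(c.text or "")
               for c in resp.findall(".//ds:Signature//ds:X509Certificate", NS)]
    if not sig_fps:
        problems.append("no X509Certificate in the response signature")
    elif not any(fp in signing_fps for fp in sig_fps):
        problems.append("signing certificate is not in the imported IdP metadata "
                        "(IdP key rotated or stale metadata?)")

    # 3. The NameID must equal the identifier imported for the SAML user.
    name_id = (resp.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if name_id != expected_name_id:
        problems.append(f"NameID {name_id!r} does not match the SP user {expected_name_id!r}")
    return problems


if __name__ == "__main__":
    good = make_response(IDP_ENTITY_ID, CERT_A, "rr@example.com")
    bad = make_response("https://other.example.test/idp", CERT_B, "rr")
    print("good:", check_response(IDP_METADATA, good, "rr@example.com") or "OK")
    for p in check_response(IDP_METADATA, bad, "rr@example.com"):
        print("bad :", p)
```

In practice you would feed `check_response` the metadata XML downloaded from the IdP and a decoded SAML Response captured with a browser SAML tracer, with `expected_name_id` set to the value imported in the vCloud Director user section; a reported NameID mismatch corresponds to the "user name versus email ID" problem described in the post above, and a certificate mismatch points at stale or re-exported metadata.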
Tomt99
Contributor

Hello,

You can configure 2FA via SAML integration with some Identity Provider. The link below provides instructions on how to configure it with Google Authenticator and Keycloak:

https://digaround.cloud/vcloud_2fa_google_authenticator/
