We use SAML for vCloud authentication and are wanting to start doing UAT testing against the HTML5 UI.
Currently using vcd 9.1
But I'm struggling to figure out what the endpoint configuration is for the IDP (we are using F5 as the IDP).
In the Flex UI the SAML endpoint is shown as this:
https://servername/cloud/org/testorg/saml/SSO/alias/vcd
The IDP posts to this address and the client is then redirected to the Flex UI.
But I can't find how this should be configured to achieve the same thing in the HTML5 ui.
I haven't tested this, but I wonder if it would follow the same URL pathing for the H5 UI - could you try this?
https://servername/tenant/orgname/saml/SSO/alias/vcd
Yeah, I thought the same thing and it 'kinda' works, so I thought there was something I was missing.
What I get when using it is that it authenticates, then you get a blank page at the correct URL. A SAML tracer shows that the authentication side of things looks fine.
The browser (Firefox) debugger shows the following error.
ERROR Error: "[object Object]"
resolvePromise https://servername/tenant/orgname/vendor.bundle.js:1047:1078
resolvePromise https://servername/tenant/orgname/vendor.bundle.js:1047:717
scheduleResolveOrReject https://servername/tenant/orgname/vendor.bundle.js:1047:1650
invokeTask https://servername/tenant/orgname/vendor.bundle.js:1040:8365
onInvokeTask https://servername/tenant/orgname/vendor.bundle.js:457:940
invokeTask https://servername/tenant/orgname/vendor.bundle.js:1040:8278
runTask https://servername/tenant/orgname/vendor.bundle.js:1040:3408
drainMicroTaskQueue https://servername/tenant/orgname/vendor.bundle.js:1040:385
invokeTask https://servername/tenant/orgname/vendor.bundle.js:1040:9611
invoke https://servername/tenant/orgname/vendor.bundle.js:1040:9443
timer https://servername/tenant/orgname/vendor.bundle.js:1012:8267
If I manually press F5 the page will refresh and I'll be logged in at the correct starting page as you would expect.
I'm not sure if this is something specific to 9.1, as we haven't done the 9.5 upgrade in any of our test environments yet and the beta hosted environment that VMware supplies isn't configured for SAML.
jonathanw I forgot to ask you if you'd come across this in your federation testing with 9.1 or 9.5.
vCD 9.5 is out now, so if you have a test environment to utilize, I would try this out. I'm going to also ask internally to see if we have any insight into this.
In summary, here's where we are at (got this from Engineering) - the SAML assertion consumer endpoint is hosted by the web module that contains the Flex UI, not the H5 UI. While we are working on deprecating the Flex UI, there is a backlog on migrating these functions to another module. However, as expected, no ETA.
Long answer from Engineering:
The SAML assertion consumer endpoint is hosted by the web module that contains the Flex UI. You can look at the organization's SAML metadata to confirm this.
If you attempt to access a SAML-enabled organization in the H5 UI without a VCD session, it will redirect the browser to the IDP with a SAMLRequest containing a RelayState parameter with the URL of the original request. The IDP will present a login page. After login, the IDP posts a SAMLResponse containing SAML assertions, as well as the RelayState parameter, to the assertion consumer endpoint for the organization: e.g., POST https://<VCD>/cloud/org/testsaml/saml/SSO/alias/vcd. Inside the assertion consumer service, a VCD session is created. Finally, the browser is redirected back to the original request URL encoded in the RelayState parameter.
-Daniel
Thanks Daniel,
So if I'm paraphrasing this correctly, engineering is saying that the HTML5 UI is not quite ready for cutover yet if the customer is using SAML authentication. We should stay with the Flex UI.
I imagine this particular change is not the sort of thing that would be included in release notes given its obscurity. So I would want to go through our TAM for any notification of this change.
That's a fair statement. Definitely stay in touch with your TAM so they can align with our BU on next steps. Thanks!
For future travelers, Tom did a blog on using the RelayState parameter to keep the Flex SAML assertion consumer endpoint while still being able to redirect client browsers to the HTML5 UI, which helped us get this working in the interim.
https://fojta.wordpress.com/2018/10/30/vcloud-director-9-5-and-vmware-identity-manager-integration/
Yep, Fojta rocks!
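Added example, not code from the thread or from VMware: a minimal model of the SP-initiated flow that Engineering describes above (SAMLRequest plus RelayState out to the IDP, SAMLResponse plus RelayState posted back to the Flex-hosted ACS, then a redirect to the RelayState URL), and of the RelayState trick from the linked blog post, where the RelayState carries the H5 tenant URL so the browser ends up in the HTML5 UI even though the ACS lives under /cloud/org/. The two checks a practitioner wants at the ACS are shown: the Response Destination must match the ACS URL, and RelayState must only ever redirect to the SP's own host, because it comes back in an IDP POST that an attacker can originate. The hostnames, org name, IDP URL and the sample XML are constructed; only the /cloud/org/<org>/saml/SSO/alias/vcd and /tenant/<org> path shapes come from the thread. Signature and assertion validation are out of scope and would be done by a real SAML library.

```python
"""Constructed example of the SP-initiated SAML flow and RelayState checks."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

SP_HOST = "vcd.example.com"                                           # assumption
ACS_URL = f"https://{SP_HOST}/cloud/org/testsaml/saml/SSO/alias/vcd"  # ACS path shape from the thread
IDP_SSO_URL = "https://idp.example.com/saml/sso"                      # assumption
H5_ORG_URL = f"https://{SP_HOST}/tenant/testsaml"                     # H5 tenant URL shape from the thread
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def build_authn_redirect(authn_request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query params.
    relay_state is the URL the browser should land on after login (here: the H5 UI)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
              "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_authn_redirect(url: str):
    """Inverse of build_authn_redirect: what the IDP (or a SAML tracer) sees."""
    qs = parse_qs(urlparse(url).query)
    xml_text = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")
    return xml_text, qs.get("RelayState", [None])[0]


def safe_relay_target(relay_state, sp_host=SP_HOST):
    """RelayState is attacker-influenced (it arrives in the IDP's POST to the ACS).
    Accept only a site-relative path or an https URL on the SP host; otherwise None."""
    if not relay_state:
        return None
    if relay_state.startswith("/"):
        # reject protocol-relative ("//evil.example") and backslash ("/\\evil") forms
        return None if relay_state[1:2] in ("/", "\\") else relay_state
    p = urlparse(relay_state)
    if p.scheme == "https" and p.netloc.lower() == sp_host.lower():
        return relay_state
    return None


def response_destination(saml_response_b64: str) -> str:
    """Destination attribute of the POSTed <samlp:Response>.
    In production parse untrusted XML with defusedxml and verify the signature first."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    return root.get("Destination", "")


def acs_redirect_after_login(form: dict) -> str:
    """Decide where the ACS sends the browser once the assertion has been validated
    (validation itself is not modelled): refuse a wrong Destination, then use a
    safe RelayState, falling back to the org's H5 landing page."""
    if response_destination(form["SAMLResponse"]) != ACS_URL:
        raise ValueError("SAMLResponse Destination does not match the ACS URL")
    target = safe_relay_target(form.get("RelayState"))
    return target or H5_ORG_URL


# --- constructed sample messages -------------------------------------------
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
    f'IssueInstant="2018-11-01T00:00:00Z" AssertionConsumerServiceURL="{ACS_URL}"/>'
)


def sample_response(destination: str) -> str:
    """Base64 of a bare, unsigned samlp:Response with the given Destination (sample only)."""
    xml_text = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" '
                f'IssueInstant="2018-11-01T00:00:05Z" Destination="{destination}"/>')
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Step 1: unauthenticated H5 request -> redirect to the IDP with the H5 URL as RelayState
    redirect = build_authn_redirect(SAMPLE_AUTHN_REQUEST, H5_ORG_URL)
    print(redirect)
    # Step 2: IDP POSTs SAMLResponse + RelayState to the Flex-hosted ACS; ACS picks the redirect
    print(acs_redirect_after_login({"SAMLResponse": sample_response(ACS_URL),
                                    "RelayState": H5_ORG_URL}))
```

The same `safe_relay_target` logic applies when an IDP-initiated login sets RelayState by hand, as the blog post does: the value should be the tenant's own /tenant/<org> URL and nothing off-host. Note that the SAML bindings spec caps RelayState at 80 bytes; full URLs as RelayState rely on both sides tolerating longer values, which is worth checking against the IDP in a SAML tracer.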