VMware Cloud Community
Max_Kolodezniy
Contributor

Unable to login to VCloud Director using SAML via PHP SDK.

Hello!

I'm trying to log in with a SAML assertion to the VCloud Director instance (version 5.5.0.1323688) and I'm getting a 401 HTTP error with the following error in vcloud-container-debug.log (~20% of the trace is shown, inverted for easier reading): see VCLOUD_SSO_ERROR.png

Prerequisites:

1. I set up SAML Identity Provider locally

2. Added my local IP to /etc/hosts in VCD instance (I can wget any page of Identity Provider from VCD instance, so, Identity Provider host was resolved successfully)

3. Checked time settings on my test app, VCD and Identity Provider

4. Added Identity Provider Metadata.xml (see attachment Metadata.xml) to https://VCD.host/cloud/#/userSettingsFederationPage?org=LONG_ORG_UUID_HERE (see VCLOUD_METADATA.png)

5. Imported users and groups to cloud (see VCLOUD_USERS.png and VCLOUD.GROUPS.png)

6. Set up the identity provider to expose the UserName, EmailAddress, FullName and Groups attributes in Assertion.xml (see the saml:Assertion -> saml:AttributeStatement section), as listed in the VMware docs

7. After this I'm trying to log in on my Identity Provider

8. I'm getting SAML Assertion from previous step (see Assertion.xml attachment)

9. Using this assertion I'm trying to authenticate on VCD using the PHP code listed below:

$assertion = file_get_contents('Assertion.xml');   // contents of the SAML assertion obtained in step 8

$service = VMware_VCloud_SDK_Service::getService();
$service->SSOLogin(
    'https://vcloud.director.fqdn',                                // VCD IP or fully-qualified domain name
    $assertion,                                                    // Assertion.xml
    'Organization name here',                                      // Organization name
    array('connect_timeout' => 60, 'ssl_verify_peer' => false)     // SSL options for PHP connection
);

I tried to compare my Assertion.xml with AssertionWiki.xml, an assertion taken from the wiki and the OASIS docs ( http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf ) - I didn't find any misconfiguration.

Appreciate any insights, ideas, doc links, code examples etc!

Many thanks!

Message was edited by: Max_Kolodezniy Added links to images and added XML attachments

Sorry for the external images - I don't know how to add an inline image in the message text.

rkamal
VMware Employee

Hi,

Were you able to login to the vCD UI using the SSO user?

What IDP are you using?

Is this SSO in System Admin/Tenant Admin/User context?

Regards,

Rajesh Kamal.

Max_Kolodezniy
Contributor

Hello!

1. How can I log in to VCD using SAML users?

2. I'm using simplesamlphp in IDP mode. Hence, I can control the login workflow and debug any execution step

3. SAML users are in the orgadmins group and have "Organization administrators" permissions. They aren't System Administrators (I know that I have to use vSphere SSO for System Administrators)

Max_Kolodezniy
Contributor

Hello!

Latest update: I can successfully log in to VCD using the SAML IDP. Also, I can log in to my application via the SAML IDP. But when I'm trying to log in to VCD using the REST API with the assertion obtained from the IDP, I'm getting the following error: BearerError.png

What SubjectConfirmation method is allowed?

Many thanks for any help!

admin
Immortal

It looks like the 'Recipient' attribute of the SubjectConfirmationData element is incorrect. Per http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf, section 4.1.4.2:

The bearer <SubjectConfirmation> element described above MUST contain a <SubjectConfirmationData> element that contains a Recipient attribute containing the service provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered. It MAY contain an Address attribute limiting the client address from which the assertion can be delivered. It MUST NOT contain a NotBefore attribute. If the containing message is in response to an <AuthnRequest>, then the InResponseTo attribute MUST match the request's ID.

Look at your vCD Org metadata; you'll find an AssertionConsumerService element, and the 'Recipient' attribute should be the URL of that element.

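To make the profile rules quoted in the answer above concrete, here is an added example (not code from the thread, the vCD product, or the PHP SDK) that checks a bearer SubjectConfirmation the way a service provider such as a vCD org must: it reads the AssertionConsumerService Location from SP metadata and then verifies Recipient, NotOnOrAfter, the absence of NotBefore, and InResponseTo on the assertion. The metadata, the two assertions, the URLs and the timestamps are constructed for the example; the second assertion carries the kind of mistake the original poster's BearerError suggests (a Recipient that does not name the SP's ACS URL).

```python
"""Validate the bearer SubjectConfirmation of a SAML 2.0 assertion as a service provider
must, per saml-profiles-2.0-os section 4.1.4.2 (Web Browser SSO profile).

Example code; every URL, ID and timestamp below is constructed, not taken from a real deployment."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed SP (org) metadata: the AssertionConsumerService Location is what Recipient must equal.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vcd.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vcd.example.test/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion that follows the profile: Recipient is the ACS URL, NotOnOrAfter bounds
# delivery, no NotBefore, and InResponseTo names the SP's AuthnRequest.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml2/idp/metadata.php</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://vcd.example.test/saml/SSO"
          NotOnOrAfter="2024-01-01T12:05:00Z" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Constructed assertion with the mistakes an SP must reject: Recipient points at the IdP instead
# of the SP's ACS URL, a forbidden NotBefore is present, and InResponseTo is missing.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a2" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml2/idp/metadata.php</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://idp.example.test/saml2/idp/SSOService.php"
          NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)         # inside the delivery window
EXPIRED_AT = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)  # equal to NotOnOrAfter: no longer valid


def acs_urls(metadata_xml):
    """Return the set of AssertionConsumerService Location values in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)}


def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_bearer_confirmation(assertion_xml, acs, now, in_response_to=None):
    """Return a list of profile violations; an empty list means the bearer confirmation is acceptable.

    acs: set of the SP's ACS URLs; in_response_to: ID of the AuthnRequest this assertion answers,
    or None for an IdP-initiated flow where no request ID is expected.
    """
    root = ET.fromstring(assertion_xml)
    bearer = [c for c in root.iterfind(".//saml:Subject/saml:SubjectConfirmation", NS)
              if c.get("Method") == BEARER]
    if not bearer:
        return ["no SubjectConfirmation with Method " + BEARER]
    problems = []
    for conf in bearer:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation lacks SubjectConfirmationData")
            continue
        recipient = data.get("Recipient")
        if recipient not in acs:
            problems.append("Recipient %r is not one of the SP's ACS URLs %s" % (recipient, sorted(acs)))
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after is None:
            problems.append("NotOnOrAfter is missing")
        elif now >= parse_saml_time(not_on_or_after):
            problems.append("NotOnOrAfter %s has passed" % not_on_or_after)
        if data.get("NotBefore") is not None:
            problems.append("NotBefore must not appear on bearer SubjectConfirmationData")
        if in_response_to is not None and data.get("InResponseTo") != in_response_to:
            problems.append("InResponseTo %r does not match request %r"
                            % (data.get("InResponseTo"), in_response_to))
    return problems


if __name__ == "__main__":
    acs = acs_urls(SP_METADATA)
    print("good:", check_bearer_confirmation(GOOD_ASSERTION, acs, NOW, "_req42") or "ok")
    print("bad: ", check_bearer_confirmation(BAD_ASSERTION, acs, NOW, "_req42"))
```

The checker deliberately compares Recipient against every ACS Location in the SP metadata rather than one hard-coded string, since an org's metadata may list several bindings; in a real SP these checks sit alongside signature verification and audience (Conditions) checks, which this example does not cover.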