I'm trying to log in with a SAML assertion to the vCloud Director instance (version 126.96.36.1993688) and I'm getting a 401 HTTP error with the following error in vcloud-container-debug.log (~20% of the trace is listed below, inverted for comfortable reading): See VCLOUD_SSO_ERROR.png
1. I set up SAML Identity Provider locally
2. Added my local IP to /etc/hosts on the VCD instance (I can wget any page of the Identity Provider from the VCD instance, so the Identity Provider host is resolved successfully)
3. Checked time settings on my test app, VCD and Identity Provider
4. Added Identity Provider Metadata.xml (see attachment Metadata.xml) to https://VCD.host/cloud/#/userSettingsFederationPage?org=LONG_ORG_UUID_HERE (see VCLOUD_METADATA.png)
5. Imported users and groups to cloud (see VCLOUD_USERS.png and VCLOUD.GROUPS.png)
6. Set up the identity provider to expose the UserName, EmailAddress, FullName and Groups attributes in Assertion.xml (see the saml:Assertion -> saml:AttributeStatement section), as listed in the VMware docs
7. After this I'm trying to log in on my Identity Provider
8. I get the SAML Assertion from the previous step (see Assertion.xml attachment)
9. Using this assertion I'm trying to authenticate on VCD using the PHP code listed below:
$service = VMware_VCloud_SDK_Service::getService();
'https://vcloud.director.fqdn', // VCD IP or fully-qualified domain name
$assertion, // Assertion.xml
'Organization name here', // Organization name
array('connect_timeout' => 60, 'ssl_verify_peer' => false) // SSL options for PHP connection
I tried to compare my Assertion.xml with the AssertionWiki.xml assertion taken from the wiki and the OASIS docs ( http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf ) - I didn't find any misconfiguration or anything similar.
Appreciate any insights, ideas, doc links, code examples etc!
Message was edited by: Max_Kolodezniy: Added links to images and added XML attachments
Sorry for the external images - I don't know how to add an inline image in the message text.
Were you able to login to the vCD UI using the SSO user?
What IDP are you using?
Is this SSO in System Admin/Tenant Admin/User context?
1. How can I log in to VCD using SAML users?
2. I'm using simplesamlphp in IdP mode. Hence, I can control the login workflow and debug any execution step.
3. SAML users are in the orgadmins group and have "Organization administrators" permissions. They aren't System Administrators (I know that I have to use vSphere SSO for System Administrators).
Latest update: I can successfully log in to VCD using the SAML IdP. Also, I can log in to my application via the SAML IdP. But when I try to log in to VCD using the REST API with the assertion obtained from the IdP, I get the following error: BearerError.png
What SubjectConfirmation method is allowed?
Many thanks for any help!
It looks like the 'Recipient' attribute of the SubjectConfirmationData element is incorrect. Per http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf, section 188.8.131.52:
The bearer <SubjectConfirmation> element described above MUST contain a <SubjectConfirmationData> element that contains a Recipient attribute containing the service provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered. It MAY contain an Address attribute limiting the client address from which the assertion can be delivered. It MUST NOT contain a NotBefore attribute. If the containing message is in response to an <AuthnRequest>, then the InResponseTo attribute MUST match the request's ID.
Look at your vCD Org metadata; you'll find an AssertionConsumerService element. The 'Recipient' field should be the URL of that element.
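Added example, not code from the thread or from the VMware SDK: a small Python check that applies the bearer rules quoted above to a constructed assertion and constructed SP metadata. Every hostname, URL and ID in it is a placeholder; the assertion deliberately carries a Recipient that points at an IdP-side URL instead of the SP's AssertionConsumerService.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed SP (vCD organization) metadata; only the ACS element matters here.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor><md:AssertionConsumerService index="0"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://vcd.example.test/login/org/myorg/saml/SSO/alias/vcd"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed assertion showing the mistake discussed above: Recipient names an
# IdP-side URL instead of the SP's AssertionConsumerService URL.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0"><saml:Subject><saml:NameID>alice@example.test</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://idp.example.test/acs"
      NotOnOrAfter="2030-01-01T00:00:00Z"/>
  </saml:SubjectConfirmation></saml:Subject></saml:Assertion>"""

def acs_urls(metadata_xml):
    """Every AssertionConsumerService Location the SP metadata advertises."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)}

def check_bearer_confirmation(assertion_xml, acs, now=None):
    """Apply the bearer SubjectConfirmation rules from the profiles spec; return a list of problems."""
    now = now or datetime.now(timezone.utc)
    problems = []
    confs = [c for c in ET.fromstring(assertion_xml).iterfind(".//saml:SubjectConfirmation", NS)
             if c.get("Method") == BEARER]
    if not confs:
        return ["no SubjectConfirmation with Method=bearer"]
    for conf in confs:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation has no SubjectConfirmationData")
            continue
        if data.get("Recipient") not in acs:  # must be one of the SP's ACS URLs
            problems.append("Recipient %s is not an AssertionConsumerService URL" % data.get("Recipient"))
        expiry = data.get("NotOnOrAfter")
        if expiry is None:
            problems.append("NotOnOrAfter is missing")
        elif now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
            problems.append("delivery window closed (NotOnOrAfter=%s)" % expiry)
        if data.get("NotBefore") is not None:  # forbidden on a bearer confirmation
            problems.append("NotBefore must not appear on a bearer confirmation")
    return problems
```

Running `check_bearer_confirmation(ASSERTION, acs_urls(SP_METADATA))` reports only the Recipient mismatch; replacing the Recipient with the ACS Location from the metadata makes the list empty.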