I have read that vCloud can be linked to vCenter where vCenter becomes the identity provider and vCloud obtains a SAML token from it for SSO. I would like to use vCloud with a 3rd party identity provider which will be backed by CAS, and will also provide vCloud a SAML token.
Is it possible to use a 3rd party identity provider with vCloud?
There are two ways of doing 'federation', which is what would do SSO.
1. Only for System Administrators in the 'System' Organization. This Federation is specifically for vSphere SSO, and you would configure your identity provider in the vSphere web client. There is a bit more to it than that, but I just wanted to ensure that you know System goes to vSphere SSO.
2. On a Per Organization basis you can do federation with an external SAML provider (e.g. ADFS 2.0). This will use the 3rd party system as the authentication, then vCloud Director would do the authorization.
Hi,
Thanks for the answer.
Can we have scenario #2 work for system administrators as well as organization users? I guess it would also be possible to point all organizations to the same (3rd party) SAML provider (most likely a CAS server which also talks SAML)?
No.
Think of it this way as a chain of passed tasks. The order is just different for the two processes.
system administrators --> System Login --> vSphere SSO (User Identification) --> 3rd Party Identity Provider (LDAP or SAML for Authentication) --> vCloud Director (Authorization and Access Control)
Organization Users --> Organization Login --> 3rd Party SAML Provider (Authentication) --> vCloud Director (Authorization and Access Control)
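The organization-user chain both answers describe (external SAML provider authenticates, vCloud Director only authorizes) as an added Python illustration; this is example code, not code from the thread or from VMware, and it does not reproduce vCloud Director's implementation. The issuer, audience and user values are constructed placeholders, the per-organization role table is made up, and XML signature verification on the assertion, which a real service provider must perform, is left out so the example stays short.

```python
"""Simplified per-organization SAML federation: the IdP authenticates,
the service provider (vCloud Director in the thread) authorizes.
Example code only; not vCloud Director's implementation."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAML response. Issuer, audience and NameID are placeholders.
SAMPLE_RESPONSE = """<saml2p:Response
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Issuer>https://idp.example.test/saml</saml2:Issuer>
    <saml2:Subject><saml2:NameID>alice@example.test</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T00:00:00Z"
                      NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://vcd.example.test/org/acme</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed per-organization federation settings: every organization names
# the issuer it trusts and the audience (its own SP entity ID) it expects.
ORG_IDP = {
    "acme": {"issuer": "https://idp.example.test/saml",
             "audience": "https://vcd.example.test/org/acme"},
    "globex": {"issuer": "https://idp.example.test/saml",
               "audience": "https://vcd.example.test/org/globex"},
}

# Constructed role table: the authorization half of the chain. A valid
# assertion alone grants nothing; the SP decides what the user may do.
ORG_ROLES = {
    "acme": {"alice@example.test": "Organization Administrator",
             "bob@example.test": "vApp User"},
    "globex": {"carol@example.test": "vApp Author"},
}


def parse_ts(value):
    """Parse the UTC timestamp format used in SAML Conditions attributes."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=dt.timezone.utc)


def authenticate(response_xml, trusted_issuer, expected_audience, now):
    """Authentication step: accept the IdP's assertion and return its NameID.
    Checks issuer, validity window and audience; XML signature verification
    is omitted here and must be present in any real service provider."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml2:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall(
        "saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this organization")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    return name_id


def authorize(org, name_id):
    """Authorization step: map the asserted identity to a role in this org."""
    role = ORG_ROLES.get(org, {}).get(name_id)
    if role is None:
        raise PermissionError(f"{name_id} has no role in organization {org!r}")
    return role


def org_login(org, response_xml, now):
    """Organization login chain from the thread: IdP authenticates, SP authorizes.
    The System organization is not served by this path (the thread routes it
    through vSphere SSO instead)."""
    if org == "System":
        raise ValueError("System organization authenticates via vSphere SSO")
    idp = ORG_IDP[org]
    name_id = authenticate(response_xml, idp["issuer"], idp["audience"], now)
    return name_id, authorize(org, name_id)


if __name__ == "__main__":
    when = dt.datetime(2024, 1, 1, 0, 1, tzinfo=dt.timezone.utc)
    print(org_login("acme", SAMPLE_RESPONSE, when))
```

Two details carry the security weight here. The audience check ties each assertion to one organization's SP entity, so when several organizations trust the same issuer an assertion minted for one of them is rejected by the others rather than replayed across them. The role table is where the "vCloud Director does the authorization" half of the chain lives: an identity the IdP vouches for but the organization has not mapped to a role gets no access.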
Hi, thanks!
So I guess if we remove the system administration requirement, then we should be able to point all organizations to a single SAML provider and get vCloud to work with it. Would that work?