VMware Cloud Community
adaptives
Contributor

vCloud SSO with a 3rd party identity provider?

I have read that vCloud can be linked to vCenter where vCenter becomes the identity provider and vCloud obtains a SAML token from it for SSO. I would like to use vCloud with a 3rd party identity provider which will be backed by CAS, and will also provide vCloud a SAML token.

Is it possible to use a 3rd party identity provider with vCloud?

4 Replies
IamTHEvilONE
Immortal

There are two ways of doing 'federation', which is what would do SSO.

1. Only for System Administrators in the 'System' Organization. This Federation is specifically for vSphere SSO, and you would configure your identity provider in the vSphere web client. There is a bit more to it than that, but I just wanted to ensure that you know System goes to vSphere SSO.

2. On a Per Organization basis you can do federation with an external SAML provider (e.g. ADFS 2.0). This will use the 3rd party system as the authentication, then vCloud Director would do the authorization.

adaptives
Contributor

Hi,

Thanks for the answer.

Can we have scenario #2 work for system administrators as well as organization users? I guess it would also be possible to point all organizations to the same (3rd party) SAML provider (most likely a CAS server which also talks SAML)?

IamTHEvilONE
Immortal

No.

Think of it this way, as a chain of passed tasks. The order is just different for the two processes.

system administrators --> System Login --> vSphere SSO (User Identification) --> 3rd Party Identity Provider (LDAP or SAML for Authentication) --> vCloud Director (Authorization and Access Control)

Organization Users --> Organization Login --> 3rd Party SAML Provider (Authentication) --> vCloud Director (Authorization and Access Control)
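The split in the chain above (the 3rd party SAML provider authenticates, vCloud Director authorizes) as an added illustration. This is not vCloud Director's code; the organization entity ID, issuer URL, group claim name and role names are constructed placeholders, and the code assumes the assertion's XML signature has already been verified by a proper SAML library (for example python3-saml with xmlsec), which it does not reimplement. The organization side only checks that the assertion came from the issuer it trusts, is currently valid, and is addressed to this organization; which role the user gets is decided locally from a group-to-role map, and an authenticated user with no mapped group gets nothing.

```python
"""Illustration of 'authentication at the IdP, authorization in the organization'.

Added example, not vCloud Director's implementation.  Entity IDs, issuer,
claim name and role names are constructed.  The assertion's XML signature is
assumed to have been verified already by a real SAML library (python3-saml /
xmlsec); this code deliberately covers only what happens after that.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # assumed claim name emitted by the IdP

# Hypothetical per-organization federation settings (constructed values).
ORG_CONFIG = {
    "entity_id": "https://vcloud.example.com/cloud/org/acme",  # this org's SP audience
    "trusted_issuer": "https://adfs.example.com/adfs/services/trust",
    "clock_skew": timedelta(minutes=3),
    # Authorization lives here, not at the IdP: IdP group -> this org's role.
    "role_map": {
        "ACME-Cloud-Admins": "Organization Administrator",
        "ACME-Cloud-Users": "vApp User",
    },
}

# Constructed sample assertion (minimal; signature omitted, see docstring).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2013-01-01T12:00:00Z">
  <saml:Issuer>https://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-01-01T11:59:00Z" NotOnOrAfter="2013-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vcloud.example.com/cloud/org/acme</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>ACME-Cloud-Users</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_utc(value):
    """Parse a SAML UTC timestamp (with or without fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unparseable SAML timestamp: %r" % value)


def consume_assertion(assertion_xml, org=ORG_CONFIG, now=None):
    """Return {"subject": ..., "roles": [...]} for an acceptable assertion.

    Raises ValueError if the assertion is not acceptable for this organization
    and PermissionError if the user authenticated but holds no local role.
    `now` may be a timezone-aware datetime or a SAML timestamp string.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_utc(now)
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")

    # 1. Authentication happened at the IdP; accept only the issuer this org trusts.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != org["trusted_issuer"]:
        raise ValueError("untrusted issuer: %r" % issuer)

    # 2. Validity window (with bounded clock skew) and audience: the assertion
    #    must be addressed to *this* organization's entity ID.
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    skew = org["clock_skew"]
    if "NotBefore" in cond.attrib and now + skew < _parse_utc(cond.attrib["NotBefore"]):
        raise ValueError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now - skew >= _parse_utc(cond.attrib["NotOnOrAfter"]):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    if org["entity_id"] not in audiences:
        raise ValueError("assertion not intended for this organization: %r" % audiences)

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise ValueError("assertion has no Subject/NameID")

    # 3. Authorization is local: map IdP group claims to this org's roles;
    #    groups the org has not mapped grant nothing.
    path = "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue" % GROUP_CLAIM
    groups = [v.text for v in root.findall(path, namespaces=NS)]
    roles = sorted({org["role_map"][g] for g in groups if g in org["role_map"]})
    if not roles:
        raise PermissionError("%s authenticated but holds no role in this organization" % subject)
    return {"subject": subject, "roles": roles}


if __name__ == "__main__":
    print(consume_assertion(SAMPLE_ASSERTION, now="2013-01-01T12:01:00Z"))
```

The point the chain makes is visible in step 3: nothing in the assertion says "vApp User"; the IdP only vouches for who the user is and which groups they are in, and the organization decides what those groups mean. Pointing several organizations at the same IdP therefore works per organization because each one carries its own entity ID and its own role map.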

adaptives
Contributor

Hi, thanks!

So I guess if we remove the system administration requirement, then we should be able to point all organizations to a single SAML provider and get vCloud to work with it. Would that work ?
