5 Replies Latest reply on Mar 10, 2020 10:16 AM by scott28tt

    VMware vCloud Director 9.0 and  3rd-party SAML IDP

    Whood Lurker

      Hello!

      Did anyone integrate VMware vCloud Director 9.0 with a 3rd-party SAML identity provider (IDP) to provide authentication (SSO)?


      What was done:

      1) IDP server was Installed

      2) Configured trust relationship between IDP and vCD through metadata

      3) Users were imported from SAML into vCD in the format: username@my.domain

      4) When I connect to vCD I am redirected to the IDP server, successfully pass authentication, am redirected back to vCD, and

      get the error "SAML authentication failed for this organization", like the one described in the VMware Knowledge Base:

      https://imgur.com/0wPEBEU

      Interested in a solution customized for each organization's vCD, not globally.

      My questions:

      1) How and where can I view authorization logs from vCD?

      2) From the logs on the IDP server it is not possible to understand the reason for the failure. How do I troubleshoot on the vCD side?

        • 1. Re: VMware vCloud Director 9.0 and  3rd-party SAML IDP
          jonathankristianstorey Lurker

          Hi there,

          I'm looking to do a similar thing.  We run vCloud 9.1 and got to pretty much the same place as you.  I'm looking for more information on the specific tokens required to be passed to vCloud SAML - is it NameID, email, groups?

          Kind Regards,

          Jonathan

          • 2. Re: VMware vCloud Director 9.0 and  3rd-party SAML IDP
            donalhunt0xan Lurker

            Did anyone make progress on this? We are evaluating vCloud as a solution and require either MFA or SAML to be available.

            • 3. Re: VMware vCloud Director 9.0 and  3rd-party SAML IDP
              donalhunt0xan Lurker

              I discovered how to make this work and it's not obvious (and not documented in VMware's documentation from what I can tell).

              Setting up SAML requires the following:

              • Configuring the service provider (SP) - i.e. vCloud Director
              • Configuring the identity provider (IDP) - i.e. Okta, G Suite, etc.
              • Importing the users

              That last step doesn't seem to be well documented. When you go to the Access Control >> Users section, there's an import option which allows you to specify which users should have local permissions set.

              So if you've configured the first two steps and your SAML credentials are resulting in the "SAML authentication failed for this organization" message, you may just need to configure privileges for the relevant users.

              h/t to the author at RSA who provided the missing hint here: VMware vCloud Director integration with RSA Sec... | RSA Link

              • 4. Re: VMware vCloud Director 9.0 and  3rd-party SAML IDP
                ItrisTF Lurker

                Yes, I did, through Azure AD:

                In Azure AD you create a custom enterprise application based on SAML.

                - You configure which users are allowed to use this method in here (as well as on vCloud Director in Administration > Users).

                This has to be in email format.

                - You configure SAML: exchange the vCD Federation Metadata with Azure AD, and exchange the metadata of Azure AD (through the URL, not the downloadable XML) with vCD.

                - You also configure it to use SHA1 up until vCD 9.5.0.3; as of vCD 9.5.0.4 you can use the standard SHA256.

                - vCloud Director supports only tokens with an age of 2 hours. If you use Azure AD as the federation IDP you need to reduce the lifetime of the token (which is 90 days) to 2 hours. This can be done through the Azure AD Policy cmdlet.

                The SAML attribute in Azure AD user.userprincipalname is also known as the NameID; this is the info vCD is looking for and has to be filled in with either:

                - user.mail or

                - user.userprincipalname (if you don't have Exchange)
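                Putting the hints from replies 3 and 4 together as an added example (this is not code from the thread, from VMware, or from RSA): a small Python script that triages a SAML Response offline and reports which of the conditions raised above would make vCD reject it: no NameID, NameID not in email format, an assertion validity window longer than two hours, or a subject that is not in the organization's imported user list. The two-hour limit and the email-format requirement are taken from the posts; the sample response, the issuer URL `https://idp.example.test/metadata`, the user list and the helper names are constructed for this example. It does not verify the XML signature, which the real SP does against the IDP metadata; it is meant for reading an assertion captured from a browser SAML tracer when the IDP logs give no reason for the failure.

```python
"""Offline triage of a SAML Response that a vCD organization rejected.

Added example, not from the thread or from VMware. The checks follow the
points the thread raises; the two-hour lifetime and the email-format
NameID are assumptions taken from the posts above.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
MAX_LIFETIME = timedelta(hours=2)  # token age limit reported in reply 4 (assumption)

# Constructed sample response; the issuer URL is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-03-10T09:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{fmt}">{nameid}</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-03-10T09:00:00Z" NotOnOrAfter="{expiry}"/>
  </saml:Assertion>
</samlp:Response>"""


def make_response(nameid, fmt, expiry):
    """Build a constructed SAML Response with the given subject and expiry."""
    return SAMPLE_RESPONSE.format(nameid=nameid, fmt=fmt, expiry=expiry)


def _parse_ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_assertion(xml_text, imported_users, expected_issuer=None):
    """Return the reasons (strings) the assertion would be rejected; [] if none fired.

    imported_users: the users imported into the vCD organization (Access Control >> Users).
    expected_issuer: the IDP entityID from the trusted metadata, if known.
    """
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> in the response"]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if expected_issuer and issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match the trusted IDP metadata")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing: vCD cannot map the subject to a user")
        return problems
    fmt = name_id.get("Format", "")
    value = name_id.text.strip()
    if fmt != EMAIL_FORMAT or "@" not in value:
        problems.append(f"NameID {value!r} is not in email format (Format={fmt!r})")

    # Compare the validity window against the two-hour limit from the thread.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        lifetime = _parse_ts(cond.get("NotOnOrAfter")) - _parse_ts(cond.get("NotBefore"))
        if lifetime > MAX_LIFETIME:
            problems.append(f"assertion lifetime {lifetime} exceeds {MAX_LIFETIME}")

    # The subject must match a user that was imported into the organization.
    if value.lower() not in {u.lower() for u in imported_users}:
        problems.append(f"{value!r} is not in the organization's imported user list")
    return problems


if __name__ == "__main__":
    imported = ["alice@my.domain"]
    bad = make_response("alice", UNSPECIFIED_FORMAT, "2020-06-08T09:00:00Z")  # 90-day token
    good = make_response("alice@my.domain", EMAIL_FORMAT, "2020-03-10T11:00:00Z")
    for label, resp in (("bad", bad), ("good", good)):
        print(label, triage_assertion(resp, imported, "https://idp.example.test/metadata") or ["ok"])
```

                Running it prints three reasons for the constructed 90-day token with an unspecified-format NameID and "ok" for the two-hour email-format one. Each reason maps to one configuration step in the thread: the NameID mapping on the IDP, the token lifetime policy, and the user import in vCD.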

                • 5. Re: VMware vCloud Director 9.0 and  3rd-party SAML IDP
                  scott28tt Champion
                  User Moderators, VMware Employees, Community Warriors

                  Moderator: Moved to vCloud Director