I'm looking to do a similar thing. We run vCloud 9.1 and got to pretty much the same place as you. I'm looking for more information on the specific tokens required to be passed to vCloud SAML: is it NameID, email, groups?
Did anyone make progress on this? We're evaluating vCloud as a solution and require either MFA or SAML to be available.
I discovered how to make this work and it's not obvious (and not documented in VMware's documentation from what I can tell).
Setting up SAML requires the following:
- Configuring the service provider (SP) - i.e. vCloud Director
- Configuring the identity provider (IDP) - i.e. Okta, gSuite, etc
- Importing the users
That last step doesn't seem to be well documented. When you go to the Access Control >> Users section, there's an import option which allows you to specify what users should have local permissions set.
So if you've configured the first two steps and your SAML credentials are resulting in the "SAML authentication failed for this organization" message, you may just need to configure privileges for the relevant users.
h/t to the author at RSA who provided the missing hint here: VMware vCloud Director integration with RSA Sec... | RSA Link
Yes, I did, through Azure AD:
In Azure AD you create a custom enterprise application based on SAML.
- you configure which users are allowed to use this method in here (as well on vCloud Director in Administration > Users)
This has to be in email format.
- you configure SAML: Exchange the vCD Federation Metadata with Azure AD and Exchange the metadata of Azure AD (through the URL, not the downloadable XML) with vCD
- you also configure it to use SHA1 up until vCD 184.108.40.206 and as of vCD 220.127.116.11 you can use the standard SHA256
- vCloud Director supports only tokens with an age of 2 hours. If you use Azure AD as the federation IDP you need to downsize the lifetime of the token (being 90 days) to 2 hrs. This can be done through the Azure AD Policy cmdlet.
The SAML attribute in Azure AD, user.useruniqueidentifier, is also known as the NameID; this is the info vCD is looking for and it has to be filled in with either:
- user.mail or
- user.userprincipalname (if you don't have exchange)
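As an added diagnostic that is not part of this thread, the script below parses a SAML assertion and checks the two properties the posts above say vCD depends on: a NameID in email format and an assertion validity window no longer than 2 hours. The sample assertion is constructed (example tenant, no signature) and the 90-day window mirrors the Azure AD default mentioned above.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAX_LIFETIME = timedelta(hours=2)  # limit stated in the thread

# Constructed sample assertion: placeholder tenant, signature omitted
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" IssueInstant="2019-01-01T10:00:00Z" Version="2.0">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-01-01T09:55:00Z" NotOnOrAfter="2019-04-01T09:55:00Z"/>
</saml:Assertion>"""

def _parse_ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text):
    """Return findings for one assertion; an empty 'problems' list means both checks pass."""
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response wrapping one
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing")
        fmt, value = None, None
    else:
        fmt, value = name_id.get("Format"), name_id.text.strip()
        if fmt != EMAIL_FORMAT or "@" not in value:
            problems.append("NameID is not in email format")
    cond = assertion.find("saml:Conditions", NS)
    lifetime = None
    if cond is None or not cond.get("NotOnOrAfter"):
        problems.append("Conditions/NotOnOrAfter missing")
    else:
        start = _parse_ts(cond.get("NotBefore") or assertion.get("IssueInstant"))
        lifetime = _parse_ts(cond.get("NotOnOrAfter")) - start
        if lifetime > MAX_LIFETIME:
            problems.append(f"assertion lifetime {lifetime} exceeds {MAX_LIFETIME}")
    return {"name_id": value, "format": fmt, "lifetime": lifetime, "problems": problems}

if __name__ == "__main__":
    for p in check_assertion(SAMPLE_ASSERTION)["problems"] or ["no problems found"]:
        print(p)
```

To check a real login, paste the base64-decoded SAMLResponse captured from the browser in place of SAMPLE_ASSERTION; the script reads the assertion inside the Response as well.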
Moderator: Moved to vCloud Director