You must generate SAML metadata on the Unified Access Gateway appliance and exchange metadata with the server to establish the mutual trust required for smart card authentication.
The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and exchange authentication and authorization information between different security domains. SAML passes information about users between identity providers and service providers in XML documents called SAML assertions. In this scenario, Unified Access Gateway is the identity provider and the server is the service provider.
Prerequisites
- Configure the clock (UTC) on the Unified Access Gateway appliance so that the appliance has the correct time. For example, open a console window on the Unified Access Gateway virtual machine and use arrow buttons to select the correct time zone. Also verify that the ESXi host's time is synchronized with an NTP server. Verify that VMware Tools, which is running in the appliance virtual machine, synchronizes the time on the virtual machine with the time on the ESXi host.
Important: If the clock on the Unified Access Gateway appliance does not match the clock on the server host, smart card authentication might not work.
- Obtain a SAML signing certificate that you can use to sign the Unified Access Gateway metadata.
Note: VMware recommends that you create and use a specific SAML signing certificate when you have more than one Unified Access Gateway appliance in your setup. In this case, all appliances must be configured with the same signing certificate so that the server can accept assertions from any of the Unified Access Gateway appliances. With a specific SAML signing certificate, the SAML metadata from all the appliances is the same.
- If you have not done so already, convert the SAML signing certificate to PEM-format files and convert the .pem files to one-line format. See Convert Certificate Files to One-Line PEM Format.
Procedure
- In the admin UI Configure Manually section, click Select.
- In the Advanced Settings section, click the SAML Identity Provider Settings gearbox icon.
- Select the Provide Certificate check box.
- To add the Private Key file, click Select and browse to the private key file for the certificate.
- To add the Certificate Chain file, click Select and browse to the certificate chain file.
- Click Save.
- In the Hostname text box, enter the hostname and download the identity provider settings.
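Once the identity provider settings have been downloaded from each appliance, the note above about configuring every Unified Access Gateway appliance with the same SAML signing certificate can be checked mechanically before the metadata is handed to the server. The following Python is an added example, not part of this documentation or of the Unified Access Gateway product; it assumes the one-line PEM file separates the original lines with literal `\n` sequences, and it uses constructed placeholder certificate bodies rather than real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate body (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def one_line_pem_fingerprint(one_line_pem: str) -> str:
    """Fingerprint of a cert in one-line PEM form; assumes literal '\\n' separators."""
    pem = one_line_pem.replace("\\n", "\n")
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    return cert_fingerprint(body.split("-----END CERTIFICATE-----", 1)[0])


def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of signing certs (KeyDescriptor use='signing' or no 'use')."""
    fps = set()
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use", "signing") == "signing":
            for cert in kd.iter("{%s}X509Certificate" % DS_NS):
                fps.add(cert_fingerprint(cert.text or ""))
    return fps


def all_appliances_consistent(metadata_docs, one_line_pem) -> bool:
    """True only if every appliance advertises exactly the uploaded signing cert."""
    expected = {one_line_pem_fingerprint(one_line_pem)}
    return all(metadata_signing_fingerprints(d) == expected for d in metadata_docs)


# Constructed sample data: not real certificates, just byte strings in DER's
# place so the fingerprint comparison runs offline.
CERT_A = base64.b64encode(b"constructed sample signing cert A, not real DER").decode()
CERT_B = base64.b64encode(b"constructed sample signing cert B, not real DER").decode()
ONE_LINE_PEM_A = "-----BEGIN CERTIFICATE-----\\n%s\\n-----END CERTIFICATE-----\\n" % CERT_A


def sample_metadata(entity_id: str, b64_cert: str) -> str:
    """Minimal constructed IdP metadata in the shape of the downloaded settings."""
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">'
        '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo>'
        '<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>'
        '</ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>'
    ) % (MD_NS, DS_NS, entity_id, b64_cert)


UAG_FLEET_OK = [sample_metadata("https://uag1.example.test", CERT_A),
                sample_metadata("https://uag2.example.test", CERT_A)]
UAG_FLEET_BAD = UAG_FLEET_OK + [sample_metadata("https://uag3.example.test", CERT_B)]
```

A mismatch found by this check means the server will reject assertions from the odd appliance even though the others work, which is exactly the failure the note above warns about.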