To manage replications on remote cloud sites, extend your session to that site by accepting an authentication token or by providing credentials for the local VMware Cloud Director. Any replication operation to remote cloud sites and specific replication operations from remote cloud sites require an extended session.
Extending Session Authentication from Cloud to Cloud
Extend a local cloud site session to the remote Cloud Director site when prompted by using either of the following authentication methods to perform replication operations from the local cloud site on a remote cloud site:
- When the local and the remote VMware Cloud Director and their organizations are associated, or when multiple cloud sites use a single VMware Cloud Director instance, select Use multisite authentication. As one organization can be associated with multiple remote organizations, select the organization for authentication from the Organization drop-down menu then click Login. For more information, see Multisite authentication.
- When the remote VMware Cloud Director organization supports local users, select Use local user authentication, enter a local VMware Cloud Director Username and Password then click Login to extend the session from the local cloud site to the remote cloud site.
Note: With version 10.4.1, VMware Cloud Director started the deprecation process for local users. VMware Cloud Director continues to fully support the use of local users while they are under deprecation. For more information, see the VMware Cloud Director 10.4.1 Release Notes.
- With VMware Cloud Director Availability 4.7 and later in both the local and the remote sites allows the users to extend their existing user session from the local cloud site to the remote cloud site by using a temporary token challenge.
- To activate this extension method, first in each destination cloud site, log in to VMware Cloud Director Availability as a provider.
- In the left pane, click Settings, then under Site settings next to Cloud-to-Cloud Challenge Authentication click Edit.
- In the Cloud-to-Cloud Challenge Authentication window, activate the toggle then click Apply.
- Once active, when any user attempt a remote replication operation from the local cloud site, they can also click Other authentication methods then select Use challenge authentication. This applies for both provider and for tenant users.
- The user must remember this one-time token for validation later, then click Login. This opens a new pop-up browser window with the VMware Cloud Director sign-in page for their organization.
- In the VMware Cloud Director sign-in pop-up, the user enters their credentials and clicks Sign-in.
- After signing in VMware Cloud Director, an Approve Remote Login pop-up window allows the user to click Approve. Before approving the remote login request, the user can validate the two tokens match.
- To activate this extension method, first in each destination cloud site, log in to VMware Cloud Director Availability as a provider.
After using any of these three methods for authenticating to the remote site, the Cloud Service keeps the newly created extended session and for the replication operations on the remote site uses the extended session without requiring credentials anymore. See also the Note in the below section.
On-Premises Authentication to the Cloud
VMware Cloud Director Availability provides two authentication mechanisms for the on-premises tenants to perform disaster recovery operations with a remote cloud site that require authentication, for example, configuring a new replication or falling over.
- When performing a replication operation that requires authentication, the tenants are prompted for providing the remote cloud site user credentials.
- Alternatively, the tenants can click Use challenge authentication to generate a temporary token for authentication that requires acceptance in VMware Cloud Director.
- Clicking Login opens a new pop-up window with the VMware Cloud Director sign-in page.
- The tenants can choose an authentication method for authenticating to VMware Cloud Director such as single-sign-on or multi-factor authentication, then click Sign-in. When the VMware Cloud Director organization uses an external identity provider, for example, SAML, the on-premises tenants can use that method for authentication.
- After the tenants authenticate in VMware Cloud Director, a prompt requests verifying and clicking Approve that the temporary token from the challenge matches the displayed one.
- Accepting the temporary token grants the tenants with access to the cloud site for the duration of their sessions, allowing them to resume the recovery workflow which requested authentication with the cloud site.
Note:
- The token acceptance interval is 5 minutes. After this timeframe expires, VMware Cloud Director Availability requires generating a new token.
- A single token allows accepting or rejecting only once.
- Accepting the token creates a regular session that is active for up to 24 hours, or 30 minutes of inactivity.
- Logging out invalidates the accepted token. After re-authenticating, when performing a replication operation requiring authentication you must generate a new token and then accept it.
- The user must ensure logging into the correct VMware Cloud Director organization, or they cannot accept the token.
Session Expiration
- The local Cloud Service session has a soft time limit reached due to inactivity. By default, the soft session lifespan expires after your session is idle for over 30 minutes and you are not viewing a dynamically refreshing management interface page.
- The local Cloud Service session also has a hard time limit that you cannot prolong without re-authenticating. By default, the hard session lifespan expires after 24 hours. During this time, you can perform all operations, until you log out of the management interface, or in the Peer Sites page you select the site and you click Logout. IFor more information about the two types of lifespans of the session, see Security configuration properties, and for more information about the user sessions, see Users roles rights and sessions in the Security Guide.
- The extended Cloud Service session to a remote cloud site expires when the remote JWT becomes invalid, due to expiry or due to manual logout. By default, the lifespan of VMware Cloud Director JWT also expires in 24 hours. When modifying the lifespan of the JWT, for example, reducing to one hour, the extended session expires after one hour. When extending the lifespan of JWT over 24 hours, the extended session expires according to either of the Cloud Service session lifespans, meaning after 24 hours or after 30 minutes of inactivity.
Replication Operations Requiring Extended Session Authentication
Extend the session to the remote site for the following replication operations, depending on where the replications reside.
- Incoming Replications from Cloud
-
To manage the replications on the remote site you can perform some replication operations without authenticating and providing the remote site credentials, while you must authenticate and provide the remote site credentials for performing the remaining replication operations.
Replication Operations Not Requiring Authentication: No Credentials Needed Replication Operations Requiring Authentication: Provide Credentials for the Remote Site Migrate New protection Failover New migration Test failover Network settings Replication settings Disk settings Change owner Change storage policy Sync Pause Resume Delete replication - Outgoing Replications to Cloud
-
To manage the replications on the remote cloud site for all replication operations you must authenticate and provide the remote site credentials.
Replication Operations Requiring Authentication: Provide Credentials for the Remote Site Migrate Failover Test failover New protection New migration Replication settings Network settings Disk settings Change storage policy Sync Pause Resume Delete replication
Tenant Organization Impersonation
For information about impersonating as a tenant, see Log in from the VMware Cloud Director Service Provider Admin Portal.