If you want to import users and groups from a SAML identity provider to your VMware Cloud Director system organization, you must configure your system organization with this SAML identity provider. Imported users can log in to the system organization with the credentials established in the SAML identity provider.

To configure VMware Cloud Director with a SAML identity provider, you establish a mutual trust by exchanging SAML service provider and identity provider metadata.
Note: For successful VMware Cloud Director integration with external identity providers, to determine the correct values and settings and to ensure proper and accurate configuration, see also the product documentation of those identity providers.

When an imported user attempts to log in, the system extracts the following attributes from the SAML token, if available, and use them for interpreting the corresponding pieces of information about the user.

  • email address = "EmailAddress"
  • user name = "UserName"
  • full name = "FullName"
  • user's groups = "Groups"
  • user's roles = "Roles" (this attribute is configurable)

Group information is used if the user is not directly imported but is expected to log in by virtue of membership in imported groups. A user can belong to multiple groups, so can have multiple roles during a session.

If an imported user or group is assigned the Defer to Identity Provider role, the roles are assigned based on the information gathered from the Roles attribute in the token. If a different attribute is used, this attribute name can be configured using API and only the Roles attribute is configurable. If the Defer to Identity Provider role is used, but no role information can be extracted, the user can log in but has no any rights to perform any activities.

Tip:

For version 10.4.2 and later, if an organization in VMware Cloud Director has SAML or OIDC configured, the UI displays only the Sign in with Single Sign-On option. To log in as a local user, navigate to https://vcloud.example.com/tenant/tenant_name/login or https://vcloud.example.com/provider/login.

VMware Cloud Director login page with an SSO login button.

For versions 10.3.3 through 10.4.1, if an organization in VMware Cloud Director has SAML or OIDC configured, to log in with your identity provider, select the Sign in with Single Sign-On option.

VMware Cloud Director login page with SSO and local user login buttons.

Prerequisites

  • Verify that you have access to a SAML 2.0 compliant identity provider.
  • Obtain an XML file with the following metadata from your SAML identity provider.
    • The location of the single sign-on service
    • The location of the single logout service
    • The location of the service's X.509 certificate

    For information on configuring and acquiring metadata from a SAML provider, consult the documentation for your SAML provider.

Procedure

  1. From the top navigation bar, select Administration.
  2. In the left panel, under Identity Providers, click SAML and click Edit.
    The current SAML settings are displayed.
  3. From the Service Provider tab, download the VMware Cloud Director SAML service provider metadata.
    1. Enter an Entity ID for the system organization.

      The Entity ID uniquely identifies your system organization to your Identity Provider.

    2. Examine the certificate expiration date and, if expiring soon, regenerate the certificate by clicking Regenerate.
      The certificate is included in the SAML metadata, and is used for both encryption and signing. Either or both of these might be required depending on how trust is established between your organization and your SAML IDP.
    3. Click Retrieve Metadata.
      Your browser downloads the SAML service provider metadata, an XML file which you must provide to your identity provider.
  4. On the Identity Provider tab, upload the SAML metadata that you previously received from your identity provider.
    1. Select Use SAML Identity Provider.
    2. Either click the Browse icon and upload the file, or copy and paste its content in the Metadata XML text box.
  5. Click Save.