Starting with version 10.4.2, you can use VMware Cloud Director as a tenant-aware OpenID Connect (OIDC) identity provider proxy server.

After VMware Cloud Director is configured as an OIDC proxy server, when a user attempts to log in to the OIDC relying party (OIDC client), they are redirected to VMware Cloud Director and prompted to enter the name of their organization and their SSO or local credentials. After providing the necessary credentials, the user is directed to the OIDC relying party.

VMware Cloud Director delegates actual authentication to the authentication mechanism used by the provider or tenant. This can result in additional redirections to any external Identity Providers that perform authentication for those users.

Prerequisites

  • Verify that your role includes the OIDC Server: Manage Settings right.

  • Verify that the roles of the users that will log in to the OIDC relying party (OIDC client) through VMware Cloud Director include the OIDC Server: Enable right.

Procedure

  1. In the top navigation bar, click Administration.
  2. In the left panel, under Settings, click OIDC Proxy.
  3. Click Relying Parties and click New.
  4. Enter a relying party name for the client application registration and make a note of it.
  5. Enter the URI to which to redirect users that are attempting to log in to the relying party, and click Save.
  6. Copy the relying party ID and secret and make note of them.
  7. Configure your OIDC relying party to use VMware Cloud Director as an identity provider proxy server with the relying party ID and secret.
    Tip:

    You can retrieve the provider configuration values, including the JWKS endpoint and information about the other endpoints and scopes necessary for the OIDC proxy configuration, from the well-known configuration URL hostname/oidc/.well-known/openid-configuration. See View the OIDC Proxy General Settings in Your VMware Cloud Director.

Results

When a user attempts to log in to the OIDC relying party, they are redirected to VMware Cloud Director and prompted to select a VMware Cloud Director organization and provide their credentials. After a successful authorization, they are redirected back to the OIDC relying party.