When you configure the vRealize Orchestrator Plug-in for VMware Cloud Director, you must select an authentication method for managing users when they log in to your VMware Cloud Director instance.

Basic Authentication
The basic authentication method provides a way to log in with a user name and password.

SAML Authentication
The Security Assertion Markup Language (SAML) authentication method provides a token login. This token is shared between all instances used by the user.

If you decide to use Basic Authentication and Session per user methods, ensure that the Orchestrator server is configured for LDAP authentication. The vRealize Orchestrator Plug-in for VMware Cloud Director uses the user name and password of the current user to log in to VMware Cloud Director.

If you decide to use SAML Authentication and Session per user methods, ensure that the Orchestrator server is configured for Single Sign-on authentication. The plug-in uses the Single Sign-on token provided by the Orchestrator server to log in to VMware Cloud Director.

The following figure shows the Session per user method to connect vRealize Orchestrator, vRealize Orchestrator Plug-in for VMware Cloud Director, LDAP server or Single Sign-on server, and VMware Cloud Director, when using SAML or Basic authentication.

Figure 1. Session Per User Method

For SAML authentication, the vRealize Orchestrator plug-in uses Single Sign-On. For basic authentication, the plug-in uses LDAP authentication.

If you decide to use Basic Authentication and Shared session methods, the Orchestrator server authentication mode is ignored and the plug-in uses a predefined user name and password to log in to VMware Cloud Director.

If you decide to use SAML Authentication and Shared session methods, the Orchestrator server authentication mode is ignored and the plug-in uses the SAML token provided by a callback action to log in to VMware Cloud Director. You must implement the callback action in your Orchestrator client.

Scripting example of the callback action

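function acquireSamlToken() {
   // Key under which the token is cached in the plug-in's shared properties
   var tokenKey = "cd5727e0-b5fd-11e1-afa6-0800200c9a66";
   var properties = new VclSharedProperties();
   var token = properties.getProperty(tokenKey);
   if (token == null) {
      var tokenLifetime = 600000; // 10 min lifetime (milliseconds)
      // TODO: your logic to acquire the token.
      // requestSamlTokenFromIdp is a hypothetical placeholder, not a plug-in API.
      token = requestSamlTokenFromIdp();
      properties.putProperty(tokenKey, token, tokenLifetime);
   }
   return token;
}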
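
The callback above caches the token for a fixed 10 minutes. The following added example (not VMware's code) derives the cache lifetime from the assertion's own NotOnOrAfter, so a shared token is not served from the cache past its validity. It assumes the token is the raw SAML assertion XML; FakeSharedProperties, cacheLifetimeMs, acquireSamlTokenBounded, fetchToken, sampleAssertion and the 60-second margin are hypothetical names and values.

```javascript
// Stand-in for the two VclSharedProperties calls the page uses (assumption:
// an entry is no longer returned once its lifetime in ms has elapsed).
function FakeSharedProperties(clock) {
  this.clock = clock;
  this.store = {};
}
FakeSharedProperties.prototype.getProperty = function (key) {
  var e = this.store[key];
  return e && this.clock() < e.expires ? e.value : null;
};
FakeSharedProperties.prototype.putProperty = function (key, value, lifetime) {
  this.store[key] = { value: value, expires: this.clock() + lifetime };
};

var MAX_LIFETIME_MS = 600000; // upper bound: the 10 min used on the page
var SKEW_MS = 60000;          // constructed safety margin for clock drift

// Time left until the assertion's Conditions/NotOnOrAfter, minus the margin,
// capped at MAX_LIFETIME_MS. Returns 0 when the token must not be cached.
// The regex only reads a timestamp for caching; it does not validate the token.
function cacheLifetimeMs(assertionXml, nowMs) {
  var m = /<(?:\w+:)?Conditions\b[^>]*\bNotOnOrAfter="([^"]+)"/.exec(assertionXml);
  if (!m) return 0;
  var notOnOrAfter = Date.parse(m[1]);
  if (isNaN(notOnOrAfter)) return 0;
  return Math.max(0, Math.min(notOnOrAfter - nowMs - SKEW_MS, MAX_LIFETIME_MS));
}

// Same shape as the page's callback; fetchToken is the hypothetical IdP call.
function acquireSamlTokenBounded(properties, fetchToken, clock) {
  var tokenKey = "cd5727e0-b5fd-11e1-afa6-0800200c9a66";
  var token = properties.getProperty(tokenKey);
  if (token == null) {
    token = fetchToken();
    var lifetime = cacheLifetimeMs(token, clock());
    if (lifetime > 0) properties.putProperty(tokenKey, token, lifetime);
  }
  return token;
}

// Constructed sample: a minimal assertion fragment with the given expiry.
function sampleAssertion(notOnOrAfter) {
  return '<saml:Assertion><saml:Conditions NotBefore="2024-01-01T12:00:00Z" ' +
    'NotOnOrAfter="' + notOnOrAfter + '"/></saml:Assertion>';
}
```

In an Orchestrator action, replace FakeSharedProperties with `new VclSharedProperties()` and pass the current time as the clock.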

The following figure shows the shared session method to connect vRealize Orchestrator Plug-in for VMware Cloud Director, LDAP server or Single Sign-On Server, and VMware Cloud Director when using SAML or Basic authentication.

Figure 2. Shared Session Method

In a shared session, the plug-in stores the encrypted password in the VMware Cloud Director database from which it is matched for authentication.