An identity provider is a service that manages user and group identities. VMware Cloud Director organizations that use the same identity provider are said to be federated.
An organization can define an identity provider that it shares with other applications or enterprises. Users authenticate to the identity provider to obtain a token that they can then use to log in to the organization. Such a strategy can enable an enterprise to provide access to multiple, unrelated services, including VMware Cloud Director, with a single set of credentials, an arrangement often referred to as single sign-on.
VMware Cloud Director includes a Multisite capability that extends the advantages of federation by enabling administrators to associate organizations with each other so that a user authenticated to one organization is also authenticated to all organizations that it is associated with. For organizations, federation (sharing of an IDP) is prerequisite to association. See Configuring and Managing Multisite Deployments in Your VMware Cloud Director for more information about associating sites and organizations.
About Identity Providers
- OAuth
- An organization can define an external identity provider that supports OAuth authentication, as defined in RFC 6749 ( http://tools.ietf.org/html/rfc6749). All organizations that participate in an OAuth-based federated identity scheme must include an OrgOAuthSettings element whose public key, IssuerId and OAuthKeyConfigurations were retrieved from the same identity provider.
- SAML
- An organization can define an external identity provider that supports the Security Assertion Markup Language (SAML) 2.0 standard. All organizations participating in a SAML-based federated identity scheme must include an OrgFederationSettings element that contains SAML metadata retrieved from the same identity provider.
- Integrated
- The integrated identity provider is a VMware Cloud Director service that authenticates users who are created locally or imported from LDAP. All organizations that participate in an LDAP-based federated identity scheme must include an OrgLdapSettings element that specifies shared configuration parameters.
The XML representation of a User can include an IdentityProvider element that specifies INTEGRATED, OAUTH, or SAML. If the element is missing or empty, a value of INTEGRATED is assumed.
The XML representation of a Group can include a ProviderType element that specifies INTEGRATED or SAML. If the element is missing or empty, a value of INTEGRATED is assumed.