If you want to import users and groups from a SAML identity provider to your VMware Cloud Director system organization, you must configure your system organization with this SAML identity provider. Imported users can log in to the system organization with the credentials established in the SAML identity provider.

To configure VMware Cloud Director with a SAML identity provider, you establish a mutual trust by exchanging SAML service provider and identity provider metadata.
Note: For successful VMware Cloud Director integration with external identity providers, to determine the correct values and settings and to ensure proper and accurate configuration, see also the product documentation of those identity providers.

When an imported user attempts to log in, the system extracts the following attributes from the SAML token, if available, and use them for interpreting the corresponding pieces of information about the user.

  • email address = "EmailAddress"
  • user name = "UserName"
  • full name = "FullName"
  • user's groups = "Groups"
  • user's roles = "Roles" (this attribute is configurable)

Group information is used if the user is not directly imported but is expected to log in by virtue of membership in imported groups. A user can belong to multiple groups, so can have multiple roles during a session.

If an imported user or group is assigned the Defer to Identity Provider role, the roles are assigned based on the information gathered from the Roles attribute in the token. If a different attribute is used, this attribute name can be configured using API and only the Roles attribute is configurable. If the Defer to Identity Provider role is used, but no role information can be extracted, the user can log in but has no any rights to perform any activities.

Prerequisites

  • Verify that you have access to a SAML 2.0 compliant identity provider.
  • Obtain an XML file with the following metadata from your SAML identity provider.
    • The location of the single sign-on service
    • The location of the single logout service
    • The location of the service's X.509 certificate

    For information on configuring and acquiring metadata from a SAML provider, consult the documentation for your SAML provider.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. In the left panel, under Identity Providers, click SAML and click Edit.
    The current SAML settings are displayed.
  3. From the Service Provider tab, download the VMware Cloud Director SAML service provider metadata.
    1. Enter an Entity ID for the system organization.

      The Entity ID uniquely identifies your system organization to your Identity Provider.

    2. Examine the certificate expiration date and, if expiring soon, regenerate the certificate by clicking Regenerate.
      The certificate is included in the SAML metadata, and is used for both encryption and signing. Either or both of these might be required depending on how trust is established between your organization and your SAML IDP.
    3. Click Retrieve Metadata.
      Your browser downloads the SAML service provider metadata, an XML file which you must provide to your identity provider.
  4. On the Identity Provider tab, upload the SAML metadata that you previously received from your identity provider.
    1. Select Use SAML Identity Provider.
    2. Either click the Browse icon and upload the file, or copy and paste its content in the Metadata XML text box.
  5. For VMware Cloud Director 10.5.1 and later, if you want to customize the Sign in with SAML button label that appears on the VMware Cloud Director login page, enter a new custom button text.

    You can enter up to 24 symbols. You can use special characters and accented letters. If you want to revert to the default text, delete the custom label. The default button label is localized, and depending on your browser language settings, the text might appear in a different language. Custom labels always appear as you enter them.

  6. Click Save.