Enable your organization to use an SAML identity provider, also called single sign-on, so that you can import users and groups from the identity provider and allow those imported users to sign in to the organization with the credentials established in the SAML identity provider.

Prerequisites

  • Verify that you are logged in as a system or organization administrator.
  • Verify that you have access to an OpenAM or Active Directory Federation Services SAML identity provider.
  • Verify that your system has updated JCE unlimited strength jurisdiction policy files. See Install Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files.
  • Create an XML file with the following metadata from your SAML identity provider.
    • The location of the single sign-on service
    • The location of the single logout service
    • The location of the service's X.509 certificate
    For information on configuring and acquiring metadata from an OpenAM or Active Directory Federation Services SAML provider, consult the documentation for your SAML provider.

Procedure

  1. Click Administration.
  2. In the left pane, select Settings > Federation.
  3. Select Use SAML Identity Provider.
  4. Copy and paste the SAML provider metadata XML into the text box, or click Browse to upload the metadata XML file.
  5. Click Apply.

What to do next

  • Configure your SAML provider with vCloud Director metadata. See your SAML provider's documentation and the vCloud Director Installation and Upgrade Guide.
  • Configure your SAML provider to issue tokens with the following attribute mappings.
    • email address = "EmailAddress"
    • user name = "UserName"
    • full name = "FullName"
    • user's groups = "Groups"
  • Import users and groups from your SAML provider.
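When imported users cannot sign in, the usual cause is an assertion whose attribute names do not match the four names listed above exactly. The following check is an added example, not vCloud Director or VMware code: it reads the AttributeStatement of a SAML assertion (the sample assertion, issuer and user are constructed and unsigned) and reports required names that are absent, plus near misses such as a lower-case or URI-style name. It does not verify the assertion signature; that remains the service provider's job.

```python
"""Check that a SAML assertion carries the attribute names vCloud Director expects.

Added example (not VMware code). The required names come from the
configuration page; the sample assertion is constructed and unsigned,
so this is a mapping-troubleshooting aid, not signature validation.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRIBUTES = ("EmailAddress", "UserName", "FullName", "Groups")

# Constructed sample; issuer, user and group names are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/openam</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="UserName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FullName">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>vcd-org-admins</saml:AttributeValue>
      <saml:AttributeValue>vcd-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Map each attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_attribute_mapping(assertion_xml):
    """Return (missing, found): required names with no non-empty value, and all attributes seen."""
    found = extract_attributes(assertion_xml)
    missing = [name for name in REQUIRED_ATTRIBUTES if not any(found.get(name, []))]
    return missing, found


def near_matches(missing, found):
    """For each missing name, point at an attribute that differs only in case or by a URI prefix."""
    hints = {}
    for required in missing:
        for name in found:
            if name.rsplit("/", 1)[-1].lower() == required.lower():
                hints[required] = name
    return hints


if __name__ == "__main__":
    missing, found = check_attribute_mapping(SAMPLE_ASSERTION)
    print("missing:", missing or "none")
    for required, actual in near_matches(missing, found).items():
        print("%s is present as %r; the name must match exactly" % (required, actual))
```

Feed it the decoded assertion from a browser SAML trace or the identity provider's debug log. The comparison is case-sensitive on purpose, because the mapping the page lists is; the near-match hint exists so that a provider that emits "emailaddress" or a claim-type URI is diagnosed in one run rather than by reading the XML by eye.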