Starting with VMware Integrated OpenStack 3.1, you can integrate your VMware Integrated OpenStack deployments with VMware Identity Manager.

About this task

Integrating VMware Integrated OpenStack with VMware Identity Manager lets users securely use their existing credentials to access cloud resources such as servers, volumes, and databases across multiple endpoints in multiple authorized clouds. Each user has a single set of credentials, so no additional identities need to be provisioned and no repeated logins are required. The credential is maintained by the user's Identity Provider.

Prerequisites

  • Verify that the version of VMware Identity Manager is 2.8.0 or later.

  • Verify that you can authenticate as administrator to the VMware Identity Manager instance.

Procedure

  1. Create the custom.yml file by copying the supplied sample.
    sudo mkdir -p /opt/vmware/vio/custom
    sudo cp /var/lib/vio/ansible/custom/custom.yml.sample /opt/vmware/vio/custom/custom.yml
  2. Edit the /opt/vmware/vio/custom/custom.yml file in a text editor to configure it for your environment.
    1. Under Federation, uncomment the following parameters and set values for your environment.

      The following example provides guidance for the most common configuration with VMware Identity Manager.

      Parameter                      Value
      federation_protocol            saml2
      federation_idp_id              vidm
      federation_idp_name            vIDM SSO
      federation_idp_metadata_url    https://IDP_HOSTNAME/SAAS/API/1.0/GET/metadata/idp.xml
      federation_group               Federated Users
      federation_group_description   Groups for all federated users
      vidm_address                   IDP_URL
      vidm_user                      vidm_administrative_user
      vidm_password                  vidm_administrative_user_password
      vidm_insecure                  False
      vidm_group                     ALL USERS

    2. Save the custom.yml file.
  3. Enable federation with the settings that you configured in the custom.yml file.
    viocli deployment configure --tags federation --limit controller,lb

    After the integration operation completes successfully, the VMware Integrated OpenStack dashboard shows a new Authenticate using drop-down menu that allows the user to choose the authentication method.

  4. Before a VMware Identity Manager user can log in to VMware Integrated OpenStack, assign a role and project to the group that the user belongs to.

    You might have to create a group in Keystone that corresponds to a VMware Identity Manager group of which the user is a member. For VMware Identity Manager users, Keystone creates only ephemeral users; it does not automatically create groups. If the corresponding group does not exist, the user becomes a member of the default Federated Users group.

    1. Log in to the VMware Integrated OpenStack dashboard as an administrator.
    2. Under Federation, click Mappings to see the current mappings.
    3. Click Edit to configure a mapping according to your needs.

      For more information about mappings, see Mapping Combinations for Federation in the OpenStack documentation.
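A pre-flight check for the federation settings in custom.yml before step 3 applies them, written here as an added example that is not part of the VMware documentation or the VIO tooling. It reads the flat key: value lines without a YAML library, reports parameters that are still commented out or still carry the placeholder values from the table above, and flags settings that weaken transport security; it assumes, from the flag's name, that vidm_insecure: True disables TLS certificate verification toward VMware Identity Manager, and the hostnames in the sample fragment are constructed.

```python
import re
# Parameters the table says to uncomment and set.
REQUIRED = ("federation_protocol", "federation_idp_id", "federation_idp_name",
            "federation_idp_metadata_url", "federation_group", "federation_group_description",
            "vidm_address", "vidm_user", "vidm_password", "vidm_insecure", "vidm_group")
# Placeholders from the table that must be replaced with real values for the environment.
PLACEHOLDERS = ("IDP_HOSTNAME", "IDP_URL", "vidm_administrative_user")
LINE = re.compile(r"^\s*(#\s*)?([A-Za-z_]\w*)\s*:\s*(.*?)\s*$")

def parse_flat_yaml(text):
    """Split simple 'key: value' lines into active and commented-out settings."""
    active, commented = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            (commented if m.group(1) else active)[m.group(2)] = m.group(3).strip("\"'")
    return active, commented

def check_federation(text):
    """Return findings for the federation settings; an empty list means ready to apply."""
    active, commented = parse_flat_yaml(text)
    findings = []
    for key in REQUIRED:
        if key not in active:
            findings.append(f"{key}: {'still commented out' if key in commented else 'missing'}")
        elif any(p in active[key] for p in PLACEHOLDERS):
            findings.append(f"{key}: placeholder '{active[key]}' not replaced")
    if active.get("federation_protocol", "saml2") != "saml2":
        findings.append("federation_protocol: expected saml2")
    if active.get("vidm_insecure", "False").lower() == "true":
        findings.append("vidm_insecure: True disables TLS certificate verification toward vIDM")
    for key in ("federation_idp_metadata_url", "vidm_address"):
        if key in active and not active[key].startswith("https://"):
            findings.append(f"{key}: not an https:// URL")
    return findings

# Constructed fragment: hostname placeholder left in the metadata URL, vidm_password
# still commented out, and vidm_insecure set to True (assumed to skip cert checks).
SAMPLE = """\
federation_protocol: saml2
federation_idp_id: vidm
federation_idp_name: "vIDM SSO"
federation_idp_metadata_url: https://IDP_HOSTNAME/SAAS/API/1.0/GET/metadata/idp.xml
federation_group: "Federated Users"
federation_group_description: "Groups for all federated users"
vidm_address: https://vidm.example.test
vidm_user: admin
# vidm_password: vidm_administrative_user_password
vidm_insecure: True
vidm_group: "ALL USERS"
"""
```

Run check_federation over the contents of /opt/vmware/vio/custom/custom.yml and resolve every finding before running viocli deployment configure.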