You can configure VMware Integrated OpenStack to use VMware Identity Manager as an identity provider solution.

Users can authenticate with VMware Identity Manager over the Security Assertion Markup Language (SAML) 2.0 protocol. Federated users must authenticate using the VMware Integrated OpenStack dashboard. The OpenStack command-line interface is not supported for federated users.

Prerequisites

  • Deploy and configure VMware Identity Manager 2.8 or later.
  • Ensure that your VMware Identity Manager instance can communicate with the VMware Integrated OpenStack management network.

Procedure

  1. Log in to the OpenStack Management Server as viouser.
  2. If your deployment is not using a custom.yml file, copy the template custom.yml file to the /opt/vmware/vio/custom directory.
    sudo mkdir -p /opt/vmware/vio/custom
    sudo cp /var/lib/vio/ansible/custom/custom.yml.sample /opt/vmware/vio/custom/custom.yml
  3. Open the /opt/vmware/vio/custom/custom.yml file in a text editor.
  4. Add the following parameters.
    federation_protocol: Enter saml2.
    federation_idp_id: Enter a name for the identity provider. This name is used in OpenStack Management Server command-line operations and cannot include special characters or spaces.
    federation_idp_name: Enter a display name for the identity provider. This name is shown to users under Authenticate using when they log in to the VMware Integrated OpenStack dashboard.
    federation_idp_metadata_url: Enter https://identity-mgr-fqdn/SAAS/API/1.0/GET/metadata/idp.xml.
    federation_group: Enter a group to contain federated users.
    federation_group_description: Enter a description for the federated users group.
    vidm_address: Enter the FQDN of your VMware Identity Manager instance (for example, https://vxlan-vm-2-10.network.example.com).
    vidm_user: Enter the user name of a VMware Identity Manager administrator.
    vidm_password: Enter the password for the VMware Identity Manager administrator.
    vidm_insecure: Enter false to verify TLS certificates or true to disable certificate verification.
    vidm_group: Enter the user group in VMware Identity Manager to use for federation.

  5. Deploy the updated configuration.
    sudo viocli deployment configure

    Deploying the configuration briefly interrupts OpenStack services.

  6. Assign projects and roles to federated users or groups.
    1. Log in to the VMware Integrated OpenStack dashboard as a cloud administrator.
    2. Select the admin project from the drop-down menu in the title bar.
    3. Select Identity > Projects.
    4. Click Manage Members next to the desired project.
    5. Add federated users or groups and specify the desired roles.
    6. Click Save.
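Before deploying the configuration, it is worth checking the federation block of custom.yml against the constraints the parameter table states (saml2 protocol, an IdP ID without spaces or special characters, an https metadata URL on the same vIDM host, and vidm_insecure left at false). The following checker is an added example, not part of VMware Integrated OpenStack; it parses only the flat key: value lines shown above and uses constructed placeholder hostnames and names.

```python
import re
from urllib.parse import urlparse

# Constructed custom.yml fragment; hostnames, group names and the password are placeholders.
SAMPLE_CUSTOM_YML = """
federation_protocol: saml2
federation_idp_id: vidm
federation_idp_name: VMware Identity Manager
federation_idp_metadata_url: https://vidm.example.com/SAAS/API/1.0/GET/metadata/idp.xml
federation_group: federated_users
federation_group_description: Users federated from VMware Identity Manager
vidm_address: https://vidm.example.com
vidm_user: admin
vidm_password: PLACEHOLDER_PASSWORD
vidm_insecure: true
vidm_group: openstack-users
"""

def parse_simple_yaml(text):
    """Parse flat 'key: value' lines (all this fragment needs; no PyYAML dependency)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")   # split on the first colon only; values may hold URLs
        settings[key.strip()] = value.strip()
    return settings

def check_federation_settings(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if settings.get("federation_protocol") != "saml2":
        findings.append("federation_protocol must be saml2")
    # The IdP ID is used in viocli operations and may not contain spaces or special characters.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", settings.get("federation_idp_id", "")):
        findings.append("federation_idp_id contains spaces or special characters")
    meta = urlparse(settings.get("federation_idp_metadata_url", ""))
    if meta.scheme != "https" or meta.path != "/SAAS/API/1.0/GET/metadata/idp.xml":
        findings.append("federation_idp_metadata_url must be https://<vidm-fqdn>/SAAS/API/1.0/GET/metadata/idp.xml")
    addr = urlparse(settings.get("vidm_address", ""))
    if addr.scheme != "https" or not addr.hostname:
        findings.append("vidm_address must be an https URL naming the vIDM FQDN")
    elif meta.hostname and meta.hostname != addr.hostname:
        findings.append("federation_idp_metadata_url host differs from vidm_address (expected the same vIDM instance)")
    # true disables TLS certificate verification, so IdP metadata and the admin credentials go to an unverified peer.
    if settings.get("vidm_insecure", "false").lower() == "true":
        findings.append("vidm_insecure is true: TLS certificate verification is disabled")
    return findings
```

Running the checker on the sample above reports only the vidm_insecure finding; set it to false and the fragment passes cleanly.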

Results

VMware Integrated OpenStack is integrated with VMware Identity Manager, and federated users and groups are imported into OpenStack. When you access the VMware Integrated OpenStack dashboard, you can choose the VMware Identity Manager identity provider to log in as a federated user.