If you have an existing vRealize Automation or VMware Identity Manager deployment, you can use VMware Identity Manager as an identity provider solution.
This integration applies to VMware Identity Manager users who authenticate with OpenStack Horizon. Authentication using the OpenStack CLI is not supported.
If you previously integrated your VMware Integrated OpenStack deployments with VMware Identity Manager as a single sign-on solution using the custom.yml file, you must reconfigure integration after upgrading to VMware Integrated OpenStack 5.0.
- Add VMware Identity Manager as the Identity Provider on the OpenStack Management Server deployment.
viocli federation identity-provider add
Enter input for prompts.
Identity provider type
Enter vidm. Value is case insensitive.
Identity provider name
Unique name to identify the Identity Provider. Name must not include special characters or spaces that the URL cannot interpret.
Identity provider display name
Human readable name to identify the Identity Provider in Horizon. Appears in the Horizon drop down menu.
VMware Identity Manager
Human readable name to identify the Identity Provider in Keystone and VMware Integrated OpenStack.
VMware Identity Manager @ vio-identity-manager.eng.vmware.com
vIDM endpoint address
Endpoint address of the vIDM deployment
vIDM admin user
User must have permission to list users.
vIDM admin password
Do not verify certificates when establishing TLS/SSL connections.
Enter True or False. True disables certificate verification when establishing TLS/SSL connections.
Tenant name to be used when registering the Keystone instance in vIDM.
If integrating with vIDM, the value can be left blank.
If integrating with vRA, enter vsphere.local.
Enter the name of the domain that federated users associate with.
Name of the domain to which all federated users belong. If uncertain of the domain, enter Default. If it does not exist, VMware Integrated OpenStack creates the domain.
Enter the name of the groups that federated users associate with (separated by commas ",").
Name of the groups to which all federated users belong. If using a customized mapping file, include all defined groups. If no mapping file exists, VMware Integrated OpenStack creates the groups within the domain.
- Configure the deployment
viocli identity configure
Following configuration, expect a period of downtime to your VMware Integrated OpenStack deployment.
What to do next
If you do not want to use the default mapping, you can customize mapping. See Customize Mapping.