If you have an existing vRealize Automation or VMware Identity Manager deployment, you can use VMware Identity Manager as an identity provider solution.

This integration applies to VMware Identity Manager users who authenticate with OpenStack Horizon. Authentication using the OpenStack CLI is not supported.

Note:

If you previously integrated your VMware Integrated OpenStack deployments with VMware Identity Manager as a single sign-on solution using the custom.yml file, you must reconfigure integration after upgrading to VMware Integrated OpenStack 5.0.

Procedure

  1. Add VMware Identity Manager as the Identity Provider on the OpenStack Management Server deployment.
    viocli federation identity-provider add

    Enter input for prompts.

    Prompt

    Description

    Sample Value

    Identity provider type

    Enter vidm. Value is case insensitive.

    vidm

    Identity provider name

    Unique name to identify the Identity Provider. Name must not include special characters or spaces that the URL cannot interpret.

    vidm

    Identity provider display name

    Human readable name to identify the Identity Provider in Horizon. Appears in the Horizon drop down menu.

    VMware Identity Manager

    Description

    Human readable name to identify the Identity Provider in Keystone and VMware Integrated OpenStack.

    VMware Identity Manager @ vio-identity-manager.eng.vmware.com

    vIDM endpoint address

    Endpoint address of the vIDM deployment

    https://vio-identity-manager.eng.vmware.com

    vIDM admin user

    User must have permission to list users.

    admin

    vIDM admin password

    vmware

    Do not verify certificates when establishing TLS/SSL connections.

    Enter True or False. True disables certificate verification when establishing TLS/SSL connections.

    True

    vIDM Tenant

    Tenant name to be used when registering the Keystone instance in vIDM.

    • If integrating with vIDM, the value can be left blank.

    • If integrating with vRA, enter vsphere.local.

    (blank)

    Enter the name of the domain that federated users associate with.

    Name of the domain to which all federated users belong. If uncertain of the domain, enter Default. If it does not exist, VMware Integrated OpenStack creates the domain.

    Default

    Enter the name of the groups that federated users associate with (separated by commas ",").

    Name of the groups to which all federated users belong. If using a customized mapping file, include all defined groups. If no mapping file exists, VMware Integrated OpenStack creates the groups within the domain.

    (blank)

  2. Configure the deployment
    viocli identity configure

    Following configuration, expect a period of downtime to your VMware Integrated OpenStack deployment.

What to do next

If you do not want to use the default mapping, you can customize mapping. See Customize Mapping.