You can configure VMware Integrated OpenStack to use VMware Identity Manager as an identity provider solution.

Users can authenticate with VMware Identity Manager over the Security Assertion Markup Language (SAML) 2.0 protocol. Federated users must authenticate using the VMware Integrated OpenStack dashboard. The OpenStack command-line interface is not supported.

Prerequisites

  • Deploy and configure VMware Identity Manager 2.8 or later.
  • Ensure that your VMware Identity Manager instance can communicate with the VMware Integrated OpenStack management network.

If you want to import custom mappings instead of using the default mappings, prepare the mapping files in advance.

  • Create a mapping file in JSON format and save it on the OpenStack Management Server. For more information, see Mapping Combinations in the OpenStack documentation.
  • In your mapping file, do not use federated as the domain name. This name is reserved by Keystone.
  • Create a SAML attribute mapping file in JSON format and save it on the OpenStack Management Server. Use the following structure:
    [
        {
            "name": "attribute-1",
            "id": "id-1"
        },
        {
            "name": "attribute-2",
            "id": "id-2"
        },
        ...
    ]
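The two mapping files above are consumed by viocli without much feedback, so it pays to check them before running the procedure. The following script is an added example, not VMware's or Keystone's own code: it parses a Keystone mapping rules file (assumed to use the standard Keystone `{"rules": [{"local": [...], "remote": [...]}]}` format) and a SAML attribute mapping file in the structure shown above, then reports the mistakes this page warns about: a domain named `federated`, groups that appear in the mapping file but were not listed when the identity provider was added, and remote attributes a rule references that the attribute mapping does not define. The sample documents, domain and group names are constructed, and matching rule remote types against the attribute mapping `name` field is an assumption.

```python
"""Pre-flight checks for custom Keystone federation mapping files.

Added example (not VMware's own code). Validates a Keystone mapping rules file
and a SAML attribute mapping file against the constraints stated in the
prerequisites before they are handed to
`viocli federation identity-provider add`.
"""
import json

RESERVED_DOMAIN = "federated"  # reserved by Keystone; never use it as a domain name

# Constructed sample mapping rules file (standard Keystone mapping format).
# Domain and group names are placeholders, not values from any real deployment.
SAMPLE_RULES_JSON = """
{
  "rules": [
    {
      "local": [
        {"user": {"name": "{0}"}},
        {"group": {"name": "cloud-admins", "domain": {"name": "vidm-users"}}}
      ],
      "remote": [
        {"type": "userName"},
        {"type": "groups", "any_one_of": ["openstack-admins"]}
      ]
    },
    {
      "local": [
        {"user": {"name": "{0}"}},
        {"group": {"name": "cloud-users", "domain": {"name": "vidm-users"}}}
      ],
      "remote": [
        {"type": "userName"},
        {"type": "groups", "not_any_of": ["openstack-admins"]}
      ]
    }
  ]
}
"""

# Constructed sample attribute mapping file, in the structure the page shows.
SAMPLE_ATTRIBUTES_JSON = """
[
  {"name": "userName", "id": "userName"},
  {"name": "groups",   "id": "groups"}
]
"""


def load_rules(text):
    """Parse the mapping rules file and return its non-empty 'rules' list."""
    rules = json.loads(text).get("rules")
    if not isinstance(rules, list) or not rules:
        raise ValueError("mapping file must contain a non-empty 'rules' list")
    return rules


def load_attribute_mapping(text):
    """Parse the attribute mapping file; return the set of attribute names."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("attribute mapping must be a JSON list")
    for entry in entries:
        if set(entry) != {"name", "id"}:
            raise ValueError(f"entry must have exactly 'name' and 'id': {entry}")
    return {entry["name"] for entry in entries}


def referenced_groups(rules):
    """Collect (group name, domain name) pairs from the local side of each rule."""
    found = set()
    for rule in rules:
        for local in rule.get("local", []):
            group = local.get("group")
            if group and "name" in group:
                found.add((group["name"], group.get("domain", {}).get("name")))
    return found


def remote_types(rules):
    """Collect every remote attribute type the rules match on."""
    return {r["type"] for rule in rules for r in rule.get("remote", []) if "type" in r}


def check_mapping(rules_text, attributes_text, federated_domain, cli_groups):
    """Return a list of problems; an empty list means the files pass all checks.

    federated_domain and cli_groups are the domain and group names you intend
    to enter at the viocli prompts.
    """
    problems = []
    rules = load_rules(rules_text)
    attrs = load_attribute_mapping(attributes_text)
    if federated_domain == RESERVED_DOMAIN:
        problems.append(f"domain name '{RESERVED_DOMAIN}' is reserved by Keystone")
    for group, domain in referenced_groups(rules):
        if domain == RESERVED_DOMAIN:
            problems.append(f"group '{group}' is mapped into reserved domain '{RESERVED_DOMAIN}'")
        if group not in cli_groups:
            problems.append(f"group '{group}' is in the mapping file but not in the viocli group list")
    for missing in sorted(remote_types(rules) - attrs):
        problems.append(f"rules reference remote attribute '{missing}' absent from the attribute mapping")
    return problems


if __name__ == "__main__":
    for problem in check_mapping(SAMPLE_RULES_JSON, SAMPLE_ATTRIBUTES_JSON,
                                 "vidm-users", {"cloud-admins", "cloud-users"}):
        print("PROBLEM:", problem)
```

Run it against your real files by reading them from disk in place of the constructed samples; any reported problem should be fixed before step 3 of the procedure, because groups and domains are created as entered and a mismatch leaves federated users mapped into groups that do not exist.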

Procedure

  1. Log in to the OpenStack Management Server as viouser.
  2. Add VMware Identity Manager as an identity provider.
    sudo viocli federation identity-provider add --type vidm
  3. Enter the following information as prompted.
    Option Description
    Identity provider name

    Enter a name for the identity provider. This name is used in OpenStack Management Server command-line operations and cannot include special characters or spaces.

    Identity provider display name (for Horizon)

    Enter a display name for the identity provider. This name is shown to users under Authenticate using when they log in to the VMware Integrated OpenStack dashboard.

    Description

    (Optional) Enter a description of the identity provider.

    vIDM endpoint address

    Enter the FQDN of your VMware Identity Manager instance (for example, https://vxlan-vm-2-10.network.example.com).

    vIDM admin user

    Enter the user name of a VMware Identity Manager administrator.

    vIDM admin password

    Enter the password for the VMware Identity Manager administrator.

    Do not verify certificates when establishing TLS/SSL connections

    Enter false to verify TLS certificates or true to disable certificate verification.

    vIDM tenant name

    If you are using VMware Identity Manager within a vRealize Automation deployment, enter vsphere.local. Otherwise, leave the value blank and press Enter.

    Enter the name of the domain that federated users associate with

    Enter the Keystone domain to which all federated users will belong. The domain will be created if it does not exist.

    Note: Do not enter federated for the domain name. This name is reserved by Keystone.

    Enter the name to the groups that federated users associate with (separated by commas ",")

    Enter one or more groups that contain federated users. If you want to use custom mappings, enter all groups that are included in your mapping file. Groups that you enter will be created if they do not exist.

    Do you want to change advanced settings?

    Enter n to use default mappings or y to specify mapping files.

    If you chose to change advanced settings, enter the following information as prompted.
    Option Description
    Do you wish to use a static file or template file for mapping rules

    Enter static to use a static mapping file or template to use a mapping template.

    Enter the local path of mapping rules file

    Enter the path to the mapping rules file on your local system.

    Do you wish to use a static file or template file for attribute mapping

    Enter static to use a static mapping file or template to use a mapping template.

    Enter the local path of attribute mapping file

    Enter the path to the attribute mapping file on your local system.

  4. Deploy the updated identity configuration.
    sudo viocli identity configure

    Deploying the identity configuration briefly interrupts OpenStack services.

Results

VMware Integrated OpenStack is integrated with VMware Identity Manager, and federated users and groups are imported into OpenStack. When you access the VMware Integrated OpenStack dashboard, you can choose the VMware Identity Manager identity provider to log in as a federated user.