You can configure VMware Integrated OpenStack to use VMware Identity Manager as an identity provider solution.
Users can authenticate with VMware Identity Manager over the Security Association Markup Language (SAML) 2.0 protocol or the OpenID Connect (OIDC) protocol.
- SAML 2.0 users must authenticate using the VMware Integrated OpenStack dashboard. The OpenStack command-line interface is not supported for SAML 2.0.
- OpenID Connect users can authenticate using the VMware Integrated OpenStack dashboard or the OpenStack command-line interface.
Prerequisites
- Deploy and configure VMware Identity Manager. For more information, see the VMware Identity Manager documentation.
- If you want to use the OIDC protocol and your VMware Identity Manager instance is using a self-signed certificate, ensure that the CA is installed as a trusted CA in VMware Identity Manager. For instructions, see Installing Trusted Root Certificates in the Installing and Configuring VMware Identity Manager document.
- Ensure that your VMware Identity Manager instance can communicate with the VMware Integrated OpenStack management network.
- The OpenStack
admin
user and VMware Identity Manageradmin
user cannot be in the same Keystone domain. If you want to import federated users into thedefault
domain, ensure that the VMware Identity Manageradmin
user is not part of the VMware Identity Manager group that you use for federation.
Procedure
- Log in to the Integrated OpenStack Manager web interface as the
admin
user. - In OpenStack Deployment, click the name of your deployment and open the Manage tab.
- On the Identity Federation tab, click Add.
- From the Federation type drop-down menu, select VIDM.
- Enter the required parameters.
Option Description Protocol type Select SAML2 or OIDC as the identity protocol.
Name Enter a name for the identity provider.
Note: The identity provider name cannot be changed after the identity provider has been added.Description Enter a description of the identity provider.
VIDM address Enter the FQDN of your VMware Identity Manager instance without the protocol (for example, vidm.example.com).
Note: The FQDN must be unique. A single VMware Identity Manager instance cannot be added to VMware Integrated OpenStack as two separate identity providers.VIDM username Enter the username of a VMware Identity Manager administrator.
VIDM password Enter the password for the specified administrator.
VIDM validate certs Select the checkbox to validate VMware Identity Manager certificates.
Important: If you have selected the OIDC protocol and your VMware Identity Manager instance is using a self-signed certificate, you must validate certificates. - (Optional) Select the Advanced settings checkbox to configure additional parameters.
- Under Common advanced settings, enter an OpenStack domain, project, and group into which federated users will be imported.
Note:
- If you do not enter a domain, project, or group, the following default values are used:
- Domain:
federated_domain
- Project:
federated_project
- Group:
federated_group
- Domain:
- Do not enter
federated
as the domain name. This name is reserved by Keystone. - If you provide custom mappings, you must enter all OpenStack domains, projects, and groups that are included in those mappings.
- If you do not enter a domain, project, or group, the following default values are used:
- In the Attribute mapping field, enter additional attributes in JSON format or upload a JSON file containing the desired attributes.
- Under VIDM advanced settings, enter a VMware Identity Manager tenant and group from which to import users.
If you are using a VMware Identity Manager instance in a vRealize Automation deployment, enter vsphere.local as the tenant. If you are using a standalone VMware Identity Manager instance, do not enter a tenant.
- Under SAML2 advanced settings, enter the URL to the federation metadata file for your VMware Identity Manager instance.
- In the SAML2 mapping field, enter SAML mappings in JSON format or upload a JSON file containing the desired mappings.
- Under OIDC advanced settings, enter the URL to the federation metadata file for your VMware Identity Manager instance.
- In the OIDC mapping field, enter OIDC mappings in JSON format or upload a JSON file containing the desired mappings.
- In the Mapped mapping field, enter OAuth mappings in JSON format or upload a JSON file containing the desired mappings.
- Under Common advanced settings, enter an OpenStack domain, project, and group into which federated users will be imported.
- Click OK.
Results
VMware Integrated OpenStack is created as a web application in VMware Identity Manager, and federated users and groups are imported from VMware Identity Manager into OpenStack. When you access the VMware Integrated OpenStack dashboard, you can choose the VMware Identity Manager identity provider to log in as a federated user.
Federated users are automatically assigned the member role. You can use the OpenStack command-line interface to assign cloud administrator privileges to federated users if necessary.
What to do next
If you want to create a new identity federation that uses the same VMware Identity Manager instance, delete the configured identity provider and ensure that the deletion is complete before adding it again.
To delete a configured identity provider, first select it in the Integrated OpenStack Manager web interface and click Delete, then wait until the deletion is complete.