This section covers VMware SD-WAN customers managing their user accounts through the VMware Cloud Services Platform (CSP) as the Identity Provider (IdP) for Single Sign On (SSO).

Overview

Customers configured to use Single Sign On (SSO) can use several Identity Providers (IdP) to manage their users. This section covers VMware's IdP: Cloud Services Platform (CSP).
Tip: CSP is the common life cycle management platform for all VMware SaaS offerings. For other VMware SaaS offerings, CSP covers onboarding, authentication, billing, ordering, support, and customer notification. The CSP integration with VMware SASE (including SD-WAN) in Release 5.2.0 is limited to authentication and authorization; additional integration is planned for later releases.

CSP consolidates and simplifies user management across multiple Orchestrators while integrating with IdPs that support SAML and OIDC, and provides a single touch point to ensure compliance with governmental regulations.

Important: Customers created on a Release 5.2.0 Hosted Orchestrator who are not assigned to a Partner are automatically configured for SSO using CSP as the IdP. As a result:
  • New administrators are created by an administrator with a Superuser role through the CSP portal.
  • In the event of a CSP outage, the customer is permitted one "break glass" administrator account that authenticates locally (username/password) so that the Orchestrator portal remains reachable.
  • New direct customers will need to use token-based authentication for API access. They will not be able to use cookie-based authentication as user creation moves to CSP.

In a later SD-WAN Release, VMware will require all customers using a Hosted Orchestrator, whether new or existing, to configure their enterprise to use CSP as their IdP.

On-Premises Orchestrators are not subject to CSP requirements; their customers continue to use Orchestrator-based authentication.

Prerequisites

Before you can configure your SD-WAN account on your assigned VMware SASE Orchestrator, you must first buy SD-WAN.

Creating a Customer Organization on the Cloud Services Platform

Once the customer's SD-WAN order is confirmed:
  1. VMware sends you an invitation email.

    This email includes a link to the Orchestrator you will use to manage your enterprise, along with a link to create your organization on CSP.
    Note: Your customer domain details form the basis for your customer account on the Orchestrator. Your geolocation determines the Orchestrator to which your enterprise is assigned.
  2. Where the email reads "Follow this link to setup your CSP account" click on the link to set up your CSP organization.
  3. Clicking the link redirects you to the CSP site, where you configure your CSP account. This can be an existing organization or a new one.
  4. Under Organization > Details configure the details of your account, including the Organization ID that VMware SASE provided you as part of your order.
    Important: During CSP customer onboarding, you must provide a physical address. In addition, your customer domain name will be validated prior to configuring federation.
    Then click on the Organization > OAuth Apps tab to configure the Domains Linked to Identity Provider along with the other fields and options on this page.

  5. Once you have completed configuring your CSP organization you can now add new users to your CSP organization.

Add Users to Your CSP Organization

  1. On the VMware Cloud Services page, click the Identity & Access Management tab, click Active Users, and then click Add New Users.

  2. On the Add New Users page, add new users by email address. Each user must be assigned two roles:
    1. An Organization Role (or roles): the user's role within your CSP Organization.
    2. A Service Role: the user's role when logged on to the Orchestrator.
  3. Once all roles have been configured, click ADD to add these users to your CSP Organization.

Logging on to the SASE Orchestrator using CSP

Anyone added as a user in the previous step may now log on to their Enterprise on the SASE Orchestrator. To log in to the Orchestrator:
  1. Navigate to the Orchestrator's login page using the Orchestrator URL in the email invite you received.

  2. On the Orchestrator login screen, click SIGN IN WITH YOUR IDENTITY PROVIDER.

  3. On the Sign in using Identity Provider page, enter the domain for your account and click SIGN IN.

  4. You will then be redirected back to CSP.

  5. On the CSP login screen, enter your email address and click NEXT.

    Note: Two Factor Authentication (2FA) uses a time-based one-time password (TOTP) app, Google Authenticator. Twilio is not used for new direct customers.
  6. A successful login with your CSP account redirects you back to your enterprise home page on the Orchestrator. What you can see and do there corresponds to the Service Role you were assigned in CSP.

Additional Resources

For more information about using CSP as an IdP in VMware SD-WAN, see Configure VMware CSP for Single Sign On.

For more information about adding new users on the Cloud Services Platform, see Using VMware Cloud Services Console - Identity and Access Management.