This section covers VMware SD-WAN customers managing their user accounts through the VMware Cloud Services Platform (CSP) as the Identity Provider (IdP) for Single Sign On (SSO).
Overview
CSP consolidates and simplifies user management across multiple Orchestrators while integrating with IdPs that support SAML and OIDC, and provides a single touch point to ensure compliance with governmental regulations.
- New administrators are created by an administrator with a Superuser role through the CSP portal.
- In the event of a CSP outage, the customer is permitted one "break glass" administrator account with local authentication (username/password) to allow them to access their portal.
- New direct customers will need to use token-based authentication for API access. They will not be able to use cookie-based authentication as user creation moves to CSP.
In a later SD-WAN release, VMware will require all customers using a Hosted Orchestrator, whether new or existing, to configure their enterprise to use CSP as their IdP.
On-premises Orchestrators are not subject to CSP requirements, and their customers continue to use Orchestrator-based authentication.
Prerequisites
Before you can configure your SD-WAN account on your assigned VMware SASE Orchestrator, you must first purchase SD-WAN.
Creating a Customer Organization on the Cloud Services Platform
- VMware sends you an invitation email similar to the one shown below. This email includes a link to the Orchestrator you will be using to manage your enterprise, along with a link to create your organization on CSP.
Note: Your customer domain details form the basis of your customer account on the Orchestrator, and your geolocation determines the Orchestrator to which your enterprise is assigned.
- Where the email reads "Follow this link to setup your CSP account", click the link to set up your CSP organization.
- Clicking the link redirects you to the CSP site, where you configure your CSP account. This can be an existing organization or a new one.
- Configure the details of your account, including the Organization ID that VMware SASE provided you as part of your order.
Important: During CSP customer onboarding, you must provide a physical address. In addition, your customer domain name will be validated prior to configuring federation.
- Once you have finished configuring your CSP organization, you can add new users to it.
Add Users to Your CSP Organization
- Click the Identity & Access Management tab on the VMware Cloud Services page, then click Active Users, and then click Add New Users.
- On the Add New Users page, add new users by email address. Each user must be assigned two roles:
- An Organization Role (or roles): the user's role within your CSP Organization.
- A Service Role: the user's role when logged on to the Orchestrator.
- Once all roles have been configured, click ADD to add these users to your CSP Organization.
Logging on to the SASE Orchestrator using CSP
- Navigate to the Orchestrator's login page by returning to the email invite you received and clicking the Orchestrator URL link in the section highlighted below:
- On the Orchestrator login screen, click SIGN IN WITH YOUR IDENTITY PROVIDER.
- On the Sign in using Identity Provider page, enter the domain for your account and click SIGN IN.
- You are then redirected to CSP.
- On the CSP login screen, enter your email address and click NEXT.
Note: Two Factor Authentication (2FA) is done using Google Authenticator. Twilio is not used for new direct customers.
- A successful login with your CSP account redirects you back to your enterprise home page on the Orchestrator. Your view will be consistent with the Service Role you have been assigned in CSP.
Additional Resources
For more information about using CSP as an IdP in VMware SD-WAN, see Configure VMware CSP for Single Sign On.
For more information about adding new users on the Cloud Services Platform, see Using VMware Cloud Services Console - Identity and Access Management.