This topic describes how to log into VMware Tanzu Operations Manager (Ops Manager) for the first time after a new Ops Manager deployment.

This topic also describes how to configure the Ops Manager default authentication with either SAML, LDAP, or internal authentication.

Overview

When you have a new installation of Ops Manager, you choose the default authentication and login method.

When you log in for the first time, you go to the fully qualified domain name (FQDN) in your web browser. You configure the FQDN when you first deploy Ops Manager. To log in, see Log In to Ops Manager For the First Time below.

Your login method and authentication choices are:

• Internal Authentication: Ops Manager maintains and manages your user database.

• SAML Identity Provider: An external identity server maintains your user database.

• LDAP Server: An external identity server maintains your user database.

Log In to Ops Manager For the First Time

To log in to Ops Manager for the first time with a new Ops Manager deployment:

1. In a web browser, navigate to Ops Manager using your FQDN. You set your FQDN when you configure Ops Manager before deployment.

2. When Ops Manager starts for the first time, choose one of the following procedures below:

   • Internal Authentication
   • SAML Identity Provider
   • LDAP Server

Log In to Ops Manager with Internal Authentication

To set up internal authentication that Ops Manager maintains:

1. When redirected to the Internal Authentication page:

   • Enter a Username, Password, and Password confirmation to create an Admin user.
   • Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Ops Manager datastore and is not recoverable.
   • If you are using an HTTP proxy or HTTPS proxy, follow the instructions in Configuring Proxy Settings for the BOSH CPI.
   • Read the End User License Agreement, and select the check box to accept the terms.
   • Click Setup Authentication.

2. Log in to Ops Manager with the Admin username and password you created in the previous step.

Log In to Ops Manager with SAML Identity Provider

To configure Ops Manager to log in by default using a SAML identity provider for user authentication:

1. Log in to your identity provider console and download the identity provider metadata XML. Optionally, if your identity provider supports metadata URL, you can copy the metadata URL instead of the XML.

2. Do one of the following, depending on if you use a separate identity provider for BOSH:

   • For the same identity provider: Copy the identity provider metadata XML or URL to the Ops Manager SAML Identity Provider login page.
     
     
   • For a separate identity provider: Copy the metadata XML or URL from that identity provider and enter it into the BOSH identity provider metadata text field in the Ops Manager login page.

3. Enter values for the fields listed below. Failure to provide values in these fields results in a 500 error.

   • SAML admin group: Enter the name of the SAML group that contains all Ops Manager administrators. This field is case-sensitive.
   • SAML groups attribute: Enter the groups attribute tag name with which you configured the SAML server. This field is case-sensitive.

4. Enter your Decryption passphrase. Read the End User License Agreement, and select the checkbox to accept the terms.

5. Your Ops Manager login page appears. Enter your username and password and click Login.

6. Download your SAML service provider metadata (SAML Relying Party metadata) by navigating to the following URLs:

   • Ops Manager SAML service provider metadata: https://OPS-MAN-FQDN:443/uaa/saml/metadata
   • BOSH Director SAML service provider metadata: https://BOSH-IP-ADDRESS:8443/saml/metadata.
     Where BOSH-IP-ADDRESS is in the Status pane of the BOSH Director tile.

7. Import the Ops Manager SAML provider metadata to your identity provider. If your identity provider does not support importing, provide the values below.

   • Single sign on URL: https://OPS-MAN-FQDN:443/uaa/saml/SSO/alias/OPS-MAN-FQDN
   • Audience URI (SP Entity ID): https://OP-MAN-FQDN:443/uaa
   • Name ID: Email Address
   • SAML authentication requests are always signed

8. Import the BOSH Director SAML provider metadata to your identity provider. If the identity provider does not support an import, provide the values below.

   • Single sign on URL: https://BOSH-IP:8443/saml/SSO/alias/BOSH-IP
   • Audience URI (SP Entity ID): https://BOSH-IP:8443
   • Name ID: Email Address
   • SAML authentication requests are always signed

Log In to Ops Manager with LDAP

To configure Ops Manager to log in by default using an LDAP server for user authentication:

1. For Server URL, enter the URL that points to your LDAP server. With multiple LDAP servers, separate their URLs with spaces. Each URL must include one of the following protocols:

   • ldap://: This specifies that the LDAP server uses an unencrypted connection.
   • ldaps://: This specifies that the LDAP server uses SSL for an encrypted connection and requires that the LDAP server holds a trusted certificate or that you import a trusted certificate to the JVM truststore.

2. For LDAP Username and LDAP Password, enter the LDAP Distinguished Name (DN) and the password for binding to the LDAP Server. Example DN: cn=administrator,ou=Users,dc=example,dc=com

   Note: VMware recommends that you provide LDAP credentials that grant read-only permissions on the LDAP Search Base and the LDAP Group Search Base. In addition to this, if the bind user belongs to a different search base, you must use the full DN.

   Caution: VMware recommends against reusing LDAP service accounts across environments. LDAP service accounts should not be subject to manual lockouts, such as lockouts that result from users utilizing the same account. Also, LDAP service accounts should not be subject to automated deletions, since disruption to these service accounts could prevent user logins.

3. For User Search Base, enter the location in the LDAP directory tree from which any LDAP User search begins. The typical LDAP Search Base matches your domain name. For example, a domain named “cloud.example.com” typically uses the following LDAP User Search Base: ou=Users,dc=example,dc=com

4. For User Search Filter, enter a string that defines LDAP User search criteria. These search criteria allow LDAP to perform more effective and efficient searches. For example, the standard LDAP search filter cn=Smith returns all objects with a common name equal to Smith.
   
   In the LDAP search filter string that you use to configure your runtime, use {0} instead of the username. For example, use cn={0} to return all LDAP objects with the same common name as the username.
   
   In addition to cn, other attributes commonly searched for and returned are mail, uid and, in the case of Active Directory, sAMAccountName.

   Note: For instructions for testing and troubleshooting your LDAP search filters, see Configuring LDAP Integration in the Knowledge Base.

5. For Group Search Base, enter the location in the LDAP directory tree from which the LDAP Group search begins. For example, a domain named “cloud.example.com” typically uses the following LDAP Group Search Base: ou=Groups,dc=example,dc=com

6. For Group Search Filter, enter a string that defines LDAP Group search criteria. The standard value is member={0}.

7. For Email Attribute, enter the attribute name in your LDAP directory that corresponds to the email address in each user record. For example, mail.

8. For LDAP RBAC Admin Group Name, enter the DN of the LDAP group you want to have admin permissions in Ops Manager.

9. From the dropdown, select how the UAA handles LDAP server referrals out to other external user stores. The UAA can:

   • Automatically follow any referrals.
   • Ignore referrals and return partial result.
   • Throw exception for each referral and abort.

10. For Server SSL Cert, paste in the root certificate from your CA certificate or your self-signed certificate.

11. Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Ops Manager datastore, and is not recoverable.

12. If you are using an HTTP proxy or HTTPS proxy, follow the instructions in Configuring Proxy Settings for the BOSH CPI.

13. Read the End User License Agreement, and select the checkbox to accept the terms.

14. Select Provision an admin client in the BOSH UAA. You can use this to enable BOSH automation with scripts and tooling. For more information, see Provision Admin Client in Creating UAA Clients for BOSH Director.

15. Click Setup Authentication.