This topic describes how you can log into VMware Tanzu Operations Manager for the first time after deploying Tanzu Operations Manager. It also describes how you can configure the Tanzu Operations Manager default authentication with either SAML, LDAP, or internal authentication.

About login and authentication methods

When you have a new installation of Tanzu Operations Manager, you choose the default authentication and login method.

When you log in for the first time, you go to the fully qualified domain name (FQDN) in your web browser. You configure the FQDN when you first deploy Tanzu Operations Manager. To log in, see Log In to Tanzu Operations Manager For the First Time below.

Your login method and authentication choices are:

• Internal Authentication: Tanzu Operations Manager maintains and manages your user database.

• SAML Identity Provider: An external identity server maintains your user database.

• LDAP Server: An external identity server maintains your user database.

Log in to Tanzu Operations Manager for the first time

To log in to Tanzu Operations Manager for the first time with a new Tanzu Operations Manager deployment:

1. In a web browser, navigate to Tanzu Operations Manager using your FQDN. You set your FQDN when you configure Tanzu Operations Manager before deployment.

2. When Tanzu Operations Manager starts for the first time, choose one of the following procedures below:

   • Internal Authentication
   • SAML Identity Provider
   • LDAP Server

Log in to Tanzu Operations Manager with internal authentication

To set up internal authentication that Tanzu Operations Manager maintains:

1. When redirected to the Internal Authentication page:

   • Enter a Username, Password, and Password confirmation to create an Admin user.
   • Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Tanzu Operations Manager datastore and is not recoverable.
   • If you are using an HTTP proxy or HTTPS proxy, follow the instructions in Configuring Proxy Settings for the BOSH CPI.
   • Read the End User License Agreement, and select the check box to accept the terms.
   • Click Setup Authentication.

2. Log in to Tanzu Operations Manager with the Admin username and password you created in the previous step.

Log in to Tanzu Operations Manager with SAML identity provider

To configure Tanzu Operations Manager to log in by default using a SAML identity provider for user authentication:

1. Log in to your identity provider console and download the identity provider metadata XML. Optionally, if your identity provider supports metadata URL, you can copy the metadata URL instead of the XML.

2. Do one of the following, depending on if you use a separate identity provider for BOSH:

   • For the same identity provider: Copy the identity provider metadata XML or URL to the Tanzu Operations Manager SAML Identity Provider login page.
     
     
   • For a separate identity provider: Copy the metadata XML or URL from that identity provider and enter it into the BOSH identity provider metadata text box in the Tanzu Operations Manager login page.

3. Enter values for the following text boxes. Failure to provide values in these text boxes results in a 500 error.

   • SAML admin group: Enter the name of the SAML group that contains all Tanzu Operations Manager administrators. This text box is case-sensitive.
   • SAML groups attribute: Enter the groups attribute tag name with which you configured the SAML server. This text box is case sensitive.

4. Enter your Decryption passphrase. Read the End User License Agreement, and select the check box to accept the terms.

5. Your Tanzu Operations Manager login page appears. Enter your username and password and click Login.

6. Download your SAML service provider metadata (SAML Relying Party metadata) by navigating to the following URLs:

   • Tanzu Operations Manager SAML service provider metadata: https://OPS-MAN-FQDN:443/uaa/saml/metadata
   • BOSH Director SAML service provider metadata: https://BOSH-IP-ADDRESS:8443/saml/metadata.
     Where BOSH-IP-ADDRESS is in the Status pane of the BOSH Director tile.

7. Import the Tanzu Operations Manager SAML provider metadata to your identity provider. If your identity provider does not support importing, provide the values below.

   • Single sign on URL: https://OPS-MAN-FQDN:443/uaa/saml/SSO/alias/OPS-MAN-FQDN
   • Audience URI (SP Entity ID): https://OP-MAN-FQDN:443/uaa
   • Name ID: Email Address
   • SAML authentication requests are always signed

8. Import the BOSH Director SAML provider metadata to your identity provider. If the identity provider does not support an import, provide the values below.

   • Single sign on URL: https://BOSH-IP:8443/saml/SSO/alias/BOSH-IP
   • Audience URI (SP Entity ID): https://BOSH-IP:8443
   • Name ID: Email Address
   • SAML authentication requests are always signed

Log in to Tanzu Operations Manager with LDAP

To configure Tanzu Operations Manager to log in by default using an LDAP server for user authentication:

1. For Server URL, enter the URL that points to your LDAP server. With multiple LDAP servers, separate their URLs with spaces. Each URL must include one of the following protocols:

   • ldap://: This specifies that the LDAP server uses an unencrypted connection.
   • ldaps://: This specifies that the LDAP server uses SSL for an encrypted connection and requires that the LDAP server holds a trusted certificate or that you import a trusted certificate to the JVM truststore.

2. For LDAP Username and LDAP Password, enter the LDAP Distinguished Name (DN) and the password for binding to the LDAP Server. Example DN: cn=administrator,ou=Users,dc=example,dc=com %= vars.company_name %> recommends that you provide LDAP credentials that grant read-only permissions on the LDAP Search Base and the LDAP Group Search Base. In addition to this, if the bind user belongs to a different search base, you must use the full DN.

   VMware recommends against reusing LDAP service accounts across environments. LDAP service accounts are not subject to manual lockouts. For example, lockouts that result from users using the same account. Also, LDAP service accounts are not subject to automated deletions, since disruption to these service accounts could prevent user logins.

3. For User Search Base, enter the location in the LDAP directory tree from which any LDAP User search begins. The typical LDAP Search Base matches your domain name. For example, a domain named “cloud.example.com” typically uses the following LDAP User Search Base: ou=Users,dc=example,dc=com

4. For User Search Filter, enter a string that defines LDAP User search criteria. These search criteria allow LDAP to perform more effective and efficient searches. For example, the standard LDAP search filter cn=Smith returns all objects with a common name equal to Smith.
   
   In the LDAP search filter string that you use to configure your runtime, use {0} instead of the username. For example, use cn={0} to return all LDAP objects with the same common name as the username.
   
   In addition to cn, other attributes commonly searched for and returned are mail, uid and, in the case of Active Directory, sAMAccountName.

   For instructions for testing and troubleshooting your LDAP search filters, see Configuring LDAP Integration.

5. For Group Search Base, enter the location in the LDAP directory tree from which the LDAP Group search begins. For example, a domain named cloud.example.com typically uses the following LDAP Group Search Base: ou=Groups,dc=example,dc=com

6. For Group Search Filter, enter a string that defines LDAP Group search criteria. The standard value is member={0}.

7. For Email Attribute, enter the attribute name in your LDAP directory that corresponds to the email address in each user record. For example, mail.

8. For LDAP RBAC Admin Group Name, enter the DN of the LDAP group you want to have admin permissions in Tanzu Operations Manager.

9. From the drop-down menu, select how the UAA handles LDAP server referrals out to other external user stores. The UAA can:

   • Automatically follow any referrals.
   • Ignore referrals and return partial result.
   • Throw exception for each referral and abort.

10. For Server SSL Cert, paste in the root certificate from your CA certificate or your self-signed certificate.

11. Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Tanzu Operations Manager datastore, and is not recoverable.

12. If you are using an HTTP proxy or HTTPS proxy, follow the instructions in Configuring Proxy Settings for the BOSH CPI.

13. Read the End User License Agreement, and select the check box to accept the terms.

14. Click Provision an admin client in the BOSH UAA. You can use this to enable BOSH automation with scripts and tooling. For more information, see Provision Admin Client in Creating UAA Clients for BOSH Director.

15. Click Setup Authentication.