This topic describes how you can log into VMware Tanzu Operations Manager for the first time after deploying Tanzu Operations Manager. It also describes how you can configure the Tanzu Operations Manager default authentication with either SAML, LDAP, or internal authentication.

About login and authentication methods

When you have a new installation of Tanzu Operations Manager, you choose the default authentication and login method.

When you log in for the first time, you go to the fully qualified domain name (FQDN) in your web browser. You configure the FQDN when you first deploy Tanzu Operations Manager. To log in, see Log In to Tanzu Operations Manager For the First Time.

Your login method and authentication choices are:

Log in to Tanzu Operations Manager for the first time

To log in to Tanzu Operations Manager for the first time with a new Tanzu Operations Manager deployment:

  1. In a web browser, go to Tanzu Operations Manager using your FQDN. You set your FQDN when you configure Tanzu Operations Manager before deployment.

  2. When Tanzu Operations Manager starts for the first time, choose one of the following procedures:

Log in to Tanzu Operations Manager with internal authentication

To set up internal authentication that Tanzu Operations Manager maintains:

  1. When redirected to the Internal Authentication page:

    • Enter a Username, Password, and Password confirmation to create an Admin user.
    • Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Tanzu Operations Manager datastore and is not recoverable.
    • If you are using an HTTP proxy or HTTPS proxy, follow the instructions in Configuring Proxy Settings for the BOSH CPI.
    • Read the End User License Agreement, and select the check box to accept the terms.
    • Click Setup Authentication.
  2. Log in to Tanzu Operations Manager with the Admin username and password you created in the previous step.

Log in to Tanzu Operations Manager with SAML identity provider

To configure Tanzu Operations Manager to log in by default using a SAML identity provider for user authentication:

  1. Log in to your identity provider console and download the identity provider metadata XML. Optionally, if your identity provider supports metadata URL, you can copy the metadata URL instead of the XML.

  2. Do one of the following, depending on if you use a separate identity provider for BOSH:

    • For the same identity provider: Copy the identity provider metadata XML or URL to the Tanzu Operations Manager SAML Identity Provider login page.

    • For a separate identity provider: Copy the metadata XML or URL from that identity provider and enter it into the BOSH identity provider metadata text box in the Tanzu Operations Manager login page.
  3. Enter values for the following fields. Failure to provide values in these text boxes results in a 500 error.

    • SAML admin group: Enter the name of the SAML group that contains all Tanzu Operations Manager administrators. This text box is case-sensitive.
    • SAML groups attribute: Enter the groups attribute tag name with which you configured the SAML server. This text box is case-sensitive.
  4. Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Tanzu Operations Manager datastore, and is not recoverable.

  5. If you are using an HTTP proxy or HTTPS proxy, see Configuring proxy settings for the BOSH CPI.

  6. Read the End User License Agreement and select the check box to accept the terms.

  7. Click Provision an admin client in the BOSH UAA. You can use this to enable BOSH automation with scripts and tooling. For more information about this option, see Provision admin client in Creating UAA clients for the BOSH Director.

  8. Click Setup Authentication.

  9. Your Tanzu Operations Manager login page appears. Enter your username and password and click Login.

  10. Download your SAML service provider metadata (SAML Relying Party metadata) by navigating to the following URLs:

    • Tanzu Operations Manager SAML service provider metadata: https://OPS-MAN-FQDN:443/uaa/saml/metadata
    • BOSH Director SAML service provider metadata: https://BOSH-IP-ADDRESS:8443/saml/metadata
      BOSH-IP-ADDRESS is shown in the Status pane of the BOSH Director tile.
  11. Import the Tanzu Operations Manager SAML provider metadata to your identity provider. If your identity provider does not support importing, provide the following values:

    • Single sign on URL: https://OPS-MAN-FQDN:443/uaa/saml/SSO/alias/OPS-MAN-FQDN
    • Audience URI (SP Entity ID): https://OPS-MAN-FQDN:443/uaa
    • Name ID: Email Address
    • SAML authentication requests are always signed
  12. Import the BOSH Director SAML provider metadata to your identity provider. If the identity provider does not support an import, provide the following values:

    • Single sign on URL: https://BOSH-IP:8443/saml/SSO/alias/BOSH-IP
    • Audience URI (SP Entity ID): https://BOSH-IP:8443
    • Name ID: Email Address
    • SAML authentication requests are always signed

Log in to Tanzu Operations Manager with LDAP

To configure Tanzu Operations Manager to log in by default using an LDAP server for user authentication:

  1. For Server URL, enter the URL that points to your LDAP server. With multiple LDAP servers, separate their URLs with spaces. Each URL must include one of the following protocols:

    • ldap://: This specifies that the LDAP server uses an unencrypted connection.
    • ldaps://: This specifies that the LDAP server uses SSL for an encrypted connection and requires that the LDAP server holds a trusted certificate or that you import a trusted certificate to the JVM truststore.
  2. For LDAP Username and LDAP Password, enter the LDAP Distinguished Name (DN) and the password for binding to the LDAP Server. Example DN: cn=administrator,ou=Users,dc=example,dc=com

    VMware recommends that you provide LDAP credentials that grant read-only permissions on the LDAP Search Base and the LDAP Group Search Base. In addition to this, if the bind user belongs to a different search base, you must use the full DN.

    VMware recommends against reusing LDAP service accounts across environments. LDAP service accounts are not subject to manual lockouts, such as the lockouts that result from several users sharing the same account. LDAP service accounts are also not subject to automated deletions, because disrupting these service accounts could prevent user logins.

  3. For User Search Base, enter the location in the LDAP directory tree from which any LDAP User search begins. The typical LDAP Search Base matches your domain name. For example, a domain named “cloud.example.com” typically uses the following LDAP User Search Base: ou=Users,dc=example,dc=com

  4. For User Search Filter, enter a string that defines LDAP User search criteria. These search criteria allow LDAP to perform more effective and efficient searches. For example, the standard LDAP search filter cn=Smith returns all objects with a common name equal to Smith.

    In the LDAP search filter string that you use to configure your runtime, use {0} instead of the username. For example, use cn={0} to return all LDAP objects with the same common name as the username.

    In addition to cn, other attributes commonly searched for and returned are mail, uid and, in the case of Active Directory, sAMAccountName.

    For instructions for testing and troubleshooting your LDAP search filters, see Configuring LDAP Integration in the Knowledge Base.

  5. For Group Search Base, enter the location in the LDAP directory tree from which the LDAP Group search begins. For example, a domain named “cloud.example.com” typically uses the following LDAP Group Search Base: ou=Groups,dc=example,dc=com

  6. For Group Search Filter, enter a string that defines LDAP Group search criteria. The standard value is member={0}.
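The {0} placeholder in the User Search Filter (step 4) and the Group Search Filter (step 6) is replaced at login time by the username or the user's DN. The following added example (not UAA's own implementation) shows that substitution, and why the substituted value has to be escaped per RFC 4515 so that a login name containing filter metacharacters is matched literally rather than widening the search; the filter templates and sample values are constructed.

```python
# Added example: fill the {0} placeholder in LDAP search filters safely.
# Not UAA or Tanzu Operations Manager code; sample values are constructed.

# RFC 4515 escapes for characters that have meaning inside a filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as a literal inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """Substitute the escaped value for {0} in a template such as cn={0}
    or member={0}, and wrap the result in parentheses if the template
    was written without them."""
    expanded = template.replace("{0}", escape_filter_value(value))
    if not expanded.startswith("("):
        expanded = f"({expanded})"
    return expanded


# Attributes the page lists as commonly searched: cn, mail, uid and, for
# Active Directory, sAMAccountName.
USER_FILTER_TEMPLATES = ["cn={0}", "mail={0}", "uid={0}", "sAMAccountName={0}"]


def user_filters(username: str) -> list:
    """Expand each user search template for the given login name."""
    return [build_filter(t, username) for t in USER_FILTER_TEMPLATES]


def group_filter(user_dn: str) -> str:
    """Expand the standard Group Search Filter member={0}, where {0} is the
    DN of the user found by the user search."""
    return build_filter("member={0}", user_dn)


if __name__ == "__main__":
    print(user_filters("jsmith"))
    # Metacharacters in the login name are escaped, so this searches for a
    # user literally named "*)(uid=*" instead of matching every entry.
    print(build_filter("cn={0}", "*)(uid=*"))
    print(group_filter("cn=jsmith,ou=Users,dc=example,dc=com"))
```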

  7. For Email Attribute, enter the attribute name in your LDAP directory that corresponds to the email address in each user record. For example, mail.

  8. For LDAP RBAC Admin Group Name, enter the DN of the LDAP group you want to have admin permissions in Tanzu Operations Manager.

  9. From the drop-down menu, select how the UAA handles LDAP server referrals out to other external user stores. The UAA can:

    • Automatically follow any referrals.
    • Ignore referrals and return a partial result.
    • Throw an exception for each referral and abort.
  10. For Server SSL Cert, paste in the root certificate from your CA certificate or your self-signed certificate.

  11. Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Tanzu Operations Manager datastore, and is not recoverable.

  12. If you are using an HTTP proxy or HTTPS proxy, follow the instructions in Configuring Proxy Settings for the BOSH CPI.

  13. Read the End User License Agreement, and select the check box to accept the terms.

  14. Click Provision an admin client in the BOSH UAA. You can use this to enable BOSH automation with scripts and tooling. For more information, see Provision Admin Client in Creating UAA Clients for BOSH Director.

  15. Click Setup Authentication.

Log in to Tanzu Operations Manager with OIDC Identity Provider

To configure Tanzu Operations Manager to default to an OpenID Connect (OIDC) provider for user authentication:

  1. In your OIDC provider, create a new client for Tanzu Operations Manager to use for authentication.

    • For “Grant Type”, select “Authorization Code”.
    • Register https://OPS-MAN-FQDN/uaa/login/callback/oidc as a valid redirect_uri for the client.
    • If you plan to use OIDC authentication for the BOSH CLI, register https://BOSH-FQDN-OR-IP:8443/uaa/login/callback/oidc as a valid redirect_uri for the client. If you intend to use the BOSH FQDN, you must configure that later in the BOSH Director configuration.
  2. For Discovery URL, enter your OIDC service provider discovery URL.

  3. For Client ID, enter the “Client ID” created in Step 1.

  4. For Client Secret, enter the “Client Secret” created in Step 1.

  5. For Scopes, enter the scopes to request from the OIDC provider as a comma-separated list. You must include the following scopes:

    • The openid scope
    • A scope that allows access to the group claim
    • Standard email and profile scopes, if you plan to use the claims listed in the next step to populate common fields in UAA
  6. Enter the claims used to populate the UAA user store with data from the OIDC provider.

    • Enter the External Groups Claim to populate associated groups for the user in UAA. Enter the OIDC provider’s token claim that contains the groups to which the user belongs. Only the provided OIDC Admin Group Name and the default group names of opsman.full_control, opsman.restricted_control, opsman.full_view and opsman.restricted_view are mapped to UAA groups.
    • (Optional) Enter the Username Claim to populate the username field in UAA. Tanzu Operations Manager uses this to show the current logged-in user.
  7. For OIDC Admin Group Name, enter the OIDC provider group name that corresponds to users who receive admin access. Users in this OIDC group are granted the opsman.admin scope in UAA.
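Steps 5 through 7 describe two checks worth making before you click Setup Authentication: that the provider advertises every scope you request, and which groups from the External Groups Claim actually become UAA groups (only the OIDC Admin Group Name, which grants opsman.admin, and the four default opsman.* group names; everything else is dropped). The following added example (not UAA's own code) models both rules over a constructed discovery document and a constructed set of ID token claims.

```python
# Added example: model the OIDC scope and group-mapping rules from the page.
# Not UAA or Tanzu Operations Manager code; sample data is constructed.

# Default UAA group names that pass through the External Groups Claim.
DEFAULT_UAA_GROUPS = {
    "opsman.full_control",
    "opsman.restricted_control",
    "opsman.full_view",
    "opsman.restricted_view",
}


def map_external_groups(claims: dict, groups_claim: str, admin_group: str) -> set:
    """Return the UAA groups derived from the token's groups claim.
    Assumed behaviour per the page: admin_group grants opsman.admin, default
    group names pass through unchanged, and every other group is ignored."""
    raw = claims.get(groups_claim, [])
    if isinstance(raw, str):  # some providers emit a single string, not a list
        raw = [raw]
    mapped = set()
    for group in raw:
        if group == admin_group:
            mapped.add("opsman.admin")
        elif group in DEFAULT_UAA_GROUPS:
            mapped.add(group)
    return mapped


def missing_scopes(discovery: dict, requested: str) -> list:
    """Compare the comma-separated Scopes setting against scopes_supported in
    the provider's discovery document; return the scopes it does not advertise."""
    wanted = [s.strip() for s in requested.split(",") if s.strip()]
    supported = set(discovery.get("scopes_supported", []))
    return [s for s in wanted if s not in supported]


# Constructed sample data, not from a real provider.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code"],
}
SAMPLE_CLAIMS = {
    "sub": "jsmith",
    "email": "jsmith@example.test",
    "groups": ["platform-admins", "opsman.full_view", "finance"],
}

if __name__ == "__main__":
    print(map_external_groups(SAMPLE_CLAIMS, "groups", "platform-admins"))
    print(missing_scopes(SAMPLE_DISCOVERY, "openid, groups, email, profile"))
```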

  8. Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Tanzu Operations Manager datastore, and is not recoverable.

  9. If you are using an HTTP proxy or HTTPS proxy, see Configuring proxy settings for the BOSH CPI.

  10. Read the End User License Agreement and select the check box to accept the terms.

  11. Click Provision an admin client in the BOSH UAA. You can use this to enable BOSH automation with scripts and tooling. For more information about this option, see Provision admin client in Creating UAA clients for the BOSH Director.

  12. Click Setup Authentication.
