You add a SAML service provider to vCenter Single Sign-On, and add vCenter Single Sign-On as the identity provider to that service. Going forward, when users log in to the service provider, the service provider authenticates those users with vCenter Single Sign-On.

About this task

Use this process if you want to integrate the Single Sign-On solution that is included with VMware vRealize Automation 7.0 and later with the vCenter Single Sign-On identity provider, or if you are working with another external SAML Service Provider.

The process involves importing the metadata from your SAML service provider into vCenter Single Sign-On, and importing the vCenter Single Sign-On metadata into your SAML service provider, so that each side has the other's entity ID, endpoints, and signing certificate.

Prerequisites

The target service must fully support the SAML 2.0 standard.

If the service provider's metadata does not follow the SAML 2.0 metadata schema exactly, you might have to edit the metadata file before you import it. For example, Active Directory Federation Services (ADFS) publishes federation metadata that mixes WS-Federation role descriptors into the SAML 2.0 EntityDescriptor, and you have to remove them before vCenter Single Sign-On accepts the file. Remove the RoleDescriptor elements with the following non-standard xsi:type values, and keep the SPSSODescriptor, its signing KeyDescriptor, and its AssertionConsumerService endpoints intact. The metadata carries the service provider's signing certificate and assertion consumer endpoints, and editing it invalidates any enveloped signature, so obtain it directly from the service provider over a trusted channel and review the edited file before importing it.

fed:ApplicationServiceType
fed:SecurityTokenServiceType
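The cleanup step above, as an added example that is not part of this documentation or of any VMware tooling: a Python script that removes the WS-Federation RoleDescriptor elements (matched by the local part of their xsi:type, since the fed prefix is document-defined), drops the enveloped ds:Signature that can no longer verify once the file is edited (an assumption here: vCenter Single Sign-On does not require a signed metadata file), and then checks that an SPSSODescriptor with a signing certificate and at least one AssertionConsumerService survives. The sample metadata, the entity IDs and the certificate value are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces used in ADFS FederationMetadata.xml. "fed" is the WS-Federation
# namespace whose RoleDescriptor types are not part of SAML 2.0 metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes on output

# Local names of the xsi:type values vCenter Single Sign-On does not accept.
NON_STANDARD_ROLE_TYPES = {"ApplicationServiceType", "SecurityTokenServiceType"}

# Constructed sample shaped like an ADFS metadata file (not real ADFS output).
SAMPLE_ADFS_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="http://adfs.example.test/adfs/services/trust">
  <ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered/>
  </RoleDescriptor>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICdummy</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/" index="0" isDefault="true"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
"""


def strip_wsfed_roles(metadata_xml):
    """Return (cleaned_xml, report) for an ADFS federation metadata document.

    Removes RoleDescriptor elements whose xsi:type is a WS-Federation type
    and the enveloped ds:Signature, then verifies the SP role is still usable.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")

    removed = []
    # findall() returns a list, so removing children while looping is safe.
    for role in root.findall("md:RoleDescriptor", NS):
        xsi_type = role.get("{%s}type" % NS["xsi"], "")
        # Compare the local name only: ADFS binds the prefix "fed", but the
        # prefix is whatever the document declares, so do not rely on it.
        if xsi_type.split(":")[-1] in NON_STANDARD_ROLE_TYPES:
            root.remove(role)
            removed.append(xsi_type)

    sig = root.find("ds:Signature", NS)
    if sig is not None:  # signature no longer matches the edited content
        root.remove(sig)
        removed.append("ds:Signature")

    # Nothing from the WS-Federation namespace may remain anywhere in the tree.
    leftovers = [e.tag for e in root.iter() if e.tag.startswith("{%s}" % NS["fed"])]
    if leftovers:
        raise ValueError("WS-Federation elements remain: %s" % leftovers)

    # What vCenter needs from a service provider must still be present.
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor left after cleanup")
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)]
    certs = sp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not acs or not certs:
        raise ValueError("SPSSODescriptor lacks an AssertionConsumerService or signing certificate")

    report = {
        "entity_id": root.get("entityID"),
        "removed": removed,
        "acs_locations": acs,
        "signing_cert_count": len(certs),
    }
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    cleaned_xml, summary = strip_wsfed_roles(SAMPLE_ADFS_METADATA)
    print(summary)
    print(cleaned_xml)
```

Run it against the real file with `strip_wsfed_roles(open("FederationMetadata.xml").read())` and write the first return value to the file you import; review the report's entity ID, AssertionConsumerService locations, and certificate count against what the service provider's administrator expects before importing.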

You cannot currently import SAML IDP metadata from the vSphere Web Client.

Procedure

  1. Export the metadata from your service provider to a file.
  2. Import the service provider's metadata into vCenter Single Sign-On.
    1. Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.

      Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the vsphere.local domain.

    2. Browse to Single Sign-On > Configuration.
    3. Select the SAML Service Providers tab.
    4. In the Metadata from your SAML service provider field, click Import and paste the metadata XML into the dialog, or click Import from File to select the metadata file, and then click Import.
  3. Export the vCenter Single Sign-On metadata.
    1. In the Metadata for your SAML service provider field, click Download.
    2. Specify a file location.
  4. Go to the SAML service provider, for example VMware vRealize Automation 7.0 or later, and follow the instructions for your SAML service provider to add the vCenter Single Sign-On metadata to that service provider.

    See the vRealize Automation documentation for details on importing the metadata.