You add a SAML service provider to vCenter Single Sign-On, and add vCenter Single Sign-On as the identity provider to that service. Going forward, when users log in to the service provider, the service provider authenticates those users with vCenter Single Sign-On.

Prerequisites

The target service must fully support the SAML 2.0 standard and the SP metadata must have the SPSSODescriptor element.

If the metadata do not follow the SAML 2.0 metadata schema precisely, you might have to edit the metadata before you import it. For example, if you are using an Active Directory Federation Services (ADFS) SAML service provider, you have to edit the metadata before you can import them. Remove the following non-standard elements:

fed:ApplicationServiceType
fed:SecurityTokenServiceType

Procedure

  1. Export the metadata from the service provider to a file.
  2. From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.

    Option

    Description

    vSphere Web Client

    https://vc_hostname_or_IP/vsphere-client

    Platform Services Controller

    https://psc_hostname_or_IP/psc

    In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

  3. Import the SP metadata into vCenter Single Sign-On.
    1. Select the SAML Service Providers tab.
    2. In the Metadata from your SAML service provider dialog box, import the metadata by pasting the XML string or by importing a file.
  4. Export the vCenter Single Sign-On IDP metadata.
    1. In the Metadata for your SAML service provider text box, click Download.
    2. Specify a file location.
  5. Log in to the SAML SP, for example VMware vRealize Automation 7.0, and follow the SP instructions to add the vCenter Single Sign-On metadata to that service provider.

    See the vRealize Automation documentation for details on importing the metadata into that product.