Configuring the System organization to use the vSphere SAML provider enables you to import system administrators from vSphere.

About this task

Using the vSphere SSO service as the SAML identity provider for the vCloud Director System organization can be a more secure alternative to LDAP or a local account. To use the vSphere SAML provider, you must have the credentials necessary to log in to vCloud Director and vSphere as an administrator, export each platform's SAML metadata to a local file on your client, and finally import that metadata into the SAML client on the other platform.

Prerequisites

This operation is restricted to system administrators.

You must also have the credentials needed to log in to vSphere as an SSO Administrator.

Procedure

  1. Click the Administration tab and click System Settings > Federation in the left pane.
  2. Download the vCloud Director SAML Service Provider metadata.
    1. In the Service Provider area of the Federation tab, verify the certificate expiration date.

      You can click Regenerate to regenerate the certificate and reset its expiration date.

      Note:

      If you need to supply your own key and certificate chain, you can use the vCloud API.

    2. If the certificate expiration date meets your needs, click the Metadata link.

      The vCloud Director SAML Service Provider metadata (an XML file) downloads to the folder where your browser saves downloads.

  3. Import the vCloud Director SAML metadata into vSphere.
    1. Log in to the vSphere Web client as a vSphere SSO administrator.
    2. Click Home > Administration to open the Administration menu, then click Single Sign-On > Configuration to display the SSO Configuration page.
    3. Under SAML v2.0 Identity Providers, click the Import button to the right of Metadata from your SAML service provider.
    4. On the Import Service Provider SAML Metadata page, click Import from File and browse to the vCloud Director SAML metadata file you downloaded in step 2.
  4. Download the VMware Identity provider metadata from vSphere.

    While you are still logged in to the vSphere Web client as a vSphere SSO administrator, open the SSO Configuration page, then click the Download button to the right of Metadata for your SAML service provider. The vSphere SAML metadata (an XML file) downloads to the folder where your browser saves downloads.

  5. Upload the vSphere identity provider metadata to vCloud Director.

    In the Identity Provider area of the Federation tab, select Use SAML Identity Provider, then upload the vSphere SAML metadata you downloaded in step 4. This completes the exchange of SAML metadata between vSphere and vCloud Director.
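The procedure hinges on two things the user interface only lets you eyeball: the expiration date of the certificate in the Service Provider metadata (step 2) and handing each platform the other platform's file (steps 3 and 5). The following Python script is an added example and not part of vCloud Director, vSphere, or this documentation. It checks both downloaded XML files offline before you upload them: it confirms that the file destined for vSphere really describes a service provider (SPSSODescriptor) and the file destined for vCloud Director really describes an identity provider (IDPSSODescriptor), and it decodes the certificate in each KeyDescriptor far enough to read its notAfter date, using only the standard library. It assumes both exports are standard SAML 2.0 EntityDescriptor documents with base64 DER certificates; the metadata and certificate the block builds for itself are constructed sample data, not real product output.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _utc(iso):
    """'2027-06-30T12:00:00Z' -> timezone-aware UTC datetime."""
    return dt.datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

# Minimal DER reader: just enough to walk Certificate -> tbsCertificate -> validity.
def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    pos = start
    while pos < end:                             # one (tag, value_start, value_end) per element
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def cert_not_after(der):
    """notAfter of a DER-encoded X.509 certificate, as an aware UTC datetime."""
    _, outer_s, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs_s, tbs_e = _tlv(der, outer_s)         # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    _, vs, ve = fields[3]                        # serialNumber, signature, issuer, validity, ...
    tag, s, e = list(_children(der, vs, ve))[1]  # validity ::= { notBefore, notAfter }
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def inspect_metadata(xml_text, now=None):
    """Role(s), entityID and certificate expiry found in one SAML metadata file."""
    now = _utc(now) if now else dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    roles = [r for r, tag in (("SP", "md:SPSSODescriptor"), ("IdP", "md:IDPSSODescriptor"))
             if root.find(tag, NS) is not None]
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        b64 = kd.findtext(".//ds:X509Certificate", namespaces=NS) or ""
        not_after = cert_not_after(base64.b64decode("".join(b64.split())))
        certs.append({"use": kd.get("use", "signing+encryption"),  # no 'use' attribute means both
                      "not_after": not_after, "days_left": (not_after - now).days})
    return {"entity_id": root.get("entityID"), "roles": roles, "certs": certs}

def check_exchange(sp_xml, idp_xml, now=None, min_days=30):
    """Problems that would make the SP/IdP metadata exchange fail or age out soon."""
    problems = []
    for label, xml_text, desc in (("SP", sp_xml, "SPSSODescriptor"), ("IdP", idp_xml, "IDPSSODescriptor")):
        meta = inspect_metadata(xml_text, now)
        if label not in meta["roles"]:
            problems.append("%s file has no %s (were the two files swapped?)" % (label, desc))
        for c in meta["certs"]:
            if c["days_left"] < 0:
                problems.append("%s %s certificate expired on %s" % (label, c["use"], c["not_after"].date()))
            elif c["days_left"] < min_days:
                problems.append("%s %s certificate expires in %d days" % (label, c["use"], c["days_left"]))
    return problems

# Constructed sample input so the check runs offline; not real vCloud Director or vSphere output.
def _der(tag, content):
    n = len(content)                             # short form or one-byte long form is enough here
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + content

def build_sample_cert(not_after, days_valid=365):
    """Structurally valid but unsigned, keyless fake certificate, for the demo only."""
    not_after = _utc(not_after)
    seq = lambda *parts: _der(0x30, b"".join(parts))
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = seq(_der(0x06, bytes.fromhex("2a864886f70d01010b")), _der(0x05, b""))  # sha256WithRSAEncryption
    empty_name = seq()
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")),                        # [0] version v3
              _der(0x02, b"\x01"), alg, empty_name,                    # serialNumber, signature, issuer
              seq(utc(not_after - dt.timedelta(days=days_valid)), utc(not_after)),  # validity
              empty_name, seq(alg, _der(0x03, b"\x00")))               # subject, placeholder SPKI
    return seq(tbs, alg, _der(0x03, b"\x00"))                          # empty signature BIT STRING

def sample_metadata(role, entity_id, not_after):
    """Constructed EntityDescriptor with the shape of the exported files."""
    desc = "SPSSODescriptor" if role == "SP" else "IDPSSODescriptor"
    cert = base64.b64encode(build_sample_cert(not_after)).decode("ascii")
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">'
            '<md:%s protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:%s>'
            '</md:EntityDescriptor>' % (NS["md"], NS["ds"], entity_id, desc, cert, desc))

if __name__ == "__main__":
    sp = sample_metadata("SP", "urn:example:vcd-sp", "2027-06-30T12:00:00Z")
    idp = sample_metadata("IdP", "urn:example:vsphere-idp", "2026-01-20T00:00:00Z")
    for problem in check_exchange(sp, idp, now="2026-01-01T00:00:00Z"):
        print("WARN:", problem)
    print(check_exchange(idp, sp, now="2026-01-01T00:00:00Z"))     # swapped files are caught
```

To use it on the real files, read the two downloads from disk and pass their text to `check_exchange` with the vCloud Director export first and the vSphere export second. A certificate nearing expiry on the vCloud Director side is the cue to click Regenerate in step 2 and repeat the exchange, because the metadata you already imported into vSphere carries the old certificate; a KeyDescriptor with no `use` attribute counts for both signing and encryption, which is why the script reports it as such. The script reads the metadata files as downloaded and does not verify any XML signature on them.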

Results

You can now import users from vSphere by selecting SAML in the Import Users dialog box. You can also use the Open in vSphere Web Client option to access vSphere resources on a vCenter Server in the same SSO domain.