You can establish federation between vRealize Automation Directories Management and systems that use SSO2.

About this task

Establish federation between Directories Management and SSO2 by creating a SAML connection between the two parties. Currently, the only supported end-to-end flow is one where SSO2 acts as the Identity Provider (IdP) and Directories Management acts as the Service Provider (SP).

For users to be authenticated by SSO2, the same account must exist in both Directories Management and SSO2. At a minimum, the UserPrincipalName (UPN) of the user must match on both ends, because the UPN is the attribute used to identify the SAML subject. Other attributes can differ, as they are not used to identify the subject.

For local users in SSO2, such as admin@vsphere.local, a corresponding account with the same UPN must also be created in Directories Management. For now, this must be done manually or by a script that uses the Directories Management local user creation APIs.
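The following script checks the UPN requirement described above before the authentication policy is switched over. It is an added example, not VMware code: the two user lists are constructed sample data standing in for an export of SSO2 principals and of Directories Management users, and the case-mismatch category is an assumption (the page only promises a match when the UPN is identical on both ends, so near-matches are reported for review rather than treated as valid).

```python
import re

# SSO2 local accounts live in this domain (the page's example is admin@vsphere.local).
LOCAL_DOMAIN = "vsphere.local"

# Constructed sample data: principals that can authenticate to SSO2.
SSO2_USERS = [
    "jsmith@corp.example.com",
    "Admin@vsphere.local",
    "svc-backup@corp.example.com",
]

# Constructed sample data: users that exist in Directories Management.
DM_USERS = [
    "jsmith@corp.example.com",
    "admin@vsphere.local",
]


def reconcile_upns(sso2_upns, dm_upns):
    """Compare SSO2 principals with Directories Management users by UPN.

    Returns a dict with three lists:
      'missing'       - SSO2 UPNs with no Directories Management account at all;
                        these users cannot complete a federated login
      'case_mismatch' - pairs that match only case-insensitively (assumption:
                        flagged for review, not accepted as a match)
      'malformed'     - entries that are not of the form user@domain
    """
    dm_exact = set(dm_upns)
    dm_folded = {u.casefold(): u for u in dm_upns}
    result = {"missing": [], "case_mismatch": [], "malformed": []}
    for upn in sso2_upns:
        if not re.fullmatch(r"[^@\s]+@[^@\s]+", upn):
            result["malformed"].append(upn)
        elif upn in dm_exact:
            continue
        elif upn.casefold() in dm_folded:
            result["case_mismatch"].append((upn, dm_folded[upn.casefold()]))
        else:
            result["missing"].append(upn)
    return result


def is_sso2_local(upn):
    """True for SSO2 local accounts, which the Active Directory link does not
    create in Directories Management; they must be added by hand or by script."""
    return upn.casefold().endswith("@" + LOCAL_DOMAIN)


if __name__ == "__main__":
    report = reconcile_upns(SSO2_USERS, DM_USERS)
    for upn in report["missing"]:
        action = "create via the local user creation API" if is_sso2_local(upn) else "check the Active Directory link"
        print(f"MISSING  {upn}: {action}")
    for sso_upn, dm_upn in report["case_mismatch"]:
        print(f"REVIEW   {sso_upn} (SSO2) vs {dm_upn} (Directories Management)")
    for upn in report["malformed"]:
        print(f"INVALID  {upn}: not a UPN")
```

Run it against real exports from both sides before changing the default policy; every entry under MISSING is a user who will be redirected to SSO2 and then fail at the Directories Management side.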

Setting up SAML between SSO2 and Directories Management involves configuration on both the Directories Management and the SSO2 components.

Table 1. SAML Federation Component Configuration

Component: Directories Management
Configuration: Configure SSO2 as a third-party Identity Provider on Directories Management and update the default authentication policy. You can create an automated script to set up Directories Management.

Component: SSO2
Configuration: Configure Directories Management as a Service Provider (SP) by importing the Directories Management sp.xml metadata file into SSO2.

Prerequisites

  • You have configured tenants for your vRealize Automation deployment and set up an appropriate Active Directory link to support basic Active Directory user ID and password authentication.

  • Active Directory is installed and configured for use on your network.

  • Obtain the SSO2 Identity Provider metadata. Step 1 of the procedure below shows how to download it from the vSphere Web Client.

  • Log in to the vRealize Automation console as a tenant administrator.

Procedure

  1. Download the SSO2 Identity Provider metadata through the SSO2 user interface.
    1. Log in to vCenter as an administrator at https://<cloudvm-hostname>/.
    2. Click the Log in to vSphere Web Client link.
    3. On the left navigation pane, select Administration > Single Sign On > Configuration.
    4. Click Download adjacent to the Metadata for your SAML service provider heading.

      The vsphere.local.xml file should begin downloading. This is the SSO2 Identity Provider metadata: it carries the SSO2 entity ID, the single sign-on endpoints, and the certificate that SSO2 uses to sign SAML assertions.

    5. Copy the contents of the vsphere.local.xml file.
  2. Use the vRealize Automation Directories Management Identity Providers page to create a new Identity Provider.
    1. Log in to vRealize Automation as a tenant administrator.
    2. Select Administration > Directories Management > Identity Providers.
    3. Click Add Identity Provider.
    4. Enter a name for the new Identity Provider in the Identity Provider Name text box.
    5. Paste the contents of the vsphere.local.xml file (the SSO2 Identity Provider metadata) into the Identity Provider Metadata (URI or XML) text box.
    6. Click Process IDP Metadata.
    7. Enter the following in the Name ID Policy in SAML Request (Optional) text box.

      http://schemas.xmlsoap.org/claims/UPN

    8. Select the domains to which you want users to have access privileges in the Users text box.
    9. Select the network ranges from which you want users to have access privileges to this identity provider in the Network text box.

      If you want to authenticate users from any IP address, select All Ranges.

    10. Enter a name for the authentication method in the Authentication Methods text box.
    11. Use the SAML Context drop-down menu to the right of the Authentication Methods text box to map the authentication method to urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
    12. Click the link beside the SAML Metadata heading under the SAML Signing Certificate text box to download the Directories Management metadata.
    13. Save the Directories Management metadata file as sp.xml.
    14. Click Add.
  3. Update the relevant authentication policy on the Directories Management Policies page to redirect authentication to the third-party SSO2 identity provider.
    1. Select Administration > Directories Management > Policies.
    2. Click the default policy name.
    3. Under the Policy Rules heading, click the authentication method to edit the existing authentication rule.

      Use the fields on the Edit a Policy Rule page to change the authentication method from password to the authentication method you created for the SSO2 identity provider in the previous step. Once the default policy points at SSO2, any user whose UPN does not exist on both sides, including SSO2 local users without a Directories Management counterpart, can no longer log in through that policy, so complete the account matching described above first.

    4. Click Save to save your policy updates.
  4. In the vSphere Web Client, select Administration > Single Sign On > Configuration on the left navigation pane, and click Update to upload the sp.xml file. This registers Directories Management as a SAML service provider in SSO2.
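Before pasting the vsphere.local.xml contents in step 2.5, it is worth checking what the file actually declares, because the Identity Provider page accepts it as-is. The script below is an added example, not VMware code or output: it parses IdP metadata with the standard library, reports the entity ID, the single sign-on endpoints and the SHA-256 fingerprint of the signing certificate (to compare against what vCenter presents), and warns when the metadata carries no signing certificate, uses a non-HTTPS endpoint, or does not advertise the UPN NameID format that step 2.7 requests. The embedded metadata is a constructed sample in the shape SSO2 produces; the host name vcenter.example.com and the certificate bytes are placeholders, not real values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The Name ID policy the page tells you to enter on the Identity Provider page.
UPN_NAMEID_FORMAT = "http://schemas.xmlsoap.org/claims/UPN"

# Constructed placeholder for the DER of the SSO2 signing certificate; not a real certificate.
CERT_B64 = base64.b64encode(b"constructed placeholder for the SSO2 signing certificate DER").decode()

# Constructed sample shaped like SSO2 IdP metadata (vsphere.local.xml); host name assumed.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://vcenter.example.com/websso/SAML2/Metadata/vsphere.local">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>{UPN_NAMEID_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://vcenter.example.com/websso/SAML2/SSO/vsphere.local"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vcenter.example.com/websso/SAML2/SSO/vsphere.local"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Extract what the Identity Provider page consumes and flag weak points."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            digest = hashlib.sha256(der).hexdigest().upper()
            fingerprints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))

    endpoints = {
        e.get("Binding"): e.get("Location")
        for e in idp.findall("md:SingleSignOnService", NS)
    }
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]

    warnings = []
    if not fingerprints:
        warnings.append("no signing certificate in metadata; the SP cannot verify assertion signatures")
    for binding, location in endpoints.items():
        if not (location or "").startswith("https://"):
            warnings.append(f"SingleSignOnService {binding} is not HTTPS: {location}")
    if UPN_NAMEID_FORMAT not in formats:
        warnings.append("IdP does not advertise the UPN NameID format entered as the Name ID policy")

    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": endpoints,
        "name_id_formats": formats,
        "signing_cert_sha256": fingerprints,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_METADATA)
    print("entityID:", report["entity_id"])
    for binding, location in report["sso_endpoints"].items():
        print("SSO endpoint:", binding.rsplit(":", 1)[-1], location)
    print("signing cert SHA-256:", ", ".join(report["signing_cert_sha256"]) or "none")
    for w in report["warnings"]:
        print("WARNING:", w)
```

To check a real download, replace SAMPLE_METADATA with the contents of vsphere.local.xml. The fingerprint is computed over the DER bytes exactly as SSO2 published them, so it should agree with the fingerprint vCenter shows for its signing certificate; a mismatch means the metadata was altered or belongs to a different SSO2 instance.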