You can enhance system security of a basic vRealize Automation Active Directory connection by configuring a bi directional trust relationship between your identity provider and Active Directory Federated Services.
About this task
To configure a bi-directional trust relationship between vRealize Automation and Active Directory, you must create a custom identity provider and add Active Directory metadata to this provider. Also, you must modify the default policy used by your vRealize Automation deployment. Finally, you must configure Active Directory to recognize your identity provider.
Verify that you have configured tenants for your vRealize Automation deployment set up an appropriate Active Directory link to support basic Active Directory user ID and password authentication.
Active Directory is installed and configured for use on your network.
Obtain the appropriate Active Directory Federated Services (ADFS) metadata.
Log in to the vRealize Automation console as a tenant administrator.
- Obtain the Federation Metadata file.
You can download this file from https://servername.domain/FederationMetadata/2007-06/FederationMetadata.xml
- Search for the word logout, and edit the location of each instance to point to https://servername.domain/adfs/ls/logout.aspx
For example, the following:
SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://servername.domain/adfs/ls/ "/>
Should be changed to:
SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://servername.domain/adfs/ls/logout.aspx"/>
- Create a new Identity Provider for you deployment.
- Select .
- Click Add Identity Provider and complete the fields as appropriate.
Identity Provider Name
Enter a name for the new identity provider
Identity Provider Metadata (URI or XML)
Paste the contents of your Active Directory Federated Services metadata file here.
Name ID Policy in SAML Request (Optional)
If appropriate, enter a name for the identity policy SAML request.
Select the domains to which you want users to have access privileges.
Process IDP Metadata
Click to process the metadata file that you added.
Select the network ranges to which you want users to have access.
Enter a name for the authentication method used by this identity provider.
Select the appropriate context for your system.
SAML Signing Certificate
Click the link beside the SAML Metadata heading to download the Directories Management metadata.
- Save the Directories Management metadata file as sp.xml.
- Click Add.
- Add a rule to the default policy.
- Select .
- Click the default policy name.
- Click the + icon under the Policy Rules heading to add a new rule.
Use the fields on the Add a Policy Rule page to create a rule that specifies the appropriate primary and secondary authentication methods to use for a specific network range and device.
For example, if the user's network range is "My Machine", and the user needs to access content from "All Device Types," then, for a typical deployment, that user must authenticate using the following method: ADFS Username and Password.
- Click Save to save your policy updates.
- On the Default Policy page, drag the new rule to the top of the table so that it takes precedence over existing rules.
- Using the Active Directory Federated Services management console, or another appropriate tool, set up a relying party trust relationship with the vRealize Automation identity provider.
To set up this trust, you must import the Directories Management metadata that you previously downloaded. See the Microsoft Active Directory documentation for more information about configuring Active Directory Federated Services for bi-directional trust relationships. As part of this process, you must do the following:
Set up a Relying Party Trust. When you set up this trust, you must import the VMware Identity Provider service provider metadata XML file that you copied and saved
Create a claim rule that transforms the attributes retrieved from LDAP in the Get Attributes rule into the desired SAML format. After you create the rule,. you must edit the rule by adding the following text:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "vmwareidentity.domain.com");