You can enhance the security of a basic vRealize Automation Active Directory connection by configuring a bi-directional trust relationship between your identity provider and Active Directory Federated Services.

Before you begin

  • Verify that you have configured tenants for your vRealize Automation deployment and set up an appropriate Active Directory link to support basic Active Directory user ID and password authentication.

  • Verify that Active Directory is installed and configured for use on your network.

  • Obtain the appropriate Active Directory Federated Services (ADFS) metadata.

  • Log in to the vRealize Automation console as a tenant administrator.

About this task

To configure a bi-directional trust relationship between vRealize Automation and Active Directory, you must create a custom identity provider and add Active Directory metadata to this provider. Also, you must modify the default policy used by your vRealize Automation deployment. Finally, you must configure Active Directory to recognize your identity provider.

Procedure

  1. Obtain the Federation Metadata file.

    You can download this file from https://servername.domain/FederationMetadata/2007-06/FederationMetadata.xml

  2. Search for the word logout, and edit the location of each instance to point to https://servername.domain/adfs/ls/logout.aspx

    For example, the following:

      <SingleLogoutService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://servername.domain/adfs/ls/"/>

    Should be changed to:

      <SingleLogoutService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://servername.domain/adfs/ls/logout.aspx"/>

  3. Create a new Identity Provider for your deployment.
    1. Select Administration > Directories Management > Identity Providers.
    2. Click Add Identity Provider and complete the fields as appropriate.

      Option                                     Description
      Identity Provider Name                     Enter a name for the new identity provider.
      Identity Provider Metadata (URI or XML)    Paste the contents of your Active Directory Federated Services metadata file here.
      Name ID Policy in SAML Request (Optional)  If appropriate, enter a name for the identity policy SAML request.
      Users                                      Select the domains to which you want users to have access privileges.
      Process IDP Metadata                       Click to process the metadata file that you added.
      Network                                    Select the network ranges to which you want users to have access.
      Authentication Methods                     Enter a name for the authentication method used by this identity provider.
      SAML Context                               Select the appropriate context for your system.
      SAML Signing Certificate                   Click the link beside the SAML Metadata heading to download the Directories Management metadata.

    3. Save the Directories Management metadata file as sp.xml.
    4. Click Add.
  4. Add a rule to the default policy.
    1. Select Administration > Directories Management > Policies.
    2. Click the default policy name.
    3. Click the + icon under the Policy Rules heading to add a new rule.

      Use the fields on the Add a Policy Rule page to create a rule that specifies the appropriate primary and secondary authentication methods to use for a specific network range and device.

      For example, if the user's network range is "My Machine", and the user needs to access content from "All Device Types," then, for a typical deployment, that user must authenticate using the following method: ADFS Username and Password.

    4. Click Save to save your policy updates.
    5. On the Default Policy page, drag the new rule to the top of the table so that it takes precedence over existing rules.
  5. Using the Active Directory Federated Services management console, or another appropriate tool, set up a relying party trust relationship with the vRealize Automation identity provider.

    To set up this trust, you must import the Directories Management metadata that you previously downloaded. See the Microsoft Active Directory documentation for more information about configuring Active Directory Federated Services for bi-directional trust relationships. As part of this process, you must do the following:

    • Set up a Relying Party Trust. When you set up this trust, you must import the VMware Identity Provider service provider metadata XML file that you copied and saved.

    • Create a claim rule that transforms the attributes retrieved from LDAP in the Get Attributes rule into the desired SAML format. After you create the rule, you must edit the rule by adding the following text:

      c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
      => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "vmwareidentity.domain.com");
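The metadata edit in step 2 of the procedure can be done and checked programmatically rather than by hand-searching the file. The following is an added example, not part of the vRealize Automation documentation or any VMware tool: it parses a constructed stand-in for FederationMetadata.xml, rewrites every SingleLogoutService Location to the /adfs/ls/logout.aspx endpoint on the same host, and reports any logout endpoint that was missed.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SLO_TAG = f"{{{MD_NS}}}SingleLogoutService"

# Constructed, minimal stand-in for a real FederationMetadata.xml, which also
# carries an enveloped ds:Signature, signing certificates and more endpoints.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://servername.domain/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://servername.domain/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://servername.domain/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://servername.domain/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def logout_url(location: str) -> str:
    """Map an ADFS /adfs/ls/ location to its logout.aspx form on the same host."""
    m = re.match(r"^(https://[^/]+)/adfs/ls(/|$)", location.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unexpected SingleLogoutService Location: {location!r}")
    return f"{m.group(1)}/adfs/ls/logout.aspx"

def rewrite_logout_locations(metadata_xml: str) -> tuple[str, list[tuple[str, str]]]:
    """Return the edited metadata plus the (old, new) Location pairs that changed."""
    root = ET.fromstring(metadata_xml)
    changes = []
    # Only SingleLogoutService elements are touched; SingleSignOnService and
    # every other element keep the values they were parsed with.
    for slo in root.iter(SLO_TAG):
        old = slo.get("Location", "")
        new = logout_url(old)
        if new != old:
            slo.set("Location", new)
            changes.append((old, new))
    ET.register_namespace("", MD_NS)  # serialize the default namespace unprefixed
    return ET.tostring(root, encoding="unicode"), changes

def unchanged_logout_locations(metadata_xml: str) -> list[str]:
    """Post-edit check: SingleLogoutService Locations not yet pointing at logout.aspx."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location", "") for e in root.iter(SLO_TAG)
            if not e.get("Location", "").lower().endswith("/adfs/ls/logout.aspx")]
```

ADFS signs this file, so the edited copy no longer verifies against its enveloped ds:Signature; ElementTree also re-serializes the whole document and may rename namespace prefixes it does not know (such as ds:), which changes the text but not the content.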