You can establish SAML federation between vRealize Automation Directories Management and systems that use SSO2 to support single sign-on.

About this task

Establish federation between Directories Management and SSO2 by creating a SAML connection between the two parties. Currently, the only supported end-to-end flow is where SSO2 acts as the Identity Provider (IdP) and Directories Management acts as the service provider (SP).

For SSO2 user authentication, the same account must exist in both Directories Management and SSO2. At a minimum, the UserPrincipalName (UPN) of the user must match on both ends, because the UPN is the attribute used to identify the SAML subject. Other attributes can differ.

For local users in SSO2, such as admin@vsphere.local, corresponding accounts must also exist in Directories Management, where at least the UPN of the user matches. Create these accounts manually or with a script using the Directories Management local user creation APIs.

Setting up SAML between SSO2 and Directories Management involves configuration on both the Directories Management and the SSO2 components.

Table 1. SAML Federation Component Configuration

Component: Directories Management
Configuration: Configure SSO2 as a third-party Identity Provider in Directories Management and update the default authentication policy so that it redirects to that provider. You can script the Directories Management side.

Component: SSO2
Configuration: Configure Directories Management as a Service Provider (SP) by importing the Directories Management metadata file, sp.xml, into SSO2.

Prerequisites

  • Configure tenants for your vRealize Automation deployment. See Create Additional Tenants.

  • Set up an appropriate Active Directory link to support basic Active Directory user ID and password authentication.

  • Log in to the vRealize Automation console as a tenant administrator.

Procedure

  1. Download the SSO2 Identity Provider metadata through the SSO2 user interface.
    1. Log in to vCenter as an administrator at https://<cloudvm-hostname>/.
    2. Click the Log in to vSphere Web Client link.
    3. On the left navigation pane, select Administration > Single Sign On > Configuration.
    4. Click Download adjacent to the Metadata for your SAML service provider heading.

      The browser downloads the vsphere.local.xml file. This file is the SSO2 IdP metadata; it contains the SSO2 entity ID, the single sign-on endpoints, and the signing certificate that Directories Management will trust for SAML assertions, so keep it and obtain it only through this authenticated vCenter session.

    5. Copy the contents of the vsphere.local.xml file.
  2. On the vRealize Automation Directories Management Identity Providers page, create a new Identity Provider.
    1. Log in to vRealize Automation as a tenant administrator.
    2. Select Administration > Directories Management > Identity Providers.
    3. Click Add Identity Provider and provide the configuration information.

      Option: Identity Provider Name
      Action: Enter a name for the new Identity Provider.

      Option: Identity Provider Metadata (URI or XML) text box
      Action: Paste the contents of the vsphere.local.xml file that you downloaded from SSO2 in step 1 and click Process IDP Metadata.

      Option: Name ID Policy in SAML Request (Optional)
      Action: Enter http://schemas.xmlsoap.org/claims/UPN. This makes Directories Management request the UPN as the SAML subject, which is the attribute that must match between the two systems.

      Option: Users
      Action: Select the domains whose users you want to be able to log in through SSO2.

      Option: Network
      Action: Select the network ranges from which users are allowed to log in through SSO2. To allow authentication from all IP addresses, select All Ranges.

      Option: Authentication Methods
      Action: Enter a name for the authentication method, for example SSO2. Then use the SAML Context drop-down menu to the right to map the method to urn:oasis:names:tc:SAML:2.0:ac:classes:Password. You select this method name in the authentication policy in step 3.

      Option: SAML Signing Certificate
      Action: Click the link beside the SAML Metadata heading to download the Directories Management metadata.

    4. Save the Directories Management metadata file as sp.xml. You import this file into SSO2 in step 4.
    5. Click Add.
  3. Update the relevant authentication policy on the Directories Management Policies page to redirect authentication to the third-party SSO2 identity provider.
    1. Select Administration > Directories Management > Policies.
    2. Click the default policy name.
    3. Under the Policy Rules heading, click the authentication method to edit the existing authentication rule.
    4. On the Edit a Policy Rule page, change the authentication method from Password to the method you named for SSO2 in step 2 (in this case, SSO2).

      After you save, logins that match this rule are redirected to SSO2, so confirm beforehand that your own tenant administrator account exists in SSO2 with a matching UPN. Otherwise you can lock yourself out of the tenant.

    5. Click Save to save your policy updates.
  4. In the vSphere Web Client, select Administration > Single Sign On > Configuration, and click Update to upload the sp.xml file. This registers Directories Management as a Service Provider with SSO2 and completes the federation.
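Before switching the policy, it helps to confirm that the metadata you pasted and the assertions SSO2 issues actually satisfy the matching rules above (the IdP entity ID, the UPN Name ID format, the Password authentication context, and a Directories Management account with the same UPN). The script below is an added example, not VMware code or a Directories Management API; it uses only the Python standard library. It assumes the downloaded vsphere.local.xml is standard SAML 2.0 metadata, that the response was taken from a browser's SAMLResponse form field and base64-decoded, and that UPNs compare case-insensitively. The entity ID, endpoint URLs, certificate bytes and the SAML response are constructed sample data; signature verification is left to Directories Management.

```python
"""Check SSO2 IdP metadata and a decoded SAMLResponse against the Directories Management setup.

Added example, not VMware code. Only the subject-mapping requirements are checked;
XML signature verification is Directories Management's job.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UPN_FORMAT = "http://schemas.xmlsoap.org/claims/UPN"                   # Name ID Policy from step 2
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"  # SAML Context from step 2


def sha256_fingerprint(der_bytes):
    """SHA-256 over the DER certificate; compare it with the SSO2 signing certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_idp_metadata(xml_text):
    """Extract what Directories Management will trust from the pasted IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not Identity Provider metadata")
    info = {"entity_id": root.get("entityID"), "sso": {}, "name_id_formats": [],
            "signing_fingerprints": []}
    for sso in idp.findall("md:SingleSignOnService", NS):
        info["sso"][sso.get("Binding")] = sso.get("Location")
    for fmt in idp.findall("md:NameIDFormat", NS):
        info["name_id_formats"].append(fmt.text.strip())
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":  # a KeyDescriptor without 'use' covers signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            info["signing_fingerprints"].append(sha256_fingerprint(der))
    return info


def check_assertion(response_xml, idp_info, local_upns):
    """Return the reasons a decoded SAMLResponse would not map to a local account ([] if it would)."""
    root = ET.fromstring(response_xml)
    problems = []
    issuer = root.findtext("saml:Assertion/saml:Issuer", namespaces=NS)
    if issuer != idp_info["entity_id"]:
        problems.append(f"assertion issuer {issuer!r} is not the configured IdP {idp_info['entity_id']!r}")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("assertion has no Subject/NameID")
    else:
        upn = (name_id.text or "").strip()
        if name_id.get("Format") != UPN_FORMAT:
            problems.append(f"NameID format {name_id.get('Format')!r} is not the UPN format")
        if upn.lower() not in {u.lower() for u in local_upns}:  # assumption: case-insensitive UPNs
            problems.append(f"no Directories Management account with UPN {upn!r}")
    ctx = root.findtext("saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        namespaces=NS)
    if ctx != PASSWORD_CONTEXT:
        problems.append(f"AuthnContextClassRef {ctx!r} does not match the mapped authentication method")
    return problems


# Constructed sample data: placeholder certificate bytes, example.com hostnames, no real assertion.
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.example.com/websso/SAML2/Metadata/vsphere.local">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>http://schemas.xmlsoap.org/claims/UPN</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.com/websso/SAML2/SSO/vsphere.local"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sso.example.com/websso/SAML2/Metadata/vsphere.local</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sso.example.com/websso/SAML2/Metadata/vsphere.local</saml:Issuer>
    <saml:Subject><saml:NameID Format="http://schemas.xmlsoap.org/claims/UPN">admin@vsphere.local</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID:", info["entity_id"])
    print("Signing cert SHA-256:", info["signing_fingerprints"])
    print("Problems:", check_assertion(SAMPLE_RESPONSE, info, ["admin@vsphere.local"]))
```

To use it against your own deployment, read vsphere.local.xml into parse_idp_metadata, compare the reported fingerprint with the SSO2 signing certificate shown in the vSphere Web Client, and pass a base64-decoded SAMLResponse plus the list of Directories Management local UPNs to check_assertion. An empty problem list means the subject will map to an existing account; a "no Directories Management account" entry is exactly the local-user case from the task description, where an SSO2 account such as admin@vsphere.local still needs a matching local account.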