vRealize Automation is supplied with a default identity provider instance. Users may want to create additional identity provider instances.

About this task

vRealize Automation is supplied with an default identity provider. In most cases, the default provider is sufficient for customer needs. If you use an existing enterprise identity management solution, you can set up a custom identity provider to redirect users to your existing identity solution.

When using a custom identity provider, Directories Management uses SAML metadata from that provider to establish a trust relationship with the provider. After this relationship is established, Directories Management maps the users from the SAML assertion to the list of internal vRealize Automation users based the subject name ID.

Prerequisites

  • Configure the network ranges that you want to direct to this identity provider instance for authentication. See Add or Edit a Network Range.

  • Access to the third-party metadata document. This can be either the URL to the metadata or the actual metadata.

  • Log in to the vRealize Automation console as a tenant administrator.

Procedure

  1. Navigate to the Administration > Directories Management > Identity Providers.

    This page displays all configured Identity Providers.

  2. Click Add Identity Provider and edit the identity provider instance settings.

    Form Item

    Description

    Identity Provider Name

    Enter a name for this identity provider instance.

    SAML Metadata

    Add the third party IdPs XML-based metadata document to establish trust with the identity provider.

    1. Enter the SAML metadata URL or the xml content into the text box.

    2. Click Process IdP Metadata. The NameID formats supported by the IdP are extracted from the metadata and added to the Name ID Format table.

    3. In the Name ID value column, select the user attribute in the service to map to the ID formats displayed. You can add custom third-party name ID formats and map them to the user attribute values in the service.

    4. (Optional) Select the NameIDPolicy response identifier string format.

    Users

    Select the Directories Management directories of the users that can authenticate using this identity provider.

    Network

    The existing network ranges configured in the service are listed.

    Select the network ranges for the users, based on their IP addresses, that you want to direct to this identity provider instance for authentication.

    Authentication Methods

    Add the authentication methods supported by the third-party identity provider. Select the SAML authentication context class that supports the authentication method.

    SAML Signing Certificate

    Click Service Provider (SP) Metadata to see URL to Directories Management SAML service provider metadata URL . Copy and save the URL. This URL is configured when you edit the SAML assertion in the third-party identity provider to map Directories Management users.

    Hostname

    If the Hostname field displays, enter the hostname where the identity provider is redirected to for authentication. If you are using a non-standard port other than 443, you can set this as Hostname:Port. For example, myco.example.com:8443.

  3. Click Add.

What to do next

  • Copy and save the Directories Management service provider metadata that is required to configure the third-party identity provider instance. This metadata is available either in the SAML Signing Certificate section of the Identity Provider page.

  • Add the authentication method of the identity provider to the services default policy.

See the Setting Up Resources in Directories Management guide for information about adding and customizing resources that you add to the catalog.