vRealize Automation is supplied with a default identity provider connection instance. Users may want to create additional identity provider connections to support just-in-time user provisioning or other custom configurations.
vRealize Automation is supplied with a default identity provider. In most cases, the default provider is sufficient for customer needs. If you use an existing enterprise identity management solution, you can set up a custom identity provider to redirect users to your existing identity solution.
When using a custom identity provider, Directories Management uses SAML metadata from that provider to establish a trust relationship with the provider. After this relationship is established, Directories Management maps the users from the SAML assertion to the list of internal vRealize Automation users based on the subject name ID.
Prerequisites
- Configure the network ranges that you want to direct to this identity provider instance for authentication. See Add or Edit a Network Range.
- Access to the third-party metadata document. This can be either the URL to the metadata or the actual metadata.
- Log in to vRealize Automation as a tenant administrator.
The Identity Providers page lists all configured identity providers.
- Click Add Identity Provider.
  A menu appears with Identity Provider options.
- Select Create Third Party IDP.
- Enter the appropriate information to configure the identity provider.
  Identity Provider Name: Enter a name for this identity provider instance.
  SAML metadata: Add the third-party IdP's XML-based metadata document to establish trust with the identity provider. Enter the SAML metadata URL or the XML content into the text box, then click Process IdP Metadata. The NameID formats supported by the IdP are extracted from the metadata and added to the Name ID Format table. In the Name ID value column, select the user attribute in the service to map to the ID formats displayed. You can add custom third-party name ID formats and map them to the user attribute values in the service.
  Name ID policy (optional): Select the NameIDPolicy response identifier string format.
  Directories: Select the Directories Management directories of the users that can authenticate using this identity provider.
  Just-in-Time User Provisioning: Select the appropriate options to support just-in-time provisioning with the third-party identity provider. Enter the Directory Name to use for just-in-time provisioning, and enter one or more Domains that exist within the external identity provider that you will use for just-in-time provisioning.
  Network ranges: The existing network ranges configured in the service are listed. Select the network ranges for the users, based on their IP addresses, that you want to direct to this identity provider instance for authentication.
  Authentication methods: Add the authentication methods supported by the third-party identity provider. Select the SAML authentication context class that supports the authentication method.
  SAML Signing Certificate: Click Service Provider (SP) Metadata to display the URL of the Directories Management SAML service provider metadata. Copy and save the URL. This URL is configured when you edit the SAML assertion in the third-party identity provider to map Directories Management users.
  Hostname: If the Hostname field displays, enter the hostname where the identity provider is redirected to for authentication. If you are using a non-standard port other than 443, you can set this as Hostname:Port. For example, myco.example.com:8443.
- Click Add.
What to do next
Copy and save the Directories Management service provider metadata that is required to configure the third-party identity provider instance. This metadata is available in the SAML Signing Certificate section of the Identity Provider page.
Add the authentication method of the identity provider to the service's default policy.
See the Setting Up Resources in Directories Management guide for information about adding and customizing resources that you add to the catalog.