You can enhance system security of a basic vRealize Automation Active Directory connection by configuring a bi directional trust relationship between your identity provider and Active Directory Federated Services.
To configure a bi-directional trust relationship between vRealize Automation and Active Directory, you must create a custom identity provider and add Active Directory metadata to this provider. Also, you must modify the default policy used by your vRealize Automation deployment. Finally, you must configure Active Directory to recognize your identity provider.
- Verify that you have configured tenants for your vRealize Automation deployment set up an appropriate Active Directory link to support basic Active Directory user ID and password authentication.
- Active Directory is installed and configured for use on your network.
- Obtain the appropriate Active Directory Federated Services (ADFS) metadata.
Log in to vRealize Automation as a tenant administrator.
- Obtain the Federation Metadata file.
You can download this file from https:// servername.domain/FederationMetadata/2007-06/FederationMetadata.xml
- Search for the word logout, and edit the location of each instance to point to https://servername.domain/adfs/ls/logout.aspx
For example, the following:
SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://servername.domain/adfs/ls/ "/>
Should be changed to:
SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://servername.domain/adfs/ls/logout.aspx"/>
- Create a new Identity Provider for you deployment.
- Select .
- Click Add Identity Provider and complete the fields as appropriate.
Option Description Identity Provider Name Enter a name for the new identity provider Identity Provider Metadata (URL or XML) Paste the contents of your Active Directory Federated Services metadata file here. Name ID Policy in SAML Request (Optional) If appropriate, enter a name for the identity policy SAML request. Users Select the domains to which you want users to have access privileges. Process IDP Metadata Click to process the metadata file that you added. Network Select the network ranges to which you want users to have access. Authentication Methods Enter a name for the authentication method used by this identity provider. SAML Context Select the appropriate context for your system. SAML Signing Certificate Click the link beside the SAML Metadata heading to download the Directories Management metadata.
- Save the Directories Management metadata file as sp.xml.
- Click Add.
- Add a rule to the default policy.
- Select .
- Click the default policy name.
- Click the + icon in the Policy Rules heading to add a new rule.
Use the options on the Add a Policy Rule page to create a rule that specifies the appropriate primary and secondary authentication methods to use for a specific network range and device.For example, if your network range is My Machine, and you need to access content from All Device Types then, for a typical deployment, you must authenticate by using the following method: ADFS Username and Password.
- Click OK to save your policy updates.
- On the Default Policy page, drag the new rule to the top of the table so that it takes precedence over existing rules.
- Using the Active Directory Federated Services management console, or another appropriate tool, set up a relying party trust relationship with the vRealize Automation identity provider.
To set up this trust, you must import the Directories Management metadata that you previously downloaded. See the Microsoft Active Directory documentation for more information about configuring Active Directory Federated Services for bi-directional trust relationships. As part of this process, you must do the following:
- Set up a Relying Party Trust. When you set up this trust, you must import the VMware Identity Provider service provider metadata XML file that you copied and saved
- Create a claim rule that transforms the attributes retrieved from LDAP in the Get Attributes rule into the desired SAML format. After you create the rule, edit the rule by adding the following text:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "vmwareidentity.domain.com");