When you configure the vCloud Director plug-in, you must select an authentication method for managing users when they log in to your vCloud Director instance.

Basic Authentication

The basic authentication method provides a way to log in with user name and password.

SAML Authentication

The Security Assertion Markup Language (SAML) authentication method provides token-based login. The token is shared across all instances that the user works with.

If you use Basic Authentication with the Session per user method, ensure that the Orchestrator server is configured for LDAP authentication. The vCloud Director plug-in uses the user name and password of the current user to log in to vCloud Director.

If you use SAML Authentication with the Session per user method, ensure that the Orchestrator server is configured for Single Sign On authentication. The plug-in uses the Single Sign On token provided by the Orchestrator server to log in to vCloud Director.

The following figure shows how the Session per user method connects vCenter Orchestrator, the vCloud Director plug-in, the LDAP server or Single Sign On server, and vCloud Director, when using SAML or Basic authentication.

Figure 1. Session Per User Method


The instances connected to vCenter Orchestrator are represented as boxes. The vCloud plug-in box sits inside the vCenter Orchestrator box and is connected directly by an arrow to the vCloud Director box. A double-sided arrow labeled "Basic Authentication" connects the Orchestrator box with the LDAP box. A double-sided arrow labeled "SAML Authentication" connects the Orchestrator box with the SSO box. The vCloud Director box is connected to the same LDAP and SSO boxes, each with a one-sided arrow.

If you use Basic Authentication with the Shared session method, the Orchestrator server authentication mode is ignored and the plug-in uses a predefined user name and password to log in to vCloud Director, so vCloud Director sees every Orchestrator user as that one account.

If you use SAML Authentication with the Shared session method, the Orchestrator server authentication mode is ignored and the plug-in uses the SAML token provided by a callback action to log in to vCloud Director. You must implement the callback action in your Orchestrator client.

Scripting example of the callback action

// Orchestrator action script (JavaScript); the action is declared with return type String.
// The token is cached in the plug-in's shared properties so that calls within the
// lifetime reuse it instead of requesting a new one.
function acquireSamlToken() {
   var tokenKey = "cd5727e0-b5fd-11e1-afa6-0800200c9a66";
   var properties = new VclSharedProperties();
   var token = properties.getProperty(tokenKey);
   if (token == null) {
      var tokenLifetime = 600000; // 10 min lifetime, in milliseconds
      // TODO: your logic to acquire the token; acquireTokenFromSso() is a
      // placeholder name for that logic, not a plug-in function
      token = acquireTokenFromSso();
      properties.putProperty(tokenKey, token, tokenLifetime);
   }
   return token;
}
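The following is an added, runnable illustration of the caching behaviour the callback above relies on; it is not code from the plug-in or from this documentation. FakeSharedProperties is an assumed stand-in for VclSharedProperties that mirrors only the calls the example uses, and fetchTokenFromSso is a hypothetical token source.

```javascript
// Added example (not the plug-in's code): the shared-session SAML callback above,
// with a stand-in for VclSharedProperties so it runs outside Orchestrator. The
// stand-in mirrors only the calls the page uses and is an assumption.
function FakeSharedProperties(clock) {
  this.clock = clock;   // returns "now" in ms; injected so the caller controls time
  this.entries = {};
}
FakeSharedProperties.prototype.getProperty = function (key) {
  var e = this.entries[key];
  if (!e) return null;
  if (this.clock() >= e.expiresAt) {   // lifetime elapsed: treat as absent
    delete this.entries[key];
    return null;
  }
  return e.value;
};
FakeSharedProperties.prototype.putProperty = function (key, value, lifetimeMs) {
  this.entries[key] = { value: value, expiresAt: this.clock() + lifetimeMs };
};
// Hypothetical token source standing in for "your logic to acquire the token";
// it counts calls so the simulation shows when SSO is actually contacted.
var ssoCalls = 0;
function fetchTokenFromSso() {
  ssoCalls += 1;
  return "saml-token-" + ssoCalls;   // constructed placeholder value
}
var TOKEN_KEY = "cd5727e0-b5fd-11e1-afa6-0800200c9a66";
var TOKEN_LIFETIME_MS = 600000;      // 10 min, as in the page's example
// Same shape as the page's acquireSamlToken, with the property store passed in.
function acquireSamlToken(properties) {
  var token = properties.getProperty(TOKEN_KEY);
  if (token == null) {
    token = fetchTokenFromSso();
    properties.putProperty(TOKEN_KEY, token, TOKEN_LIFETIME_MS);
  }
  return token;
}
// Runs the callback against a controllable clock: SSO is contacted once for
// the first call, not again within the lifetime, and once more after expiry.
function simulate() {
  var now = 0;
  var props = new FakeSharedProperties(function () { return now; });
  ssoCalls = 0;
  var first = acquireSamlToken(props);
  now += 5 * 60 * 1000;              // 5 min later: still cached
  var second = acquireSamlToken(props);
  now += 6 * 60 * 1000;              // 11 min total: expired, refreshed
  var third = acquireSamlToken(props);
  return { first: first, second: second, third: third, ssoCalls: ssoCalls };
}
```

Because every workflow run shares the cached token, keep the lifetime you pass to putProperty shorter than the validity of the SAML token itself, or the plug-in will present an expired token until the cache entry lapses.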

The following figure shows how the Shared session method connects the vCloud Director plug-in, the LDAP server or Single Sign On server, and vCloud Director, when using SAML or Basic authentication.

Figure 2. Shared Session Method


The instances connected to vCenter Orchestrator are represented as boxes. The vCloud plug-in box sits inside the vCenter Orchestrator box and is connected directly by an arrow to the vCloud Director box. A line labeled "Basic Authentication" connects the vCloud Director plug-in box with the LDAP box. A dashed line labeled "Basic Authentication" connects the vCloud Director plug-in box with the Database box. A double-sided arrow labeled "SAML Authentication" connects the Orchestrator box with the SSO box. The vCloud Director box is connected to the same LDAP and SSO boxes, each with a one-sided arrow, and to the Database box with a double-sided arrow.