Federated identity management enables electronic identities and attributes from one domain to be accepted and used to access resources in other domains. You can enable federated identity management between vRealize Automation, vRealize Operations Manager, and vSphere Web Client using vCenter Single Sign-On and VMware Identity Manager.

Federated identity environments divide users into categories called personas based on how they interact with federated identity systems. Users use the systems to receive services. Administrators configure and manage federation among systems. Developers create and extend services consumed by users. The following table describes the benefits of federated identity management enjoyed by these personas.

Table 1. Benefits to Personas
User Type: Federated Identity Benefit
Users
  • Convenient single sign-on to multiple applications
  • Fewer passwords to manage
  • Improved security
Administrators
  • More control over application entitlements and access
  • Context- and policy-based authentication
Developers
  • Simple integration
  • Benefits of multitenancy, user and group management, extensible authentication, and delegated authorization with little effort

You can set up federation between VMware Identity Manager and vCenter Single Sign-On by creating a SAML connection between the two parties. vCenter Single Sign-On acts as the identity provider and VMware Identity Manager as the service provider. An identity provider provides an electronic identity. A service provider grants access to resources after evaluating and accepting the electronic identity.

For users to be authenticated by vCenter Single Sign-On, the same account must exist in VMware Identity Manager and vCenter Single Sign-On. Minimally, the userPrincipalName of the user must match on both ends. Other attributes can differ because they are not used to identify the SAML subject.

For local users in vCenter Single Sign-On such as administrator@vsphere.local, corresponding accounts must be created in VMware Identity Manager where at least the userPrincipalName of the user matches. The corresponding accounts must be created manually or by a script using the VMware Identity Manager local user creation APIs.

Setting up SAML between vCenter Single Sign-On (SSO2) and VMware Identity Manager (vIDM) involves the following tasks.

  1. Import the SAML token from vCenter Single Sign-On to VMware Identity Manager before updating the VMware Identity Manager default authentication.
  2. In VMware Identity Manager, configure vCenter Single Sign-On as a third-party identity provider on VMware Identity Manager and update VMware Identity Manager default authentication.
  3. On vCenter Single Sign-On, configure VMware Identity Manager as a service provider by importing the VMware Identity Manager sp.xml file.
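The following added example (not VMware code) shows what the service-provider side of this trust has to do with an assertion once the steps above are complete: confirm it came from the configured identity provider, confirm it is addressed to this service provider, and then resolve the subject by userPrincipalName alone, so that a differing givenName or email does not matter while a missing local account is rejected. All entity IDs, account records and the assertion itself are constructed sample values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values (not from a real deployment): the IdP entity ID vCenter
# Single Sign-On would publish and the SP entity ID taken from the vIDM sp.xml.
EXPECTED_ISSUER = "https://vcenter.example.com/websso/SAML2/Metadata/vsphere.local"
EXPECTED_AUDIENCE = "https://vidm.example.com/SAAS/API/1.0/GET/metadata/sp.xml"

# Constructed vIDM local-account table, keyed by lower-cased userPrincipalName.
VIDM_LOCAL_USERS = {
    "administrator@vsphere.local": {"firstName": "Admin", "email": "ops@example.com"},
    "jdoe@vsphere.local": {"firstName": "Jane", "email": "jane.doe@example.com"},
}

# Constructed, unsigned assertion of the shape the IdP issues for user jdoe.
# The givenName attribute ("Janet") deliberately differs from the local record ("Jane").
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:Issuer>https://vcenter.example.com/websso/SAML2/Metadata/vsphere.local</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">JDoe@vsphere.local</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://vidm.example.com/SAAS/API/1.0/GET/metadata/sp.xml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Janet</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve_subject(assertion_xml, local_users, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Map a SAML assertion to a local account by userPrincipalName.
    XML signature verification is assumed to have happened before this call.
    Returns (upn, account) or raises ValueError with the reason for rejection."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("assertion issued by an unexpected identity provider")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion is not addressed to this service provider")
    upn = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    account = local_users.get(upn.lower())  # assumption: UPNs compare case-insensitively
    if account is None:
        raise ValueError(f"no local account with userPrincipalName {upn!r}; create it first")
    return upn.lower(), account
```

The rejection path is the one the page warns about: a vCenter Single Sign-On local user with no matching vIDM account cannot be authenticated, however valid the assertion is otherwise.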

See the following product documentation: