vCloud Director and Single-Sign-On (SAML)

In December last year I wrote a blog post about vCloud Director and SSPI Authentication. In the post I stated that besides using SSPI – which is a Microsoft proprietary interface on top of Active Directory – the tenants can use the Security Assertion Markup Language (SAML) standard to integrate with their identity provider. VMware has tested SAML2 integration with OpenAM (described in detail in vCloud Architecture Toolkit Implementation Examples) and Active Directory Federation Services (ADFS). However, just recently another supported identity provider appeared: our own VMware Horizon Workspace. The following whitepaper describes the integration in detail: Using VMware Horizon Workspace to Enable SSO in VMware vCloud Director 5.1.

In this post I will provide a short step-by-step description of all the necessary steps that you as the vCloud Organization Administrator must take. The assumption is that you have an on-premise Horizon Workspace integrated with the company Active Directory and want to use it for connecting to private or public vCloud Director organizations.

  1. Download Horizon Identity provider metadata XML file from: https://<horizon_workspace_URL>/SAAS/API/1.0/GET/metadata/idp.xml
  2. In the target cloud go to Administration > Settings > Federation menu and check Use SAML Identity Provider and upload the idp.xml file
  3. Still on the same page regenerate the certificate and click apply
  4. Download the certificate from the url: https://<vcloud_URL>/cloud/org/<orgname>/saml/metadata/alias/vcd
  5. Log out from the cloud
  6. Log back in; you will need to change the URL to go directly to the local authentication page: https://<vcloud_URL>/cloud/org/<orgname>/login.jsp
  7. In Administration > Members > Users (or Groups), import users (or groups) by clicking the icon with the arrow. Change the Source to SAML and type the user names or group names.
  8. Back in Horizon Workspace admin interface create a new Web Application in the catalog
  9. Fill in the following data:
    • Authentication Profile: SAML 2.0 POST profile
    • Login Redirection URL: https://<vcloud_URL>/cloud/org/<orgname>/
    • Check: Include Destination
    • Check: Sign Response
    • Check: Sign the Assertion
    • Configure via Metadata XML
    • Paste the certificate from point 4 into the Meta-data XML box
    • Add Attribute Mapping as seen in the screenshot (screenshot: Attribute Mapping)
    • Save the page
  10. Edit the newly created Web Application and assign Entitlements (either specific users or a group). These should be the same users as in step 7.
  11. Now log into Horizon as the entitled user and click the application icon. You should now get direct access into vCloud Director.
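As an added example (not code from the original post or from VMware), the following Python script sanity-checks the idp.xml downloaded in step 1 and the vCD metadata downloaded in step 4 before they are exchanged: the IdP must offer an HTTP-POST SSO endpoint and a signing certificate (steps 9 and 3), and the SP endpoints must belong to the organization URL used in step 9. Both XML documents, the hostnames, the org name ACME and the certificate value are constructed placeholders.

```python
# Added example, not code from the original post: offline sanity checks on the two
# metadata documents swapped in steps 1 and 4. Both XML documents below are constructed,
# minimal stand-ins; hostnames, the org name "ACME" and the certificate are placeholders.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ORG_URL = "https://vcloud.example.com/cloud/org/ACME/"   # Login Redirection URL of step 9
IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://horizon.example.com/SAAS/API/1.0/GET/metadata/idp.xml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://horizon.example.com/SAAS/API/1.0/POST/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://vcloud.example.com/cloud/org/ACME/saml/metadata/alias/vcd">
 <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://vcloud.example.com/cloud/org/ACME/saml/SSO/alias/vcd"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

def check_idp(xml_text):
    """Findings for idp.xml: a POST SSO endpoint and a signing certificate must be present."""
    root, findings = ET.fromstring(xml_text), []
    if not [e for e in root.iterfind(".//md:SingleSignOnService", NS) if e.get("Binding") == POST]:
        findings.append("no HTTP-POST SingleSignOnService: the SAML 2.0 POST profile cannot be used")
    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    certs = [c for kd in root.iterfind(".//md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"
             for c in kd.iterfind(".//ds:X509Certificate", NS) if c.text and c.text.strip()]
    if not certs:
        findings.append("no signing certificate: signed responses and assertions cannot be verified")
    return findings

def check_sp(xml_text, org_url):
    """Findings for the vCD metadata of step 4: its endpoints must belong to the org of step 9."""
    root, findings = ET.fromstring(xml_text), []
    if not root.get("entityID", "").startswith(org_url):
        findings.append("entityID %r is not under the org URL" % root.get("entityID"))
    desc = root.find("md:SPSSODescriptor", NS)
    if desc is None or desc.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned not advertised: keep 'Sign the Assertion' checked in Horizon")
    acs = [e.get("Location", "") for e in root.iterfind(".//md:AssertionConsumerService", NS)
           if e.get("Binding") == POST]
    if not any(loc.startswith(org_url) for loc in acs):
        findings.append("no HTTP-POST AssertionConsumerService under the org URL")
    return findings
```

Both functions return an empty list for the constructed documents; run them against the real downloads by reading the files in place of the two string constants.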

Screenshot: Horizon Workspace

Edit 2 July 2013: In order to get SAML groups working, the following is needed.

In step 9, also create a group mapping. The group name must be hardcoded, but that should not be such a problem, as a different web application in Horizon Workspace can be created for each group/role mapping. I have created a hardcoded mapping to the group name OrgAdministrators.

Screenshot: Attribute Mapping with Group

Then in step 7 the group can be imported and the correct role assigned.

Screenshot: SAML Group Import


9 thoughts on “vCloud Director and Single-Sign-On (SAML)”

  1. Hi,

    We are trying to see if vCloud can be setup to do authentication with a 3rd party SAML provider and SSO as well. I found your post very useful, and feel like we might be able to get our use case working. However, I am not quite sure if we could get seamless SSO working as well.

    The scenario is somewhat like this: There are three actors
    1. Web portal
    2. CAS/SAML server for identity management
    3. vCloud

    A user logs into the portal application, but sometimes needs to go to vCloud to manage their account. The portal will provide a link to the organization’s login page. When the user clicks on the link, the user should ideally be directly signed into vCloud.

    The portal application can acquire a proxy ticket (for proxying vCloud) from the SAML server. However, it would need to be able to call some service URL which will accept the proxy ticket and directly login the user.

    I could not find such a URL in the documentation.

    Is it possible to achieve SSO with a proxy ticket with vCloud?

    1. CAS’s support of SAML is primitive, it’s unlikely you’ll be able to accomplish this with just CAS. Shoot us an email if you want to know about other options that could work (even factoring in CAS).

  2. Yes, this is possible and for example vCloud Hybrid Service has the functionality you describe.
    You have to configure every vCloud organization for (your) SSO federation, basically taking that feature away from the tenant (you have to create a new Org Admin role without the right to edit/view SSO federation settings). You will redirect the user from your portal to a vCloud Director URL. VCD will know that this org (ACME) is using SSO federation and will redirect the browser session to your IdP to provide a SAML2 token. It is verified by VCD. A vCloud token is issued for the user and he is logged in.

  3. @adaptivejournal – I recently setup vCloud Director to use the SafeNet Authentication Service using SAML. This is so we could offer two factor authentication (in our case SMS) but I think it can be setup for “normal” passwords as well. Then if you can use SafeNet to secure both your web app portal and the vCD portal then you should get single sign on.

    1. I try to configure vCloud to use the SafeNet Authentication Service using SAML and I can't import groups to authenticate. How could you do it? Do the groups have to be configured in the VMware SSO?
      I'll be more than happy for your assistance.
