vCloud Director 9: SAML2 Federation for System Administrators

In the past in vCloud Director 8.20 (and older versions) system admins (the provider context) could use local, LDAP and vSphere SSO accounts. vCloud Director 9.0 now replaces vSphere SSO accounts with more generic SAML2 accounts which means you can have the same IdP mechanism in the tenant and system context.

This change however breaks the previous vSphere SSO federation which was as simple as entering the vSphere Lookup Service URL and enabling the vSphere Single Sign-On with a check box (which in vCloud Director 9.0 is no longer there).

Here is the procedure how to enable vSphere Single Sign-On in vCloud Director 9.0.

  1. Login to vCloud Director as system admin and from administration>System Settings/Federation download the metadata document (spring_saml_metadata.xml) from the link provided (../cloud/org/System/saml/metadata/alias/vcd). Make sure the certificate (below) is valid.
  2. Login to vSphere Web Client as SSO admin and go to Administration/Single Sign-On/Configuration/SAML Service Providers
  3. Import the metadata from step #1
  4. Download the vsphere.local.xml metadata from the link below.
  5. Go back to VCD, check use SAML Identity Provider and upload metadata from #4.

Note that Import Users/Group source now changes from vSphere SSO to SAML.

vCloud Director 8.20
vCloud Director 9.0

 

Update 6-27-2018

Some additional notes about issues you might experience in order to get proper functionality of vCenter SSO federation:

  • Make sure that Public Addresses section contains correct FQDN of vCloud Director (pointing to the VIP of the load balancer)
  • Also make sure that the full certificate chain is uploaded as well (cert+intermediate+root)

  • Make sure vCloud Director is registered in vCenter SSO Lookup Service (Federation section – vSphere Services)
  • If you change vCloud Director public name or certificate, re-register vCloud Director to Lookup Service
  • If you change vCloud Director public name you must regenerate federation certificate by clicking Regenerate button to update endpoint addresses in the Metadata document.
  • The federation certificate has 1 year duration. You can use vCloud API to upload your own certificate with extended duration (PUT /admin/org/{id}/settings/federation)
Advertisements

6 thoughts on “vCloud Director 9: SAML2 Federation for System Administrators

  1. Hi Tomas,

    interesting post. A larger question around vCD and 2FA. We are using F5 for this but it is poorly documented by F5 and somewhat poorly integrated. Several workarounds are required for pass-through authentication and to get the VMRC to work. Are there any views on this you would like to share or solutions on vCD Portal login with 2FA?

    regards
    Ross

  2. Hi Tom I have tried this to configure vCAV but every time i try to authenticate i got an error that it says that the endpoint did not match. It had happened to you?

    2018-04-16 16:52:28,482 | ERROR | pool-jetty-63 | BaseSAMLMessageDecoder | SAML message intended destination endpoint ‘http://vcloud.soluciones.com.ar/cloud/saml/SSO/alias/vcd’ did not match the recipient endpoint ‘https://vcloud.soluciones.com.ar//saml/SSO/alias/vcd’ | requestId=4193462a-5ad5-4496-886f-31d982405fb1,request=POST https://vcloud.soluciones.com.ar/cloud/saml/SSO/alias/vcd,requestTime=1523908348471,remoteAddress=10.10.0.121:54715,userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100…,accept=text/html application/xhtml+xml application/xml;q 0.9 */*;q 0.8
    2018-04-16 16:52:28,483 | DEBUG | pool-jetty-63 | SAMLProcessingFilter | Incoming SAML message is invalid | requestId=4193462a-5ad5-4496-886f-31d982405fb1,request=POST https://vcloud.soluciones.com.ar/cloud/saml/SSO/alias/vcd,requestTime=1523908348471,remoteAddress=10.10.0.121:54715,userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100…,accept=text/html application/xhtml+xml application/xml;q 0.9 */*;q 0.8
    org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint

    1. This usually happens if you change public addresses section in VCD after you register it to SSO Lookup Service. The fix is to unregister VCD from SSO LS and register it again. Then redo the SAML2 config.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.