vCloud Director 9: SAML2 Federation for System Administrators

In vCloud Director 8.20 and older, system administrators (the provider context) could use local, LDAP and vSphere SSO accounts. vCloud Director 9.0 replaces vSphere SSO accounts with more generic SAML2 accounts, which means you can use the same IdP mechanism in both the tenant and the system context.

This change, however, breaks the previous vSphere SSO federation, which was as simple as entering the vSphere Lookup Service URL and enabling vSphere Single Sign-On with a check box (a check box that is no longer there in vCloud Director 9.0).

Here is the procedure to enable vSphere Single Sign-On in vCloud Director 9.0.

  1. Log in to vCloud Director as system admin and from Administration > System Settings > Federation download the metadata document (spring_saml_metadata.xml) from the link provided (../cloud/org/System/saml/metadata/alias/vcd). Make sure the certificate (below) is valid.
  2. Log in to the vSphere Web Client as SSO admin and go to Administration > Single Sign-On > Configuration > SAML Service Providers.
  3. Import the metadata from step #1.
  4. Download the vsphere.local.xml metadata from the link below.
  5. Go back to VCD, check Use SAML Identity Provider and upload the metadata from step #4.

Note that Import Users/Group source now changes from vSphere SSO to SAML.

Screenshots: federation settings in vCloud Director 8.20 and vCloud Director 9.0

Update 6-27-2018

Some additional notes about issues you might experience before vCenter SSO federation works properly:

  • Make sure that the Public Addresses section contains the correct FQDN of vCloud Director (pointing to the VIP of the load balancer)
  • Also make sure that the full certificate chain is uploaded as well (cert + intermediate + root)
  • Make sure vCloud Director is registered in the vCenter SSO Lookup Service (Federation section – vSphere Services)
  • If you change the vCloud Director public name or certificate, re-register vCloud Director with the Lookup Service
  • If you change the vCloud Director public name, you must regenerate the federation certificate by clicking the Regenerate button to update the endpoint addresses in the metadata document.
  • The federation certificate is valid for 1 year. You can use the vCloud API to upload your own certificate with a longer validity (PUT /admin/org/{id}/settings/federation)
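Before importing the spring_saml_metadata.xml from step 1 into vCenter SSO, it is worth checking that every endpoint in it already carries the public FQDN over https (the Public Addresses notes above). The script below is an added example, not part of the original post or of vCloud Director; the metadata document and the host names in it are constructed samples.

```python
"""Sanity-check a vCloud Director SP SAML metadata document before importing
it into vCenter SSO: every endpoint must use https and the public FQDN."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample, not a real VCD export: the endpoints were generated
# before the Public Addresses section was corrected (http, internal host).
STALE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://vcd-01.example.internal/cloud/org/System/saml/metadata/alias/vcd">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://vcd-01.example.internal/cloud/saml/SingleLogout/alias/vcd"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://vcd-01.example.internal/cloud/saml/SSO/alias/vcd" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def endpoint_urls(metadata_xml):
    """Return (kind, url) pairs for the entityID and every SP endpoint."""
    root = ET.fromstring(metadata_xml)
    urls = [("entityID", root.get("entityID"))]
    for tag in ("md:AssertionConsumerService", "md:SingleLogoutService"):
        for el in root.iterfind(f"md:SPSSODescriptor/{tag}", MD_NS):
            urls.append((tag.split(":")[1], el.get("Location")))
    return urls


def check_sp_metadata(metadata_xml, public_fqdn):
    """Return a list of problems; an empty list means the metadata is safe to import."""
    problems = []
    for kind, url in endpoint_urls(metadata_xml):
        u = urlparse(url)
        if u.scheme != "https":
            problems.append(f"{kind}: scheme is {u.scheme!r}, expected https")
        if u.hostname != public_fqdn:
            problems.append(f"{kind}: host {u.hostname!r} != public FQDN {public_fqdn!r}")
        # A doubled slash or a path outside /cloud/ breaks the recipient endpoint match.
        if "//" in u.path or not u.path.startswith("/cloud/"):
            problems.append(f"{kind}: unexpected path {u.path!r}")
    return problems


if __name__ == "__main__":
    for problem in check_sp_metadata(STALE_METADATA, "vcloud.example.com"):
        print("PROBLEM:", problem)
```

If the script reports problems, fix the Public Addresses section, click Regenerate and download the metadata again rather than importing the stale document.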

Update 2/22/2021

vSphere 7 does not have the UI to export IdP and import service provider SAML metadata. You can still use the vCenter CLI to achieve the same:

/opt/vmware/bin/sso-config.sh -get_sso_saml2_metadata -t vsphere.local /tmp/vsphere.local.xml
/opt/vmware/bin/sso-config.sh -register_sp -t vsphere.local /tmp/spring_saml_metadata.xml

8 thoughts on "vCloud Director 9: SAML2 Federation for System Administrators"

  1. Hi Tomas,

    interesting post. A larger question around vCD and 2FA. We are using F5 for this but it is poorly documented by F5 and somewhat poorly integrated. Several workarounds are required for pass-through authentication and to get the VMRC to work. Are there any views on this you would like to share or solutions on vCD Portal login with 2FA?

    regards
    Ross

  2. Hi Tom, I have tried this to configure vCAV, but every time I try to authenticate I get an error saying that the endpoint did not match. Has it happened to you?

    2018-04-16 16:52:28,482 | ERROR | pool-jetty-63 | BaseSAMLMessageDecoder | SAML message intended destination endpoint 'http://vcloud.soluciones.com.ar/cloud/saml/SSO/alias/vcd' did not match the recipient endpoint 'https://vcloud.soluciones.com.ar//saml/SSO/alias/vcd' | requestId=4193462a-5ad5-4496-886f-31d982405fb1,request=POST https://vcloud.soluciones.com.ar/cloud/saml/SSO/alias/vcd,requestTime=1523908348471,remoteAddress=10.10.0.121:54715,userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100…,accept=text/html application/xhtml+xml application/xml;q 0.9 */*;q 0.8
    2018-04-16 16:52:28,483 | DEBUG | pool-jetty-63 | SAMLProcessingFilter | Incoming SAML message is invalid | requestId=4193462a-5ad5-4496-886f-31d982405fb1,request=POST https://vcloud.soluciones.com.ar/cloud/saml/SSO/alias/vcd,requestTime=1523908348471,remoteAddress=10.10.0.121:54715,userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100…,accept=text/html application/xhtml+xml application/xml;q 0.9 */*;q 0.8
    org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint

    1. This usually happens if you change the Public Addresses section in VCD after you register it with the SSO Lookup Service. The fix is to unregister VCD from the SSO LS and register it again. Then redo the SAML2 config.

  3. Can I give a TIP?
    After the configuration, close all browser windows or use another browser to test. If you use the same window you can get some invalid tokens from the last authentications and the error message "SAML Failed to authenticate org", and you will lose a lot of time troubleshooting a simple cookie or token thing.
