Although in the past I have already blogged about vCloud Director federation with VMware Workspace and Microsoft AD FS, I still have not written a guide on how to achieve organization federation with VMware Identity Manager.
VMware Identity Manager (VIDM) is a Single Sign-On solution that integrates with multiple identity providers (such as Active Directory) and offers App Store-like access to multiple subscribed services with adaptive access (including multi-factor authentication such as VMware Verify, DUO or RSA SecurID).
Thanks to SSO, users can log in to multiple different cloud services from a single page. One such service can be vCloud Director, and this article describes how to achieve this.
VIDM is provided as a virtual appliance that can be deployed in a load-balanced distributed or simple configuration with an external Microsoft SQL database or, for evaluation purposes, with an embedded PostgreSQL database. It is also provided as a cloud service.
I have deployed VIDM 3.2 in my lab in a single embedded database configuration and connected it to my lab Active Directory. VIDM also provides its own internal IdP (System Domain), so it can also be used without an external AD/LDAP.
- In the vCloud Director Organization, enable Federation by setting the Entity ID to the Org Name (or any other unique string), generate a fresh certificate and download the Metadata from the link provided (file spring_saml_metadata.xml). This can be done as System or Organization Administrator.
- In VIDM go to Catalog and create a new web application. You have to be logged in as VIDM Administrator. Enter the application name and description, upload an icon and choose a category.
- In the next screen keep Authentication Type SAML 2.0 and paste the XML metadata from step #1 into the URL/XML window. Scroll down to Advanced Properties.
- In Advanced Properties we will keep the defaults but add Custom Attribute Mappings, which describe how VIDM user attributes will translate to VCD user attributes. Here is the list:
| Name | Value |
| --- | --- |
| UserName | ${user.userName} |
| EmailAddress | ${user.email} |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | ${user.lastName} |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | ${user.firstName} |
| Groups | CokeAdmins |
| Roles | ${user.employeeID} |
Format is always Basic and Namespace is blank. Let me explain what is going on here. The first two mappings should be clear. UserName specifies how the user will be recognized by vCloud Director, and EmailAddress will be his/her email address for notifications. The next two parameters contain the given name and surname, which VCD combines into the full name. I am not sure why the assertion name needs to be specified in such a long format, but only this way did it work for me. In theory you could also pass ‘fullname’ if you have a field in your directory that contains the full name (my Active Directory does not).
Next we have Groups. I do not know how to pass AD groups in a dynamic way, so this is a hardcoded example: all users who use this SaaS definition will belong to the CokeAdmins group. You can obviously omit this if you will only import users by name.
The last property is Roles. Again, this is optional and should be used only if we want to manage roles in the IdP and not in VCD, where we would import the user with the Defer to Identity Provider role (see here for more details). I am using the otherwise unused AD Employee ID field here.
- Now we can finish the wizard by clicking Next, selecting an access policy (keep the default) and reviewing the Summary on the next screen. As the last step we can click Save & Assign, where we are prompted to select the users that should have this newly created App in their catalog.
- Next we need to retrieve the VIDM metadata configuration by going back to Catalog (all the way up) and clicking Settings. From SAML Metadata download the Identity Provider (IdP) metadata.
- Now we can finalize the SAML configuration in vCloud Director. Still on the Federation page, tick the Use SAML Identity Provider checkbox, import the downloaded metadata (idp.xml) with the Browse and Upload buttons and click Apply.
- From now on, the login screen will default to SAML authentication, but you can always revert to local authentication with: https://<vcloud_fqdn>/cloud/org/<org-name>/login.jsp
However, we first need to import some users/groups to be able to use SAML. You might need to re-login to see the option to add SAML users and groups. You can import VIDM users by their user name or by group (the hardcoded name CokeAdmins). We can assign a role or optionally leverage Defer to IdP (if you have the role field populated in AD).
- Log in to VIDM and click on the application tile to be logged straight into the VCD Organization (the legacy Flex UI).
You can also directly enter the Flex or HTML5 URL and you will be redirected to the VIDM login screen.
As mentioned in step 4, I am managing user roles from Active Directory, so I just need to import one group into VCD with the Defer to IdP role and I am done with user management in VCD. The role field that VIDM uses is EmployeeID; however, that field in AD can only have a numerical value, and VCD expects the role as a text string. The workaround I am using is that in AD I actually use the User Description field and then in VIDM I have changed the mapping. So let's first have a look at how it looks in AD:
Here is my VIDM custom AD IdP mapping:
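As an added example (not code from the original post or from VMware), here is a small Python script that reads the AttributeStatement of a SAML assertion carrying the attribute names from the mappings above and shows how vCloud Director would see the resulting user: UserName, EmailAddress, the given name and surname combined into a full name, Groups and Roles. It also flags a purely numeric Roles value, which is the EmployeeID problem described above. The assertion is a constructed sample; signature and condition validation are out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample assertion (made-up values) using the VIDM custom attribute
# mapping names from the post; a real assertion would also carry a Signature.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups"><saml:AttributeValue>CokeAdmins</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Roles"><saml:AttributeValue>Organization Administrator</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def vcd_user_view(attrs):
    """Combine the mapped attributes the way the post describes VCD reading them.

    Returns (user_dict, problems); problems lists mapping issues worth checking
    before importing the user into the VCD Organization.
    """
    first = lambda name: attrs.get(name, [""])[0]
    user = {
        "username": first("UserName"),
        "email": first("EmailAddress"),
        # VCD builds the full name from the two claim-URI-named attributes.
        "full_name": (first(CLAIMS + "givenname") + " " + first(CLAIMS + "surname")).strip(),
        "groups": attrs.get("Groups", []),
        "role": first("Roles"),
    }
    problems = []
    if not user["username"]:
        problems.append("UserName missing: VCD cannot match the assertion to an imported user")
    if user["role"].isdigit():
        problems.append("Roles is numeric (raw AD EmployeeID?): VCD expects a role name string")
    return user, problems
```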
Great information, thanks for this. One question. Where did you deploy the VIDM in your lab? Was it inside a VDC or a separate cluster accessible by the VDC?
Outside of VCD. VIDM can be deployed on-prem by the tenant in their own datacenter as it needs to have connectivity to the tenant IdPs. Alternatively the SP can deploy it in their DC and make it accessible from the internet while having an internal connection to the SP's IdPs.
Great article as usual, Tomas! I gave it a try and got it running in a really short time so thanks!
There’s just one thing that doesn’t appear to be working: the logout. No matter if I log out from the vCloud or vIDM side and close both tabs, if I reopen vCloud’s tab I am still logged in. Any idea?
I am on vCloud 8.20 and vIDM 3.3, if that makes any difference.
Thanks in advance!
You have to log out from both or close the browser to clear the sessions.
Hi Tom,
Do you have any idea on Duo Security?
I mean vCloud Director integration with Duo Security?
Thanks,
Manivel
I had DUO set up with VCD through vIDM.
Thanks Tom for the update. If you have any inputs, please share them with me.
There are 3 areas in total we need to concentrate on.
1) DUO (DUO Access Gateway machine). I created a new name with this host name as “globalduolab.uslocal.in”
2) DUO admin console.
3) vCloud Director federation (identity manager) —> My vCloud Director URL is “globalvcdlab.uslocal.in”
We are not using VIDM (as an identity provider); however, we are using DUO SAML only.
I.e. in my setup, there is no AD setup as of now, and we are using Duo Access Gateway (we installed this DAG on one Linux machine) and it acts as a SAML identity provider (IdP).
1) DUO (DUO Access Gateway machine).
*Source type(Specify the authentication source to configure) —>SAML(idp)
*Entity ID(idp-entity-id)—>”https://globalduolab.uslocal.in”
The global, unique name for your SAML entity. This is provided by your primary authentication identity provider.
*Single sign-on URL——>”https://globalduolab.uslocal.in”
URL to use when performing primary authentication. This is provided by your primary authentication identity provider.
*Single logout URL——->”https://globalduolab.uslocal.in”
URL to use when logging out. This is provided by your primary authentication identity provider.
After configuring this, we uploaded the JSON file into it (we got the JSON file after configuring the service provider under the DUO admin console) and at the same time we got the XML file from here to be uploaded into vCloud Director SAML (under Federation).
2) DUO admin console. Service provider configuration.
*service provider name——->vCloud director
The name of the service provider being configured.
*Entity ID——————>”https://globalduolab.uslocal.in”
The unique identifier of the service provider.
Assertion Consumer Service—->”https://globalvcdlab.uslocal.in/cloud/org/saml/System/etc…” —->Taken from VCD federation(metadata link)
The service provider endpoint that receives and processes SAML assertions.
Single Logout URL—->”https://globalvcdlab.uslocal.in/cloud/#”
Optional: The service provider endpoint that receives and processes SAML logout requests.
Service Provider Login URL——>”https://globalvcdlab.uslocal.in/cloud/”
Optional: A URL provided by your service provider that will start a SAML authentication. Leave blank if unsure.
After configuring the service provider, we got a JSON file from this.
3) vCloud Director: We got the XML file from the DAG and uploaded it into vCloud Director (under Federation).
We have configured it like this; however, when I’m trying to open VCD (it is re-routing to the DAG), I’m getting the message “Oops! We could not authenticate you to the requested site”
Any ideas? Have I misconfigured anything anywhere?
Thank you,
Manivel R
Sorry, I cannot help as I used VCD-vIDM integration and vIDM-DUO integration. Not VCD-DUO. Also have a look for my other SAML2 integration posts to see if that helps: https://fojta.wordpress.com/2019/03/22/vcloud-director-federation-with-ibm-cloud-identity/
No problem. Thanks for your update Tom.
Hi Tom,
We completed the setup with VCD/DUO (with ADFS): the first auth is AD credentials and the second auth is a DUO push (to my mobile). Everything is working fine. After approving the DUO push from my mobile, it is landing on the VCD page where we are getting the error “SAML authentication failed for this organization”
“Use integrated authentication”. If I use this integrated auth (VCD local account), everything works. How to mitigate the SAML auth issue? Any ideas?
Thanks,
Manivel R
https://fojta.wordpress.com/2016/11/22/configure-active-directory-federation-for-vcloud-director-organization/
I’m using AD as an authentication source, so I need to get the metadata XML file from ADFS and then import it into vCloud Director.
Instead of this, I took the XML file from my DAG (Linux gateway) and imported it into vCloud Director federation.
I think this is the wrong procedure.
As per your above link, I need to install ADFS and get the metadata XML file, which can then be imported into vCloud Director.
Am I right?
Hi Tomas,
The issue has been fixed.
Summary:-
Identity provider: AD only. ADFS is not required. We just need to create users with an email ID.
Service provider: vCloud Director.
DAG: This is the Linux Duo Access Gateway that enables two-factor authentication. Here the authentication source has been set as AD. By default, it will provide an XML file; we just need to download this XML file and import it in the vCloud Director SAML federation. Also you need to import a JSON file here (this will be taken from the Duo admin console).
Duo admin console: We need to create a new service provider in which the service provider name, ACS, SSO login and logout should be defined. Here the SAML attribute is mentioned as email. After providing this information, you need to save the service provider configuration; also you can get the JSON file.
In AD user properties, we need to set the email ID, and also in the vCloud Director user section, we need to import the user (SAML) as “rr@example.com”.
I had given the user name only earlier in the SAML user section (VCD). Now the email ID has been given as “rr@example.com” and the issue has been fixed.
Thank you for your time.
Thank you,
Manivel RR
Wonderful article Tomas. Thumbs up for you. Please, how can I use IDM to set up 2FA for my tenant in vCloud using VMware Verify at my Data Center? The tenant should be able to log in to their portal using their local username accounts, with the 2nd authentication provided by IDM with VMware Verify on their mobile phone.
Thanks for your prompt response
David A
https://docs.vmware.com/en/VMware-Identity-Manager/3.3/idm-administrator/GUID-FE8A5B1C-BC17-4A5C-BC8D-614C5EE4057A.html
Thank you Tomas for this brilliant post. We need to manage rights given by “GROUPS”. Did you find any solution to federate vcloud with vIDM groups ? Actually a static group hard coded is not a solution for us. Thank you Tomas.
For vIDM Groups mapping, use “Groups” as Name and “${groupNames}” under Value.
Hi Tom,
Have you got any information about licensing for VCPP Service Providers? I cannot find any relevant information about the product for SPs; the VCPP usage guide does not mention this product (vIDM, or under its new name VMware Workspace ONE Access), but we have licenses in myvmware.com under our VCPP contract…
Is the product free for SPs?
Thanks
Sorry, I cannot help with licensing. Please contact your VMware System Engineer.