About six months ago I blogged about VMware Identity Manager (VIDM) federation with vCloud Director. That article is still fully valid (start there if you have not read it yet); however, with the introduction of the new tenant HTML5 user interface I want to describe how you can now choose which UI (legacy or new HTML5) the user will be redirected to.
When a vCloud Director organization is federated with an external IdP, there are two different login workflows:
- In the first workflow the user goes to the vCloud Director URL and is redirected to the external IdP to authenticate. After authentication the user is redirected back to vCloud Director, and depending on which URL she initially used, she lands in the legacy UI (https://vcloud.example.com/cloud/org/coke) or in the HTML5 UI (https://vcloud.example.com/tenant/coke).
- In the second workflow the user authenticates to the external IdP first and is then presented with a catalog of federated apps accessible through Single Sign-On. Below is an example of the VMware Workspace ONE catalog.
Clicking an app's tile redirects the user to that app and signs her in directly.
The VIDM integration as described in the previous post will, however, always redirect the user to the legacy UI. So how do you force the use of the new HTML5 UI?
This is done by adding a Relay State URL to the configuration of the Web App in VIDM. The tricky part is that (at least as of version 9.5) vCloud Director expects this value to be Base64 encoded rather than the plain URL.
So in my example, the HTML5 URL of the organization I want the user to land in is https://vcloud.fojta.com/tenant/coke, which Base64-encodes to aHR0cHM6Ly92Y2xvdWQuZm9qdGEuY29tL3RlbmFudC9jb2tl, and that is what must be entered in the Relay State URL field.
I can now create two Web App tiles for the user (one per UI), so she can choose which UI to go to.
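The following Python helper is an added example, not code from the original post or from VMware: it builds the legacy and HTML5 landing URLs for an organization, produces the Base64 RelayState value you paste into the VIDM Web App, and decodes a RelayState back so you can confirm before going live that it really points at your own vCloud Director host. The host and organization name are the ones used in this post; the `check_relay_state` validation is my own sanity check, not a description of what vCloud Director does internally.

```python
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed example values: the vCD host and organization from this post.
VCD_HOST = "vcloud.fojta.com"
ORG = "coke"


def ui_url(host: str, org: str, html5: bool = True) -> str:
    """Landing URL of an organization in the HTML5 UI (/tenant/<org>)
    or in the legacy UI (/cloud/org/<org>)."""
    path = f"/tenant/{org}" if html5 else f"/cloud/org/{org}"
    return f"https://{host}{path}"


def relay_state_for(url: str) -> str:
    """Base64-encode a landing URL, which is what vCD 9.5 expects
    in the VIDM Web App's Relay State URL field."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


def check_relay_state(relay_state: str, expected_host: str) -> Optional[str]:
    """Decode a RelayState value and return the URL only if it is a valid
    Base64 string holding an https URL on expected_host under one of the
    two vCD UI paths. Returns None otherwise. (Hypothetical pre-flight
    check for the admin, not vCD's own logic.)"""
    try:
        url = base64.b64decode(relay_state, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    if parts.netloc.lower() != expected_host.lower():
        # A RelayState pointing at another host would send the user elsewhere
        # after login; refuse it rather than paste it into the Web App.
        return None
    if not (parts.path.startswith("/tenant/") or parts.path.startswith("/cloud/org/")):
        return None
    return url


def web_app_tiles(host: str, org: str) -> Dict[str, str]:
    """RelayState values for the two Web App tiles (legacy and HTML5)
    described in the post."""
    return {
        "legacy": relay_state_for(ui_url(host, org, html5=False)),
        "html5": relay_state_for(ui_url(host, org, html5=True)),
    }


if __name__ == "__main__":
    for name, rs in web_app_tiles(VCD_HOST, ORG).items():
        print(f"{name}: {rs} -> {check_relay_state(rs, VCD_HOST)}")
```

Paste the `html5` value into the Relay State URL field of the HTML5 tile and the `legacy` value into the other tile; run `check_relay_state` on whatever ends up in the field after a copy and paste, since a trailing newline or a stray character will silently turn into a different decoded URL.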
5 thoughts on “vCloud Director 9.5 and VMware Identity Manager Integration”
Thanks so much Tom, we've been struggling over this as we ran into issues using the HTML5 endpoint for the SAML assertion POST config on our IdP. This helped us get past that hurdle. (Can confirm that 9.1 is also happy with the Base64-encoded RelayState URL.)
Thanks for your article. I have some queries about the vCloud Director HA setup; could you please help?
We have set up the vCloud Director software (VCD 9.5.0) on 2 VMs (active/passive) with CentOS 7.10, and also installed PostgreSQL on 2 VMs (active/passive) with CentOS 7.10.
The setup is as follows:
VCD application setup
1) 2 nodes, with CentOS 7.10, active/passive
2) /opt filesystem for the vCloud binary installation, managed by DRBD to replicate to the other node
3) Clustering software used: pacemaker; a virtual IP is assigned to the https service.
Database setup
1) 2 nodes, with CentOS 7.10, active/passive
2) /var/lib/pgsql filesystem for the postgresql-9.5 database, managed by DRBD to replicate to the other node
3) Clustering software used: Corosync, pacemaker & DRBD; a virtual IP is assigned to the DB instance.
Can we go with this setup, or should it be routed through an NFS mount point only? Please let me know which approach is the correct one.
VCD cells should all be in active/active mode behind a load balancer. The shared NFS transfer share is mounted on all cells at the transfer share path (/opt/vmware/vcloud-director/data/transfer).
For the DB use any PostgreSQL HA solution you are comfortable with. VMware does not prescribe (nor support) any.
Thank you Tom for reply.
Is a REST API available for SaaS web application creation?