The guide was initially written for vCloud Director 9.7. From vCloud Director version 10 the SAML assertion sent from VCD for service initiated login has changed (AssertionConsumerServiceIndex with index value 0 is used instead of ProtocolBinding). To accommodate the change, the steps 3 and 6 of the guide have small changes. The IdP initiated login will still work.
IBM Cloud Identity is a cloud SaaS Single Sign-On solution supporting multifactor authentication and identity governance. In this article I will describe how to integrate it with vCloud Director, where vCloud Director acts as a service provider and IBM Cloud Identity as an identity provider.
I have already wrote numerous posts how to federate vCloud Director with Microsoft Active Director Federation Service, VMware Identity Manager and vCenter Single Sign-On. What makes the integration different for IBM Cloud Identity is that it does not accept vCloud Director metadata XML for simple service provider setup and thus the integration requires more steps.
IBM Cloud Identity is a SaaS service and can be for free set up in a few minutes. It is pretty straight forward and I will skip that part.
As usual, in vCloud Director as Organization Administrator we must prepare the organization for federation. It means making sure that in the in the Administration > Settings > Federation the Entity ID is not empty and up-to-date certificate is generated that will be used to trust and secure the SAML2 assertion exchange between IdP and vCloud Director. The vCloud Director autogenerated self-signed certificate has always 1 year validity, which means once a year it must be regenerated (and the IdP reconfigured). The Organization Administrator is alerted via email when the expiration date is approaching. With vCloud API it is possible to provide your own publicly trusted certificate (with possibly longer validity).
Now we can download the metadata XML from the link provided on the same screen. As mentioned above we unfortunately cannot just upload it to IBM Cloud Identity, instead we need to manually retrieve the correct information from the downloaded spring_saml_metadata.xml file.
We will need the federation certificate (<ds:X509Certificate>) saved as properly formated PEM file:
Assertion consumer service URL which is in my case: https://vcloud.fojta.com/cloud/org/ibm/saml/SSO/alias/vcd
and entityID – in my case IBM.
Now in IBM Cloud Identity we can set up the application:
- Upload the vCloud Director federation certificate in Settings > Certificates > Add Signer Certificate:
- Create new application in Applications > Add > Custom Application and set up General details like Description, icon and Application Owners.
- Now in Sign-On submenu we can enter all details we have collected from vCloud Director:
– Sign-on Method: SAML2.0
– Provider ID: <EntityID>
– Assertion Consumer Service URL
– optionally check Use identity provider initiated single sign-on checkbox and provide Target URL in BASE64 encoded string (in my case I used H5 tenant endpoint URL: https://vcloud.fojta.com/tenant/ibm which base64 encoded translates to: aHR0cHM6Ly92Y2xvdWQuZm9qdGEuY29tL3RlbmFudC9pYm0
– Service Provider SSO URL (same as Assertion Consumer Service URL)
– check Sign authentication response and pick Signature Althorithm RSA_SHA256
– check Validate SAML request signature and pick the certificate from step #1
– optionally check Encrypt assertion
– Name Identifier: preferred_username
– NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
vCloud Director 10+ changes:
– Check Use unique ID.
– Click on Add another URL.
– Type a valid dummy URL that is different than the first one. For example: https://vcloud.fojta.com/login/org/ibm/saml/alias/vcd
– Adjust Index values so they start from 0.
- Uncheck: Send all known user attributes in the SAML assertion and instead provide custom list of Attributes to be used. vCloud Director supports the following attributes:
You can configure the mapping to each. I used preferred_username to be used for vCloud Director username (but alternatively email could be used as well) and did not map Role attribute as I will manage roles in vCloud Director and not leverage Defer to Indentity Provider Role.
- Configure Access Policies and Entitlements to specify which users/groups can use vCloud Director.
- After saving the application configuration, we can retrieve its SAML2.0 federation metadata from the link provided on the right side of the Sign-On screen.
vCloud Director 10+ change:
Use the (Unique ID) link below:
- Back in vCloud Director > Administration > Settings > Federation check Use SAML Identity Provider and upload the downloaded metadata.xml file from the previous step.
- Finally we need to import SAML users/groups and assign their role.
If everything done correctly you should be able to login both from IBM Cloud Identity and vCloud Director with the IdP user.