vCloud Director 9.5 and VMware Identity Manager Integration

About six months ago I blogged about VMware Identity Manager (VIDM) federation with vCloud Director. That article is still fully valid (and start there if you have not read it yet), however with the introduction of the new tenant HTML 5 user interface I want to describe how you can now chose which UI (legacy or new HTML5) the user will be redirected to.

When a vCloud Director organization is federated with an external IdP there are two different workflows for the login process:

• In the first workflow the user goes to vCloud Director URL and is redirected to the external IdP to authenticate. After the authentication the user is redirected back to vCloud Director. Now depending on which URL the user initially used, she will be redirected to legacy UI (https://vcloud.example.com/cloud/org/coke) or HTML 5 UI (https://vcloud.example.com/tenant/coke).
• In the second workflow, the user authenticates to the external IdP first and then is presented with catalog of federated apps and accessible through Single SignOn. Below is an example of VMware Workspace One catalog.
  
  Clicking a tile with of an app will redirect and sign-in the user directly to the particular app.

The VIDM integration as described in the previous post will however always redirect the user to the legacy UI. So how to force the usage of the new HTML 5 UI?

The is done by adding the Relay State URL to the config of the Web App in VIDM. The tricky part is that (at least as of version 9.5) vCloud Director expects the parameter to be Base64 encoded.

So in my example, the HTML 5 URL for the particular organization I want the user to be redirected to is: https://vcloud.fojta.com/tenant/coke which is Base64 encoded to: aHR0cHM6Ly92Y2xvdWQuZm9qdGEuY29tL3RlbmFudC9jb2tl and that is what must be entered in the Relay State URL field.

I can now create two Web App tiles for the user, so she can choose to which UI to go.

Advertisements

Embedding vCloud Availability Portal into vCloud Director UI

Some time ago I blogged about the possibility to link to vCloud Availability Portal directly from vCloud Director UI (here and here). This was done by inserting custom links into the vCloud Director Flex UI.

vCloud Director 9.x tenant HTML5 UI provides much richer possibilities to embed additional links, pages and full websites. My colleague Kelby Valenti wrote two whitepapers and one blog post how to do so.

Extending VMware vCloud Director User Interface Using Portal

ExtensibilityExtending VMware vCloud Director User Interface Using Portal Extensibility – Ticketing Example

Publishing vCloud Director User Interface Extensions

VMware also already released one service that integrates its UI into vCloud Director – vRealize Operations Tenant App.

In the below screenshot you can see VCD UI extended with five new sections that appear as additional menu options next to Datacenters, Libraries and Administration:

Stub Module – default example included in the UI Extensibility SDK providing static page example (Terms of Service, etc.).

Operations Manager – above mentioned vRealize Operations Tenant App

Blog – this blog embedded as iframe.

Documentation – Static page with links to vCloud Director documentation.

The last module is the vCloud Availability 2.0 portal – the subject of this article:

It is also embedded using iframe.

I am attaching the source files so you can download and adapt them for your purposes. You will also need the SDK and I recommend deployment automation created by Kelby as described in his blog post listed above.

Some notes:

• The actual link to the portal is in the src/main/vcav.component.ts file. In my case it is https://portal.proxy.cpsbu.local so replace it with the correct link for your environment.
• For security reasons the vCloud Availability portal prohibits being rendered in browser frame by setting  X-Frame-Options header to DENY. To work around this limitation I am replacing the header with X-Frame-Options: ALLOW-FROM <VCD-url> on the existing load balancer that is load balancing my two vCloud Availability Portal nodes as well as redirecting external port 443 to appliances’ port 8443. This is done with NSX Edge Gateway, SSL termination and the following application rule:
  
• The link to the portal is also passing the vCloud Director session authentication token for Single Sign-On. Note that however in the current release (2.0.1) this functionality is broken.

 

vCloud Director 9: Customize Tenant UI

vCloud Director 9 introduces brand new HTML5 tenant user interface. It currently provides only limited set of operations:

• simplified workflow to create VMs without the need to create vApps
• view and modify (but not create) vApps
• create and configure networks and networking services
• configure multisite organization associations

The legacy (flex) UI is still available and the user can jump to it if needed which is useful especially for Org Administrators.

The new UI can be modified – in the initial release with the following elements:

• Portal name
• Portal color (in RGB HEX format e.g. #EE00EE)
• Portal theme (default/dark)
• Logo (png file of max size 512 KB)

This will expand in the future with tenant granularity, custom themes and custom links, but for now we have only these four elements.

The configuration must be done with new CloudAPI which is JSON based. At the time of writing its documentation has not been yet published.

• Retrieve authentication token with vCloud API or UI
• Use the following call to change logo:

PUT /cloudapi/branding/logo

Content-Type: image/png

x-vcloud-authorization: …

Body: <binary image file>

• Use the following call to change other elements:

PUT /cloudapi/branding

Content-Type: application/json

x-vcloud-authorization: …

Body:
{
    “portalName”: “vCloud Director 9.0”,
    “portalColor”: “#EE00EE”,
    “selectedTheme”: {
        “themeType”: “BUILT_IN”,
        “name”: “Dark”    },
    “customLinks”: []
}

How to Customize vCloud Director UI

Service providers who are offering additional services beyond vanilla vCloud Director IaaS were asking how to add links to them in the existing (Flex) vCloud Director UI.

vCloud Director 8.20 provides very simple way to extend the right column of the Home screen with additional sections and static links. It is really simple extensibility and should be used as interim solution until the new HTML 5 UI will fully replace the existing UI and which will be more extensible.

In the screenshot below you can see that the right section has been extended with vCloud Availability, Backup and Other sections.

The configuration of these links is very simple and is done from cell-management-tool on any vCloud cell.

In my example I used:

./cell-management-tool manage-config -n ui.tenant.customOrgLinks -v “
# vCloud Availability
[Monitor Replications](https://vcloud.fojta.com:8443)
# Backup
[Configure Backup](https://backup.fojta.com)
# Other
[Request Support](https://help.fojta.com)
[Impressum](https://www.fojta.com/impressum)”

Where # denotes the section header, [] the link name and () the link.

It is also possible to pass vCloud session ID as parameter in the URL by including {vcdSession} string.

The CMT manage-config command creates/modifies database entry in the config table tenant-customOrgLinks with the provided value in the quotes. Re-running it will replace the previous entry. The change is immediate, no need to run this on other cells or restart vcd services.

One last note, the right column on the home screen is not visible to all user roles. The role needs to have General > Administrator Control right.