Karim Elatov

VMware vCloud Director integration with RSA SecurID Access

Blog Post created by Karim Elatov Employee on Feb 18, 2016

This guide is intended to provide instructions on how to configure vCloud Director as an SP (Service Provider) and RSA Via Access as an IdP (Identity Provider). Before we get started I will use these URLs throughout the guide:

Export vCloud Director Metadata

If you would like you can also export the metadata from vCloud director. The URL for the metadata is the following:

If you export the metadata you will get something like this:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://myvcloud.com:443/cloud/org/via-saml/saml/metadata/alias/vcd" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIB3T=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIB3TC=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myvcloud.com:443/cloud/org/via-saml/saml/SingleLogout/alias/vcd"/>      
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myvcloud.com:443/cloud/org/via-saml/saml/SingleLogout/alias/vcd"/>        
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://myvcloud.com:443/cloud/org/via-saml/saml/SingleLogout/alias/vcd"/>       
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>  
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>      
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>     
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>   
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>   
        
       <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myvcloud.com:443/cloud/org/via-saml/saml/SSO/alias/vcd" index="0" isDefault="true"/>   
        
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="https://myvcloud.com:443/cloud/org/via-saml/saml/HoKSSO/alias/vcd" hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1" xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

 

If you import the metadata it will configure the connector to be Encrypt the Assertion and to validate the signed AuthN Request, but you can actually get without those.Here is how the import will look like:

 

vd-import.png

Configure RSA Via Manually For vCloud Director

The VMware site Enable Your Organization to Use an SAML Identity Provider has most of the requirements:

Create an XML file with the following metadata from your SAML identity provider.
  • The location of the single sign-on service
  • The location of the single logout service
  • The location of the service's X.509 certificate
..Configure your SAML provider to provide tokens with the following attribute mappings.
  • email address = "EmailAddress"
  • user name = "UserName"
  • full name = "FullName"
  • user's groups = "Groups"

Let's start on the RSA SecurID side and create the connector, for the configuration we can use the following:

Prepare SAML Metadata XML for vCloud Director

 

After the RSA SecurID application is created we can export the SAML metadata and modify it to be successfully imported into vCloud director. After the application is created you can go back to Application -> My Applications you can click on the drop down menu for the application and click Export Metadata:

 

ac-export-metadata.png

 

By default the XML will look like this:

 

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="vdirector_via">
    <md:IDPSSODescriptor>
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIICsDCCA=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.singlepoint66.com/IdPServlet?idp_id=vdirector_via"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>
For the XML to be valid we need to add two sections the Logout_URL and the Attributes. For the Logout URL we just need to add the following into the XML:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://RSA_VIA_PORTAL_URL/LogoutServlet"/>
In my case it was this:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.singlepoint66.com/LogoutServlet"/>

Adding the Attributes Entries into the SAML XML

We have the list from above of what needs to be included in the XML. There is also a page from vCloud air that talks about these: Enabling and Managing Federation, from that page:

Download the appropriate SAML metadata in XML format from your identity provider. The SAML metadata must provide mappings for the user attributes shown in this XML fragment:

<saml:Attribute
    FriendlyName="Groups"
    Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute
    FriendlyName="givenName"
    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute
    FriendlyName="surname"
    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute
    FriendlyName="Subject Type"
    Name="http://vmware.com/schemas/attr-names/2011/07/isSolution"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute
    FriendlyName="userPrincipalName"
    Name="http://schemas.xmlsoap.org/claims/UPN"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute
    FriendlyName="email"
    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
So I ended up creating the following attributes in the XML:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="EmailAddress" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="FullName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Groups" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UserName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
In the end here is what I ended up with:
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="www.rsa.com">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIICsDCCAZ=</X509Certificate>
                </X509Data>
            </KeyInfo>
       </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                             Location="https://portal.singlepoint66.com/LogoutServlet"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             Location="https://portal.singlepoint66.com/IdPServlet?idp_id=vdirector_via"/>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="EmailAddress" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="FullName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
        <Attribute Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Groups" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
        <Attribute Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UserName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
    </IDPSSODescriptor>
</EntityDescriptor>
NOTE: I also noticed that if the SSL certificates any New Line characters then vCloud Director doesn't like that. So make sure you remove any Carriage Returns from the SSL certificate in the XML. I also had to remove the md and ds prefixes on the XML entries.
Enabling SAML SSO in vCloud Director

 

Now for the fun stuff. Login as a Organization Administrator into vCloud director and you will see the administration tab and the federation option within the administration tab:

vd-admin-tab.png

 

Then check the Use SAML Identity Provider check box and either upload the file or just paste the XML (I just pasted it):

 

paste-xml-vd.png

 

Upon hitting Apply it should accept the configuration. If the XML is mis-formed or missing any fields you will just get a generic message saying:

The provided metadata is not a valid SAML 2.0 metadata document

 

vd-fail-import.png

Add SAML User to vCloud Director

After the federation is enabled there will be a new option under Administration -> Users to import users:

saml-import-users-vd.png

After you click import Users you can then enter a list of SAML users you want to add:

vd-import-users.png

 

As you can see I just added one user called devuser. After it's imported you will see the user under the users section:

 

vd-user-added.png

 

You can see the type for my test user is SAML. If you check out the properties of the user you will see they are empty:

vd-user-properties.png

This is expected since the user hasn't logged into vCloud Director with RSA Via as the IdP. Since we configured the connector to send extended attributes those will be sent in the assertion when the user tries to login.

Logging Directly to vCloud Director After Federation is Enabled

You can still login as a local users. By default if you visit the vCloud_ORG_URL in my case: https://myvcloud.com/cloud/org/via-saml/ then you will be forwarded to the IdP. If you go to vCloud_ORG_URL/login.jsp (in my case https://myvcloud.com/cloud/org/via-saml/login.jsp) then you can still login as local users.

Outcomes