VMware vCloud Director integration with RSA SecurID Access
- Export vCloud Director Metadata
- Configure RSA Via Manually For vCloud Director
- Prepare SAML Metadata XML for vCloud Director
- Adding the Attributes Entries into the SAML XML
- Add SAML User to vCloud Director
- Logging Directly to vCloud Director After Federation is Enabled
This guide explains how to configure vCloud Director as the SP (Service Provider) and RSA Via Access as the IdP (Identity Provider). Before we get started, these are the URL placeholders I will use throughout the guide:
- vCloud_Org_URL: https://VCLOUD_HOST/cloud/org/VCLOUD_ORGANIZATION/ ; for my internal testing it is https://myvcloud.com/cloud/org/via-saml/
- RSA_Via_Portal_URL: https://portal.PDN ; for my internal testing it is https://portal.singlepoint66.com
Export vCloud Director Metadata
You can also export the SP metadata from vCloud Director. The metadata URL is:
- vCloud_ORG_URL/saml/metadata/alias/vcd ; in my case that's https://myvcloud.com/cloud/org/via-saml/saml/metadata/alias/vcd
If you export the metadata you will get something like this:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://myvcloud.com:443/cloud/org/via-saml/saml/metadata/alias/vcd" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIB3T=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIB3TC=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myvcloud.com:443/cloud/org/via-saml/saml/SingleLogout/alias/vcd"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myvcloud.com:443/cloud/org/via-saml/saml/SingleLogout/alias/vcd"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://myvcloud.com:443/cloud/org/via-saml/saml/SingleLogout/alias/vcd"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myvcloud.com:443/cloud/org/via-saml/saml/SSO/alias/vcd" index="0" isDefault="true"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="https://myvcloud.com:443/cloud/org/via-saml/saml/HoKSSO/alias/vcd" hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1" xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
If you import this metadata into RSA SecurID Access, the connector will be configured to encrypt the assertion and to validate the signed AuthN request, but you can get by without either of those. Here is how the import looks:
Configure RSA Via Manually For vCloud Director
The VMware page Enable Your Organization to Use an SAML Identity Provider lists most of the requirements:
Create an XML file with the following metadata from your SAML identity provider...
- The location of the single sign-on service
- The location of the single logout service
- The location of the service's X.509 certificate
Configure your SAML provider to provide tokens with the following attribute mappings.
- email address = "EmailAddress"
- user name = "UserName"
- full name = "FullName"
- user's groups = "Groups"
Let's start on the RSA SecurID side and create the connector. For the configuration we can use the following:
- Connection Flow: IDP-initiated
- Identity Provider URL: RSA_VIA_PORTAL_URL/IdPServlet?idp_id=vdirector_via ; in my case https://portal.singlepoint66.com/IdPServlet?idp_id=vdirector_via
- Issuer Entity ID: www.rsa.com
- ACS URL: vCloud_ORG_URL/saml/SSO/alias/vcd ; in my case https://myvcloud.com/cloud/org/via-saml/saml/SSO/alias/vcd
  - I noticed that in some cases the URL included the HTTPS port, as seen in the exported metadata above; in that case the value used here included the port too.
- Audience Entity ID: vCloud_ORG_URL/saml/metadata/alias/vcd ; in my case https://myvcloud.com/cloud/org/via-saml/saml/metadata/alias/vcd
  - I noticed that in some cases the URL included the HTTPS port, as seen in the exported metadata above; in that case the value used here included the port too.
- NAME_ID
  - Identifier Type: Subject or EmailAddress
  - UserStore: AD
  - Property: mail or sAMAccountName
- Include Certificate in Outgoing Assertion: Yes
- Sign Outgoing Assertion: Assertion within response
- Extended Attributes (Attribute Name: source, User Store, Property):
  - EmailAddress: UserStore, AD, mail
  - FullName: UserStore, AD, cn
  - UserName: UserStore, AD, mail or sAMAccountName
  - Groups: UserStore, AD, virtualGroups
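The connector values above (ACS URL, Audience Entity ID, and whether the SP signs requests or expects an encrypted assertion) can be read straight out of the exported SP metadata rather than typed by hand, which avoids the port mismatch I ran into. Here is an added Python example; it is not part of the original post and not code from RSA or VMware. The SP_METADATA string is a constructed, trimmed copy of the export shown earlier, and strip_default_port and connector_settings are my own names.

```python
"""Derive the RSA SecurID Access connector settings from the SP metadata that
vCloud Director exports.  Added example for this post, not product code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: a trimmed copy of the SP metadata shown in the post
# (certificate values are placeholders, as in the post).
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://myvcloud.com:443/cloud/org/via-saml/saml/metadata/alias/vcd"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB3T=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB3TC=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://myvcloud.com:443/cloud/org/via-saml/saml/SingleLogout/alias/vcd"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
      Location="https://myvcloud.com:443/cloud/org/via-saml/saml/HoKSSO/alias/vcd" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://myvcloud.com:443/cloud/org/via-saml/saml/SSO/alias/vcd" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_default_port(url: str) -> str:
    """Drop an explicit :443 (https) or :80 (http); any other URL is returned unchanged."""
    p = urlsplit(url)
    if p.port is None or p.port != {"https": 443, "http": 80}.get(p.scheme):
        return url
    return urlunsplit((p.scheme, p.hostname, p.path, p.query, p.fragment))


def connector_settings(metadata_xml: str) -> dict:
    """Map the SP metadata onto the RSA SecurID Access connector fields used in the post."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    # ACS URL: the HTTP-POST endpoint, preferring the one flagged isDefault.
    acs = None
    for svc in sp.findall("md:AssertionConsumerService", NS):
        if svc.get("Binding") != POST_BINDING:
            continue
        if acs is None or svc.get("isDefault") == "true":
            acs = svc.get("Location")
    if acs is None:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")

    # Audience Entity ID: the SP's entityID, exactly as published.
    audience = root.get("entityID")
    enc_cert = sp.find(
        "md:KeyDescriptor[@use='encryption']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "acs_url": acs,
        "audience_entity_id": audience,
        # The post notes some exports carry the :443 port; both spellings are returned
        # so the connector can be set to whichever form the SP actually publishes.
        "acs_url_without_port": strip_default_port(acs),
        "audience_without_port": strip_default_port(audience),
        "sp_signs_authn_requests": sp.get("AuthnRequestsSigned") == "true",
        "sp_wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "sp_has_encryption_cert": enc_cert is not None,
    }


if __name__ == "__main__":
    for key, value in connector_settings(SP_METADATA).items():
        print(f"{key}: {value}")
```

The Audience value must match the entityID exactly as vCloud Director publishes it, port included if the export carries one; an assertion whose audience differs from what the SP expects will be rejected at login, which is the failure mode behind the note above.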
Prepare SAML Metadata XML for vCloud Director
After the RSA SecurID application is created we can export its SAML metadata and modify it so that vCloud Director accepts the import. Go back to Application -> My Applications, open the drop-down menu for the application and click Export Metadata:
By default the XML will look like this:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="vdirector_via">
<md:IDPSSODescriptor>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIICsDCCA=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.singlepoint66.com/IdPServlet?idp_id=vdirector_via"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
The export does not include a SingleLogoutService element, so add one (generic form first, then my instance):
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://RSA_VIA_PORTAL_URL/LogoutServlet"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.singlepoint66.com/LogoutServlet"/>
Adding the Attributes Entries into the SAML XML
We have the list from above of what needs to be included in the XML. There is also a vCloud Air page, Enabling and Managing Federation, that covers these attributes; from that page:
Download the appropriate SAML metadata in XML format from your identity provider. The SAML metadata must provide mappings for the user attributes shown in this XML fragment:
<saml:Attribute FriendlyName="Groups" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="givenName" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="surname" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="Subject Type" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="userPrincipalName" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="email" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
The entries for the four attributes vCloud Director expects, using the FriendlyName values from the requirements list above (EmailAddress, FullName, Groups, UserName), are:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="EmailAddress" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="FullName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Groups" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UserName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
With those added, the complete metadata XML becomes:
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="www.rsa.com">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIICsDCCAZ=</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://portal.singlepoint66.com/LogoutServlet"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://portal.singlepoint66.com/IdPServlet?idp_id=vdirector_via"/>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="EmailAddress" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="FullName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Groups" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UserName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
</IDPSSODescriptor>
</EntityDescriptor>
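The two hand edits just described (adding the SingleLogoutService entry to the RSA export, then adding the four Attribute entries) can be scripted and checked before the XML is pasted into vCloud Director, which turns the generic "not a valid SAML 2.0 metadata document" rejection into a named list of what is missing. Here is an added Python example; it is not part of the original post and not code from RSA or VMware. The RSA_EXPORT string is a constructed copy of the default export shown above, the attribute list mirrors the final XML, and missing_for_vcd, prepare_for_vcd and idp_child_tags are my own names.

```python
"""Prepare the metadata exported by RSA SecurID Access for import into
vCloud Director and check it against the items the VMware docs require.
Added example for this post, not product code from RSA or VMware."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"md": MD, "ds": DS, "saml": SAML}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# FriendlyName -> Name, taken from the final metadata in the post.
VCD_ATTRIBUTES = {
    "EmailAddress": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "FullName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Groups": "http://rsa.com/schemas/attr-names/2009/01/GroupIdentity",
    "UserName": "http://schemas.xmlsoap.org/claims/UPN",
}

# Constructed sample: a trimmed copy of the default export shown in the post.
RSA_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="vdirector_via">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIICsDCCA=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://portal.singlepoint66.com/IdPServlet?idp_id=vdirector_via"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def missing_for_vcd(metadata_xml: str) -> list:
    """Items from the VMware requirements list that the metadata lacks (empty list = ready)."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["IDPSSODescriptor"]
    missing = []
    if idp.find("md:SingleSignOnService", NS) is None:
        missing.append("SingleSignOnService")
    if idp.find("md:SingleLogoutService", NS) is None:
        missing.append("SingleLogoutService")
    if idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        missing.append("signing X509Certificate")
    present = {a.get("FriendlyName") for a in idp.findall("saml:Attribute", NS)}
    missing.extend(f"Attribute {name}" for name in VCD_ATTRIBUTES if name not in present)
    return missing


def prepare_for_vcd(metadata_xml: str, logout_url: str) -> str:
    """Add what vCloud Director needs: protocol enumeration, SLO endpoint, attribute entries."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    idp.set("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol")
    if idp.find("md:SingleLogoutService", NS) is None:
        slo = ET.Element(f"{{{MD}}}SingleLogoutService", Binding=REDIRECT_BINDING, Location=logout_url)
        # The metadata schema orders SingleLogoutService before NameIDFormat and
        # SingleSignOnService, so insert it ahead of the first of those.
        later = {f"{{{MD}}}NameIDFormat", f"{{{MD}}}SingleSignOnService"}
        pos = next((i for i, child in enumerate(idp) if child.tag in later), len(idp))
        idp.insert(pos, slo)
    present = {a.get("FriendlyName") for a in idp.findall("saml:Attribute", NS)}
    for friendly, name in VCD_ATTRIBUTES.items():
        if friendly not in present:
            # Attribute elements come last in IDPSSODescriptor, so appending is schema-correct.
            ET.SubElement(idp, f"{{{SAML}}}Attribute",
                          Name=name, NameFormat=URI_NAME_FORMAT, FriendlyName=friendly)
    return ET.tostring(root, encoding="unicode")


def idp_child_tags(metadata_xml: str) -> list:
    """Local names of IDPSSODescriptor's children in document order (for order checks)."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    return [child.tag.split("}")[-1] for child in root.find("md:IDPSSODescriptor", NS)]


if __name__ == "__main__":
    print(missing_for_vcd(RSA_EXPORT))
    print(prepare_for_vcd(RSA_EXPORT, "https://portal.singlepoint66.com/LogoutServlet"))
```

The serialized result uses md:/saml: prefixes where the hand-edited file above uses a default namespace; both parse to the same elements. The one thing worth watching is element order: the metadata schema places SingleLogoutService before NameIDFormat, which is where the final XML above also has it, and a schema-validating importer will reject a file that appends it at the end.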
Now for the fun stuff. Log in to vCloud Director as an Organization Administrator; you will see the Administration tab, and the Federation option within it:
Then check the Use SAML Identity Provider check box and either upload the file or just paste the XML (I just pasted it):
Upon hitting Apply it should accept the configuration. If the XML is malformed or missing any required fields you will only get a generic message saying:
The provided metadata is not a valid SAML 2.0 metadata document
Add SAML User to vCloud Director
After federation is enabled there will be a new option under Administration -> Users to import users:
After you click Import Users you can enter a list of SAML users you want to add:
As you can see I just added one user called devuser. After it's imported you will see the user under the Users section:
You can see the type of my test user is SAML. If you check the properties of the user you will see they are empty:
This is expected, since the user hasn't yet logged in to vCloud Director with RSA Via as the IdP. Because we configured the connector to send extended attributes, those will be carried in the assertion when the user logs in.
Logging Directly to vCloud Director After Federation is Enabled
You can still log in as a local user. By default, if you visit the vCloud_ORG_URL (in my case https://myvcloud.com/cloud/org/via-saml/) you will be forwarded to the IdP. If you go to vCloud_ORG_URL/login.jsp instead (in my case https://myvcloud.com/cloud/org/via-saml/login.jsp) you can still log in as a local user.