So today I will show you how to setup vCloud SAML authentication using Azure AD. You can also use on prem AD’s with ADFS but I do not have that available at the moment. And as Azure AD services get used more and more I figured this would be a nice thing to try.
So lets get started shall we? First of let me tell you the components involved that I used to make this setup work:
- vCloud Directory 10.0.0.15449638
- Azure AD Premium P2
Setting up Azure AD
Adding an Enterprise application
First lets get started with configuring Azure AD. Once I am logged in to the Azure portal I will have to add an Enterprise application. To do so I have to go over to “Azure Active Directory‘” and select “Enterprise applications“.
Now I click on “New application” and I select “Non-galery application”.
Next I give the application a name and click on “Add” to add the application.
In the new window that opens I have to complete a couple of steps to get things up and running.
Adding users and or groups
First I add the user that will be able to login to vCloud. If you do not have a user created yet now is the time to do this.
I already have a user created so I simply add the user by clicking on “Assing users and groups”.
And now I Add the user
Setting up Single sign on
Next up I have to setup Single sign on.
I now select “SAML” to actually start the SAML configuration.
In the newly opened setup page I need to add the metadate information from vCloud. This information is something that I can find in vCloud director so lets open up vCloud and go to Administration –> Identity providers –> SAML
Now I will add the identity ID by clicking “Edit” and filling out the vCloud tenant URL as the id like so:
After I click on save I can download the Metadata by clicking on the Metadate link.
Now I have to go back to the Azure portal and upload the Metadata information I just downloaded.
Now I need to add some user/group parameters that vCloud can validate (see the VMware vCloud documentation for more info). I do this by clicking on the “User Attributes & Claims” edit button.
Here I have to add some additional claims. So I click on “Add new claim” and I add the “user.assignedroles” claim
Next up is user.email (this will be the second user.email claim).
And finally I have to add a “Group claim“.
Now All i need to do is download the Azure AD metadata and import it into vCloud.
To do so I go back to the “SIngle Sign on with SAML” by clicking on the link in Azure.
Now download the “Federation Metadata XML” file.
Setting up vCloud
So now that I am all done with the Azure AD part I can finally get vCloud ready.
To do this I need to go back to the SAML configuration page I visited earlier and upload the metadata file I just downloaded.
Now all that is left to do for me is to add the user I created earlier and see if I can login to vCloud using Azure AD.
To do so I go to “Users” and select “Import Users“
Now I have to add the user I created earlier in the Azure AD like so:
Testing the login
Yes success !! I am able to login to vCloud using SAML authentication with Azure AD as the authentication source.
If you need to login without SAML authentication just go the the vCloud tenant URL and add /login to the end of the URL.
Group authentication not working
I also tried to use groups instead of users but I run into SSO problems with vCloud, I keep getting SSO authentication failed returns from vCloud.
If you have any suggestions or ideas on how to also authorise groups please leave a command down below so I can try to make it work with not only Users but also with Groups from Azure AD.
If you like this article and want to know more about vCloud please have a look at our other vCloud related articles by clicking here.