vCloud SAML authentication using Azure AD

Posted on May 7, 2020

Today I will show you how to set up vCloud SAML authentication using Azure AD. You can also use an on-premises AD with ADFS, but I do not have that available at the moment, and as Azure AD services get used more and more I figured this would be a nice thing to try.

So let's get started, shall we? First of all, here are the components I used to make this setup work:

  • vCloud Director 10.0.0.15449638
  • Azure AD Premium P2

Table of Contents

  • Setting up Azure AD
      • Adding an Enterprise application
      • Adding users and or groups
      • Setting up Single sign on
  • Setting up vCloud
  • Testing the login
  • Group authentication not working

Setting up Azure AD

Adding an Enterprise application

First, let's get started with configuring Azure AD. Once I am logged in to the Azure portal I have to add an Enterprise application. To do so I go to “Azure Active Directory” and select “Enterprise applications”.

Now I click on “New application” and select “Non-gallery application”.

Next I give the application a name and click on “Add” to add the application.

In the new window that opens I have to complete a couple of steps to get things up and running.

Adding users and or groups

First I add the user that will be able to log in to vCloud. If you do not have a user created yet, now is the time to do this.
I already have a user created, so I simply add the user by clicking on “Assign users and groups”.

And now I add the user.

As you can see, I added the user “VCD”.

Setting up Single sign on

Next up I have to setup Single sign on.

I now select “SAML” to actually start the SAML configuration.

In the newly opened setup page I need to add the metadata information from vCloud. This information is something that I can find in vCloud Director, so let's open up vCloud and go to Administration –> Identity providers –> SAML

Now I add the entity ID by clicking “Edit” and filling in the vCloud tenant URL as the ID, like so:

After I click on Save I can download the metadata by clicking on the Metadata link.

Now I have to go back to the Azure portal and upload the Metadata information I just downloaded.

In the newly opened config screen I entered the location of the previously downloaded file and clicked “Add”.


Now I need to add some user/group parameters that vCloud can validate (see the VMware vCloud documentation for more info). I do this by clicking on the “User Attributes & Claims” edit button.


Here I have to add some additional claims. So I click on “Add new claim” and add the “user.assignedroles” claim:

Fill in the “Name” for the claim: Roles
Fill in the “Namespace” for the claim: http://schemas.xmlsoap.org/ws/2005/05/Roles
Select user.assignedroles from the drop-down menu for “Source attribute” and click “Save”

Next up is user.email (this will be the second user.email claim).


Fill in the “Name” for the claim: Username
Fill in the “Namespace” for the claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UserName
Select user.email from the drop-down menu for “Source attribute” and click “Save”

And finally I have to add a “Group claim”.

Select “All groups” and click “Save”



Now all I need to do is download the Azure AD metadata and import it into vCloud.
To do so I go back to “Single Sign-on with SAML” by clicking on the link in Azure.

Now download the “Federation Metadata XML” file.


Setting up vCloud

So now that I am all done with the Azure AD part I can finally get vCloud ready.

To do this I need to go back to the SAML configuration page I visited earlier and upload the metadata file I just downloaded.

Administration –> Identity providers –> SAML –> Identity provider –> Enable the check box –> Upload metadata file –> Save

Now all that is left to do for me is to add the user I created earlier and see if I can login to vCloud using Azure AD.

To do so I go to “Users” and select “Import Users”.

Now I have to add the user I created earlier in the Azure AD like so:

Enter the user name and select the Role for the user

Testing the login

Yes, success! I am able to log in to vCloud using SAML authentication with Azure AD as the authentication source.

If you need to log in without SAML authentication, just go to the vCloud tenant URL and add /login to the end of the URL.

Group authentication not working

I also tried to use groups instead of users, but I ran into SSO problems with vCloud: I keep getting “SSO authentication failed” responses from vCloud.

If you have any suggestions or ideas on how to also authorise groups, please leave a comment down below so I can try to make it work not only with users but also with groups from Azure AD.
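When the login fails with a generic “SSO authentication failed”, the quickest way to find out why is to look at the attribute names the IdP actually put in the assertion (a browser SAML-tracer extension or the Azure AD sign-in test gives you the decoded XML) and compare them, exactly and case-sensitively, with what vCloud is configured to expect. The following added example (my own code, not from the post or VMware) does that comparison and flags near-misses, such as a group claim that was left at Azure AD's default name instead of being renamed. The expected attribute names are an assumption taken from the claim configuration that the comments on this page report as working; check them against the VMware vCloud Director documentation for your version. The sample assertion, the group object ID and the role value are constructed.

```python
"""Compare the attributes in a SAML assertion with the attribute names vCloud expects.

Added example (not code from the blog post or VMware). Standard library only.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: attribute names as they appear in the working configuration reported in the
# comments on this page. Confirm them against the VMware vCloud Director documentation.
EXPECTED_CLAIMS = [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UserName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/Roles",
    "Groups",
]


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} from every AttributeStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def _local_name(name: str) -> str:
    """'http://.../claims/groups' -> 'groups'; a bare name is returned unchanged."""
    return name.rstrip("/").rsplit("/", 1)[-1]


def check_claims(attrs: dict, expected=EXPECTED_CLAIMS) -> dict:
    """Report which expected names are present, which are missing, and likely near-misses.

    A near-miss is an attribute that matches an expected name only when case is ignored or
    only in its last path segment, i.e. a claim that was sent under the wrong name or namespace.
    """
    present = [name for name in expected if name in attrs]
    missing = [name for name in expected if name not in attrs]
    near_misses = {}
    for want in missing:
        for got in attrs:
            if got.lower() == want.lower() or _local_name(got).lower() == _local_name(want).lower():
                near_misses.setdefault(want, got)
    return {"present": present, "missing": missing, "near_misses": near_misses}


# Constructed sample assertion (signature and conditions omitted). The tenant ID and group
# object ID are placeholders; the group claim deliberately still carries Azure AD's default
# name rather than the customised name "Groups".
PLACEHOLDER_GROUP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2020-05-07T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vcd@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UserName">
      <saml:AttributeValue>vcd@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/Roles">
      <saml:AttributeValue>Organization Administrator</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>{PLACEHOLDER_GROUP_ID}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    report = check_claims(attrs)
    for name in report["present"]:
        print(f"present : {name} = {attrs[name]}")
    for name in report["missing"]:
        hint = report["near_misses"].get(name)
        print(f"missing : {name}" + (f"  (IdP sent '{hint}' instead)" if hint else ""))
```

Run against the sample, the report shows UserName and Roles as present and Groups as missing, with the hint that the IdP sent the default `.../claims/groups` name instead. That is exactly the case the comments describe: rename the group claim to “Groups” in Azure AD (case matters) and import the group into vCloud by its object ID, which is the value carried in the claim.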

If you like this article and want to know more about vCloud please have a look at our other vCloud related articles by clicking here.

4 thoughts on “vCloud SAML authentication using Azure AD”

  1. Jitse Hijlkema says:
    May 8, 2020 at 4:29 pm

    Thanks for your article.
    I configured this as test-case and your instructions were very helpful.
    After setting up I also tried to use Groups but that’s not working because of unrecognizable Groups SAML return attribute.
    I didn't find a way to get the SAML response from Azure right, but found a ‘workaround’:

    To prevent ‘pre-staging’ users in vCD you can create a group, like ‘Admins’ in vCD with the correct role.
    When you configure Azure to send the attribute ‘Groups’ with value “Admins” you’re done.

    Now you can assign the Azure application to users without having to create users inside vCD by hand.

    1. Arjen Kloosterman says:
      October 22, 2020 at 8:01 am

      Thanks Jitse, I will give this a try.

      Glad the article was useful.

  2. Petri Uusitalo says:
    May 22, 2020 at 6:03 pm

    Customize the name of the group claim to “Groups” in Azure AD (it’s case sensitive).

    Then import group object id instead of group name in vCloud.

  3. Pascal Saul says:
    February 26, 2021 at 2:47 pm

    @Arjan: after long debugging I found out that not all information in the blog is copy & paste proof.

    @Petri: indeed, well found

    User Attributes & Claims:
    Groups => user.groups
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UserName => user.mail
    http://schemas.xmlsoap.org/ws/2005/05/identity/Roles => user.assignedroles

    Group Claims
    Customize the name of the group claim: Groups

    Manage claim
    Name: UserName
    Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
    Source attribute: user.mail

    Name: Roles
    Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity
    Source attribute: user.assignedroles

    You can individually import a user based on email address or import the group by the Azure “Object Id”. After logging in for the first time, a user who is in the group will automatically be added under Users as well.

    I must admit that the VMware documentation is quite poor. Everything works now at last 🙂
