Use a SAML Identity Provider for the Performance Cloud VMware portal
- Summary
- Description
- Prerequisites
- Procedure
- Scenario 1 - Azure AD (with Azure AD Connect and security groups assignments)
- Scenario 2 - Azure AD Free and user assignments (without Azure AD Connect and security group assignments)
- Bypass the SAML Identity Provider authentication
Summary
This KB describes how to add a SAML (Security Assertion Markup Language) Identity Provider, such as Azure Active Directory (Azure AD), to the Performance Cloud VMware portal in order to enable single sign-on (SSO).
Description
Single sign-on is an authentication method that lets users sign in to multiple independent software systems with one set of credentials. With SSO, a user does not have to sign in separately to every application and does not need a different set of credentials for each one.
For more information about single sign-on with Azure Active Directory, here is the official Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on
To use a SAML identity provider other than Azure AD, see the general prerequisites below.
Prerequisites
General Prerequisites:
- Verify that you have access to a SAML 2.0 compliant identity provider (such as Azure AD).
- Obtain an XML metadata file from your SAML identity provider containing:
- The location of the single sign-on service
- The location of the single logout service
- The X.509 certificate the identity provider uses to sign assertions (the metadata embeds it; the portal uses it to validate assertion signatures)
For information on configuring a SAML provider and obtaining its metadata, consult your provider's documentation and, if needed, the VMware documentation: https://docs.vmware.com/en/VMware-Cloud-Director/10.4/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-89329614-343E-44AC-9AD3-90A3119D970B.html
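To check that an identity provider's metadata file actually carries the three items listed above before uploading it to the portal, here is an added Python example (written for this page; it is not part of this KB, of VMware Cloud Director or of Microsoft's tooling). It uses only the standard library. The embedded metadata is a constructed sample shaped like the Azure AD Federation Metadata XML download; the tenant ID and the certificate bytes are placeholders, not real values.

```python
"""Check a SAML 2.0 IdP metadata file for the items the prerequisites list.

Added example for this KB page, not VMware or Microsoft code. Standard library
only. SAMPLE_METADATA is a constructed sample shaped like the Azure AD
"Federation Metadata XML"; FAKE_TENANT and FAKE_CERT_DER are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed placeholder: a DER SEQUENCE header followed by zero bytes, so the
# sample decodes and hashes like a certificate without being a real one.
FAKE_CERT_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + b"\x00" * 266
FAKE_TENANT = "00000000-0000-0000-0000-000000000000"

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{FAKE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/{FAKE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entityID, SSO/SLO endpoints and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML metadata EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")

    def endpoints(tag):
        return [(e.get("Binding"), e.get("Location")) for e in idp.findall(tag, NS)]

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":    # no 'use' means signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()), validate=True)
            if not der.startswith(b"\x30"):           # an X.509 cert is a DER SEQUENCE
                raise ValueError("X509Certificate content is not DER")
            fingerprints.append(hashlib.sha256(der).hexdigest())

    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
        "signing_cert_sha256": fingerprints,
    }


def check_prerequisites(info):
    """Return the list of missing items; an empty list means the file is usable."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not any(b in SAML2_BINDINGS and (loc or "").startswith("https://")
               for b, loc in info["sso"]):
        problems.append("no HTTPS SingleSignOnService with a SAML 2.0 binding")
    if not info["slo"]:
        problems.append("no SingleLogoutService (logout will not be propagated)")
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate (assertions cannot be verified)")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for binding, location in info["sso"]:
        print("SSO:", (binding or "?").rsplit(":", 1)[-1], location)
    for fp in info["signing_cert_sha256"]:
        print("signing cert SHA-256:", fp)
    print("problems:", check_prerequisites(info) or "none")
```

Run it against the real download with parse_idp_metadata(open(path).read()). Keep a note of the signing-certificate fingerprint: when the identity provider rolls its signing certificate, the portal's SAML configuration has to be updated with fresh metadata, or assertion signatures stop validating and nobody can log in through SSO.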
Azure Active Directory prerequisites
Important Note: Azure AD can be used as a SAML Identity Provider for the Performance Cloud VMware portal without Azure AD Connect and with the Azure AD Free license. However, some limitations apply (details below). Both scenarios are presented in the Procedure section.
Requirements for assigning access through security groups (Scenario 1):
- An Active Directory domain synchronized with Azure AD Connect 1.2.70.0 or later. Microsoft's documentation on upgrading Azure AD Connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version
- Azure AD Premium, which is required to assign security groups to the enterprise application and to create Conditional Access policies.
Some Microsoft 365 plans include Azure AD Premium. To check your current license, log in to the Azure portal and open Azure Active Directory; the license is shown on the overview page. If it shows Azure AD Free, contact your account manager to obtain the required license.
Procedure
The examples below use Azure Active Directory to access the Performance Cloud VMware portal.
For more information or a different setup, see the official Microsoft documentation:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso
Scenario 1 - Azure AD (with Azure AD Connect and security groups assignments)
Security group creation in Active Directory:
1. Log in to your domain controller (DC) (or any computer/server with the proper administrative tools and credentials) and open the Active Directory Users and Computers console.
2. Create a new security group in your Active Directory domain, in an Organizational Unit (OU) that is within the Azure AD Connect synchronization scope.
3. Add the required members to the group (those who will access the Performance Cloud VMware portal).
4. Wait for the Azure AD Connect synchronization to complete, or force it.
How to force Azure AD Connect to sync: on the server running Azure AD Connect, open a PowerShell session and run the Start-ADSyncSyncCycle cmdlet with the PolicyType parameter set to Delta. Before continuing, confirm that the new group is listed under Azure Active Directory > Groups in the Azure portal.
Performance Cloud VMware setup:
1. Log in to the Performance Cloud VMware portal using your credentials.
2. Go to Administration.
3. In the left panel, under Identity Providers, click SAML, then click CONFIGURE.
4. In the new window, click Retrieve Metadata to download the portal's service-provider metadata file.
Keep the Performance Cloud VMware portal opened for a later step.
Azure Active Directory setup:
1. Log in to the Azure portal as a user with one of the following roles: Global Administrator, Cloud Application Administrator or Application Administrator, or as an owner of the application's service principal.
2. Navigate to the Azure Active Directory section, then to the Enterprise applications section.
3. Add a new application.
4. Click Create your own application, enter an application name, select the Non-gallery option and click Create.
5. In the new application, open Users and groups and assign the synchronized security group so that its members can access the application.
6. Still in the application, go to Single sign-on and select SAML to open the SSO configuration page.
7. Click Upload metadata file.
8. Browse to the metadata file downloaded from the Performance Cloud VMware portal and click Add.
On the next screen, copy the Identifier (Entity ID) value and save it for a later step. Then click Save.
9. Edit the attributes and claims so that they match the following.
a) Remove the surname claim.
b) Change the source attribute of the emailaddress claim from user.mail to user.userprincipalname.
c) Rename the claim called "name" to "UserName" (its source stays user.userprincipalname, so the portal receives the UPN as the user name).
d) Click Add a group claim, fill in the fields as shown below, then click Save.
10. Back on the SAML-based Sign-on page, download the Federation Metadata XML from the SAML Signing Certificate section.
11. OPTIONAL: set up Conditional Access to tighten security (adjust it to your needs).
In Azure Active Directory, go to Security, then Conditional Access.
Click New policy, then Create new policy.
Name the policy (for example vCloud-TokenLifeTime), select the Performance Cloud VMware application, set the Sign-in frequency session control to 2 hours, enable the policy and click Create.
Performance Cloud VMware – Final Steps
12. Go back to the Performance Cloud VMware portal.
13. Enter the Identifier (Entity ID) value saved in step 8 in the field named Entity ID.
14. Go to the Identity Provider tab and enable the Use SAML Identity Provider feature.
15. Click SELECT METADATA XML FILE, then browse to and select the Federation Metadata XML file you downloaded from the Azure portal.
16. Click SAVE.
17. In the left panel, under Access Control, go to Groups and click IMPORT GROUPS.
18. Enter the name of the security group created earlier (exactly as the group claim sends it, since the portal matches imported group names against that value), assign the Organization Administrator role for "Full Control" permissions and click SAVE.
19. OPTIONAL – Quotas can also be put in place
Select the group and click on SET QUOTA
Click on ADD and set the desired quota. Then click on SAVE.
At this point, the Performance Cloud VMware portal login should show the Microsoft sign-in page instead of the VMware Cloud Director login box, and a user who is a member of the authorized group should be able to log in.
- Without the SAML Identity Provider feature enabled:
- With the SAML Identity Provider feature enabled:
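To confirm that the claim mapping from step 9 reaches the portal as intended, the following added Python example (written for this page; it is not part of this KB or of VMware Cloud Director) audits a decoded SAML Response captured with a browser SAML tracer or Azure AD's Test button. The embedded response is a constructed sample with placeholder tenant, user and group; the claim names for emailaddress, surname and groups are Azure AD's defaults and are assumed here because the screenshot of the group claim settings is not reproduced in this KB.

```python
"""Audit a decoded SAML Response against the claim mapping this KB configures.

Added example for this KB page, not VMware or Microsoft code. SAMPLE_RESPONSE is
a constructed sample: tenant, user and group are placeholders and the XML
signature is omitted because this check inspects attributes only (verifying the
signature is the portal's job). Claim names are Azure AD defaults (assumption).
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_CLAIM = CLAIMS + "emailaddress"
SURNAME_CLAIM = CLAIMS + "surname"
# Assumption: the group claim added in step 9d keeps Azure AD's default name.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

FAKE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/{FAKE_TENANT}/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/{FAKE_TENANT}/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="UserName"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{GROUP_CLAIM}"><saml:AttributeValue>VCD-Admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attributes(xml_text):
    """Map every attribute Name in the Assertion to its list of values."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion found; is the response encrypted or an error response?")
    out = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out


def audit_assertion(xml_text, expected_upn, expected_group):
    """Return a list of findings; an empty list means the claims match the KB."""
    attrs = attributes(xml_text)
    findings = []
    # Step 9c: the renamed "UserName" claim is the user name the portal reads.
    if attrs.get("UserName") != [expected_upn]:
        findings.append(f"UserName claim is {attrs.get('UserName')}, expected [{expected_upn!r}]")
    # Step 9b: emailaddress must carry the UPN, not user.mail.
    if attrs.get(EMAIL_CLAIM) != [expected_upn]:
        findings.append("emailaddress claim does not carry the UPN")
    # Step 9a: surname was removed from the mapping.
    if SURNAME_CLAIM in attrs:
        findings.append("surname claim is still sent")
    # Step 9d: the group claim must carry the name imported into the portal.
    groups = attrs.get(GROUP_CLAIM, [])
    if not groups:
        findings.append("no group claim; group-based access in the portal will not work")
    elif expected_group not in groups:
        if all(GUID_RE.match(g) for g in groups):
            findings.append("group claim sends object IDs; choose a name-based source attribute")
        else:
            findings.append(f"group {expected_group!r} missing from {groups}")
    return findings


def audit_encoded(saml_response_b64, expected_upn, expected_group):
    """Same check on the Base64 SAMLResponse form parameter as posted to the portal."""
    xml_text = base64.b64decode(saml_response_b64).decode()
    return audit_assertion(xml_text, expected_upn, expected_group)


if __name__ == "__main__":
    print(audit_assertion(SAMPLE_RESPONSE, "jane.doe@example.com", "VCD-Admins") or "claims OK")
```

The object-ID check matters in practice: Azure AD's group claim sends group object IDs unless a name-based source attribute is selected, and the portal's IMPORT GROUPS step matches on the group name, so a mismatch there produces a login that succeeds at Microsoft but is refused by the portal.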
Scenario 2 - Azure AD Free and user assignments (without Azure AD Connect and security group assignments)
Performance Cloud VMware setup:
1. Log in to the Performance Cloud VMware portal using your credentials.
2. Go to Administration.
3. In the left panel, under Identity Providers, click SAML, then click CONFIGURE.
4. In the new window, click Retrieve Metadata to download the portal's service-provider metadata file.
Keep the Performance Cloud VMware portal opened for a later step.
Azure Active Directory Setup:
1. Log in to the Azure portal as a user with one of the following roles: Global Administrator, Cloud Application Administrator or Application Administrator, or as an owner of the application's service principal.
2. Navigate to the Azure Active Directory section, then to the Enterprise applications section.
3. Add a new application.
4. Click Create your own application, enter an application name, select the Non-gallery option and click Create.
5. In the new application, open Users and groups and assign the users who will connect to the Performance Cloud VMware portal.
6. Still in the application, go to Single sign-on and select SAML to open the SSO configuration page.
7. Click Upload metadata file.
8. Browse to the metadata file downloaded from the Performance Cloud VMware portal and click Add.
On the next screen, copy the Identifier (Entity ID) value and save it for a later step. Then click Save.
9. Edit the attributes and claims so that they match the following.
a) Remove the surname claim.
b) Change the source attribute of the emailaddress claim from user.mail to user.userprincipalname.
c) Rename the claim called "name" to "UserName" (its source stays user.userprincipalname, so the portal receives the UPN as the user name).
10. Back on the SAML-based Sign-on page, download the Federation Metadata XML from the SAML Signing Certificate section.
Performance Cloud VMware – Final Steps
11. Go back to the Performance Cloud VMware portal.
12. Enter the Identifier (Entity ID) value saved in step 8 in the field named Entity ID.
13. Go to the Identity Provider tab and enable the Use SAML Identity Provider feature.
Then click SELECT METADATA XML FILE, browse to and select the Federation Metadata XML file you downloaded from the Azure portal.
14. Click SAVE.
15. In the left panel, under Access Control, go to Users and click IMPORT USERS.
16. Enter the user names in email format for the users who will connect to the Performance Cloud VMware portal. Each name must match the user's UPN exactly, since that is the value the UserName claim carries. Assign the Organization Administrator role for "Full Control" permissions and click SAVE.
17. OPTIONAL – Quotas can also be put in place for users.
Select the user and click on SET QUOTA
Click on ADD and set the desired quota. Then click on SAVE.
At this point, the Performance Cloud VMware portal login should show the Microsoft sign-in page instead of the VMware Cloud Director login box, and an authorized user should be able to log in.
- Without the SAML Identity Provider feature enabled:
- With the SAML Identity Provider feature enabled:
Bypass the SAML Identity Provider authentication
Once the SAML configuration is in place, it is still possible to authenticate to the portal with local users. To do so, use the following URL, replacing [orgname] with the organization name you were given:
- USA: https://performancecloud-vdcusa.sherweb.com/tenant/[orgname]/login
- Canada: https://performancecloud-vdc.sherweb.com/tenant/[orgname]/login
The login screen reached this way offers authentication with local credentials even though a SAML Identity Provider is configured. Because local accounts remain valid, keep them to the minimum needed (for example, one break-glass administrator), give them strong unique passwords and review them periodically: the controls applied in Azure AD, such as Conditional Access, do not cover these local logins.