Use a SAML Identity Provider for the Performance Cloud VMware portal

Summary

This KB describes the steps to add a SAML (Security Assertion Markup Language) Identity Provider, such as Azure Active Directory (Azure AD), to the Performance Cloud VMware portal in order to use single sign-on (SSO) authentication.

Description

Single sign-on is an authentication method that allows users to sign in using one set of credentials to multiple independent software systems. Using SSO means a user doesn’t have to sign in to every application they use. With SSO, users can access all needed applications without being required to authenticate using different credentials.

For more information about single sign-on with Azure Active Directory, here is the official Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on


To use a SAML identity provider other than Azure AD, see the general prerequisites below.

Prerequisites 

General prerequisites:

  • Verify that you have access to a SAML 2.0-compliant identity provider (Azure AD, for example).
  • Obtain the metadata XML file from your SAML identity provider. It must contain:
    1. The location of the single sign-on service
    2. The location of the single logout service
    3. The service’s X.509 signing certificate


For information on configuring and acquiring metadata from an SAML provider, consult the documentation for your SAML provider and the VMware documentation if needed: https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-89329614-343E-44AC-9AD3-90A3119D970B.html
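Before uploading an identity provider's metadata file to the portal, it is worth confirming that the file really carries the three items listed above. The following Python script is an added example (it is not part of this KB, nor VMware or Microsoft tooling) that parses a metadata file and reports the single sign-on and single logout locations and the signing certificate, refusing files with missing or non-HTTPS endpoints or files that are actually the portal's own service-provider metadata. The sample metadata embedded in it is constructed for the demo: the tenant ID is all zeros, the URLs are placeholders and the certificate body is a short base64 stand-in rather than a real certificate.

```python
"""Sanity-check a SAML 2.0 identity provider metadata file before uploading it.

Added example, not part of this KB or of VMware/Microsoft tooling. It confirms
the metadata carries what the prerequisites require: a single sign-on location,
a single logout location and a signing X.509 certificate, all over HTTPS.
The embedded sample is constructed: zero tenant ID, placeholder URLs and a
short base64 stand-in where Azure AD would embed the real certificate.
"""
import base64
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an Azure AD "Federation Metadata XML" download.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBzzCCAXg=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Return entityID, endpoints by binding and the number of signing certificates.

    Raises ValueError describing the first problem found, so the file can be
    fixed (or the right file chosen) before it is uploaded to the portal.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # An SPSSODescriptor here means the portal's own (service provider) metadata was picked by mistake.
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    if not sso:
        raise ValueError("SingleSignOnService location missing")
    if not slo:
        raise ValueError("SingleLogoutService location missing")
    for url in list(sso.values()) + list(slo.values()):
        if urlparse(url or "").scheme != "https":
            raise ValueError("endpoint is not https: %r" % url)
    signing = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if not der or der[0] != 0x30:  # a DER certificate always starts with SEQUENCE
                raise ValueError("signing certificate is not a DER-encoded certificate")
            signing += 1
    if not signing:
        raise ValueError("no signing X.509 certificate in a KeyDescriptor")
    return {"entity_id": entity_id, "sso": sso, "slo": slo, "signing_certs": signing}


def is_valid_idp_metadata(xml_text: str) -> bool:
    """True when the metadata passes every check above, False otherwise."""
    try:
        check_idp_metadata(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    # Usage: python check_metadata.py FederationMetadata.xml (runs on the sample without an argument)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(check_idp_metadata(text))
```

The script only checks the structure of the file; it does not validate the certificate chain or expiry, which the identity provider manages on its side. Run it against the Federation Metadata XML downloaded from Azure AD, not against the metadata file downloaded from the portal itself.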


Azure Active Directory prerequisites


Important Note: Azure AD can be used as a SAML Identity Provider to log in to the Performance Cloud VMware portal without Azure AD Connect and with the Azure AD Free license. However, some limitations apply (details below). Both scenarios are presented in the Procedure section.
 

Assigning an enterprise application to a security group (Scenario 1 below) requires an Azure AD Premium license; with Azure AD Free, users must be assigned to the application individually (Scenario 2 below).

Some Microsoft 365 services include Azure AD Premium. To validate your current Azure AD license, log in to the Azure portal and navigate to Azure Active Directory. If you see the Azure AD Free license, contact your account manager to obtain the license that enables all the features described here.

Procedure

The examples below use Azure Active Directory to access the Performance Cloud VMware portal.

For more information or a different setup, see the official Microsoft documentation:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal


https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-users


https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso

 

Scenario 1 - Azure AD (with Azure AD Connect and security groups assignments)


Security group creation in Active Directory:

 

1. Log in to your domain controller (DC) (or any computer/server with the proper administrative tools and credentials) and open the Active Directory Users and Computers console.
 

2. Create a new security group in your Active Directory domain, in an Organizational Unit (OU) that is included in the Azure AD Connect sync scope.



 

3. Add the required members to the group (those who will access the Performance Cloud VMware portal).
 

4. Wait for the Azure AD Connect sync to complete or force the sync.


How to force Azure AD Connect to sync:

https://techcommunity.microsoft.com/t5/itops-talk-blog/powershell-basics-how-to-force-azuread-connect-to-sync/ba-p/887043

 

Performance Cloud VMware setup: 


1. Log in to the Performance Cloud VMware portal using your credentials.
 

2. Go to Administration.

 

3. In the left panel, under Identity Providers, click SAML.


 

4. Then, click on the link to download the metadata XML file.



Keep the Performance Cloud VMware portal open for a later step.

 

Azure Active Directory setup:


1. Log in to the Azure portal (using a user with one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal).
 

2. Navigate to the Azure Active Directory section, then to the Enterprise applications section.



 



 

  

3. Add a new application.





4. Click Create your own application, enter an application name, select the Non-gallery option and click Create.




5. In the new application, assign the new group so the group members can access the application.






6. Navigate back to your application, go to the Single sign-on section, and select SAML to open the SSO configuration page.


 

7. Click Upload metadata file.


 

8. Then browse for the metadata file downloaded from the Performance Cloud VMware portal and click on Add.

 

On the next screen, copy the Identifier (Entity ID) value and save it for a later step. Then click Save.

 

9. Edit the claims as follows.

    a) Remove the claim for “surname”.

    b) Change the source attribute of the “emailaddress” claim from user.mail to user.userprincipalname.

    c) Rename the “name” claim to UserName.

    d) Click Add a group claim, fill in the fields as shown, then click Save.


 

10. Go back to the SAML settings of the enterprise application and click Download next to Federation Metadata XML (in the SAML Signing Certificate section).



 

11. OPTIONAL – Add a Conditional Access policy to improve security (personalize as needed).

Navigate to the Security section in the Azure Active Directory, then Conditional Access.
 


 

Then, click on New Policy and Create new policy.

 


Name the new policy (example: vCloud-TokenLifeTime), assign the users or group it applies to, select the Performance Cloud VMware application under Cloud apps, set the Session control Sign-in frequency to 2 hours, set Enable policy to On and click Create.


Performance Cloud VMware – Final Steps


12. Go back to the Performance Cloud VMware portal.

 

13. Still in the SAML section, click EDIT.


14. Enter the URL saved in step #8 in the field named Entity ID.


15. Go to the Identity Provider tab and enable the Use SAML Identity Provider feature.

 

16. Then click the Browse icon (up arrow), select the Federation Metadata XML file you downloaded from the Azure portal and click SAVE.




17. In the left panel, under Access Control, go to Groups and click IMPORT GROUPS.



18. Enter the name of the group created earlier, assign it the Organization Administrator role (“Full Control” permissions) and click SAVE. The name entered here must match exactly the value that the group claim configured in step 9 emits (by default Azure AD sends the group object ID rather than the display name); if it does not match, group members will authenticate at Azure AD but be refused by the portal. Use a less privileged role for groups that do not need full control.



19. OPTIONAL – Quotas can also be put in place


Select the group and click on SET QUOTA

 


Click on ADD and set the desired quota. Then click on SAVE.



At this point, at the Performance Cloud VMware portal login, you should get the Microsoft login box instead of the previous VMware Cloud Director login box. You should also be able to log in with a user that is a member of the authorized group.

- Without the SAML Identity Provider feature enabled:



- With the SAML Identity Provider feature enabled:


 

Scenario 2 - Azure AD Free and user assignments (without Azure AD Connect and security group assignments) 


Performance Cloud VMware setup:


1. Log in to the Performance Cloud VMware portal using your credentials.


2. Go to Administration.


 

3. In the left panel, under Identity Providers, click SAML.


 

4. Then, click on the link to download the metadata XML file.



Keep the Performance Cloud VMware portal open for a later step.
 

Azure Active Directory Setup:


5. Log in to the Azure portal (using a user with one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal).


6. Navigate to the Azure Active Directory section, then to the Enterprise applications section.



 

 

7. Add a new application.


8. Click on Create your own application, add an application name, select the Non-gallery option and click on Create.




9. In the new application, assign the users that will connect to the Performance Cloud VMware portal.





10. Navigate back to your application, go to the Single sign-on section, and select SAML to open the SSO configuration page.




11. Click Upload metadata file.



12. Then browse for the metadata file downloaded from the Performance Cloud VMware portal and click on Add.



On the next screen, copy the Identifier (Entity ID) value and save it for a later step. Then click Save.

 


13. Edit the claims as follows.

    a) Remove the claim for “surname”.

    b) Change the source attribute of the “emailaddress” claim from user.mail to user.userprincipalname.

    c) Rename the “name” claim to UserName.


 

14. Go back to SAML settings on the enterprise application and download the Federation Metadata XML in the SAML Signing Certificate section.



Performance Cloud VMware – Final Steps


15. Go back to the Performance Cloud VMware portal.


16. Still in the SAML section, click on EDIT.

 

17. Enter the URL saved in step #12 in the field named Entity ID.

 

18. Go to the Identity Provider tab and enable the Use SAML Identity Provider feature.



19. Then click the Browse icon (up arrow), select the Federation Metadata XML file you downloaded from the Azure portal and click Save.



 

20. In the left panel, under Access Control, go to Users and click on IMPORT USERS.




21. Enter the user names (email format) for users that will connect to the Performance Cloud VMware portal. Assign the Organization Administrator role for the “Full Control” permissions and click on SAVE.
 


22. OPTIONAL – Quotas can also be put in place for users.

Select the user and click on SET QUOTA



Click on ADD and set the desired quota. Then click on SAVE.
 


At this point, at the Performance Cloud VMware portal login, you should get the Microsoft login box instead of the previous VMware Cloud Director login box, and you should be able to log in as an authorized user.


- Without the SAML Identity Provider feature enabled:


 


- With the SAML Identity Provider feature enabled:
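If a user can sign in at Microsoft but the portal then refuses access, in either scenario the usual cause is that the assertion's attributes do not carry what was imported under Access Control. The following Python script is an added example (it is not part of this KB or of VMware Cloud Director) that decodes a SAMLResponse value captured from the browser (for instance with a SAML tracer extension), lists the assertion's attributes, and compares them with the group or user names imported in step 18 of Scenario 1 or step 21 of Scenario 2. It assumes the group claim added in Scenario 1 was named Groups (the screenshot for that step is not reproduced here) and that the portal compares names exactly. The sample responses are constructed and unsigned; the script does not verify the XML signature and must only be used for inspection, never as an authentication check.

```python
"""Decode a captured SAMLResponse and explain why the portal may refuse the user.

Added example, not part of the KB or of VMware Cloud Director. Assumptions:
the renamed "name" claim is emitted as "UserName", the group claim is named
"Groups", and the portal compares imported user/group names exactly.
The script does NOT check the XML signature: inspection only, never authentication.
"""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
XMLSOAP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def parse_response(saml_response_b64: str) -> dict:
    """Return issuer, NameID and the attribute name -> values map of the first assertion."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain saml:Assertion (encrypted assertions are not handled)")
    attributes: dict[str, list[str]] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name", "")] = values
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "attributes": attributes,
    }


def access_problems(parsed: dict, imported_groups=(), imported_users=()) -> list[str]:
    """Compare the assertion with the groups/users imported under Access Control."""
    attrs = parsed["attributes"]
    problems = []
    user = attrs.get("UserName", [])
    if not user:
        problems.append('no "UserName" attribute: the "name" claim was not renamed in Azure AD')
    if imported_groups:
        groups = attrs.get("Groups", [])
        if not groups:
            problems.append('no "Groups" attribute: group claim not added, or user in none of the emitted groups')
        elif not set(groups) & set(imported_groups):
            problems.append("group values %r match none of the imported groups %r "
                            "(object ID vs. display name? the text must match exactly)"
                            % (groups, list(imported_groups)))
    if imported_users and user and user[0] not in imported_users:
        problems.append('UserName "%s" was not imported as a user' % user[0])
    return problems


def build_sample_response(attributes: dict[str, list[str]]) -> str:
    """Constructed, UNSIGNED response in the shape Azure AD posts (demo input only)."""
    attr_xml = "".join(
        '<saml:Attribute Name="%s">' % escape(name, {'"': "&quot;"})
        + "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % escape(v) for v in values)
        + "</saml:Attribute>"
        for name, values in attributes.items()
    )
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">' % (NS["samlp"], NS["saml"])
        + '<saml:Assertion ID="_a1" Version="2.0">'
        + "<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>"
        + "<saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>"
        + "<saml:AttributeStatement>%s</saml:AttributeStatement>" % attr_xml
        + "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# Scenario 1 as configured in the KB: the group claim value matches the imported group name.
GOOD_RESPONSE = build_sample_response({
    XMLSOAP + "emailaddress": ["alice@contoso.example"],
    "UserName": ["alice@contoso.example"],
    "Groups": ["VCD-Portal-Admins"],
})
# Same user, but the group claim was left at its default and emits the group object ID.
OBJECT_ID_RESPONSE = build_sample_response({
    XMLSOAP + "emailaddress": ["alice@contoso.example"],
    "UserName": ["alice@contoso.example"],
    "Groups": ["3f2b1c0d-1111-4222-8333-444444444444"],
})

if __name__ == "__main__":
    # Replace the samples with the base64 SAMLResponse copied from a captured login.
    for label, resp in (("matching group", GOOD_RESPONSE), ("object-id group", OBJECT_ID_RESPONSE)):
        parsed = parse_response(resp)
        print(label, parsed["attributes"], access_problems(parsed, imported_groups=["VCD-Portal-Admins"]))
```

When the captured response is refused by the portal, the output shows whether the UserName attribute is absent (the claim was not renamed) or whether the Groups values are object IDs while display names were imported; fix the claim configuration in Azure AD, or import the value the claim actually emits, rather than granting a broader role to work around it.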