Use a SAML Identity Provider for the Performance Cloud VMware portal
TABLE OF CONTENTS
- Summary
- Description
- Prerequisites
- Procedure
- Scenario 1 - Microsoft Entra ID (with Azure AD Connect and security groups assignments)
- Scenario 2 - Microsoft Entra ID Free and user assignments (without Azure AD Connect and security group assignments)
- Bypass the SAML Identity Provider authentication
Summary
This KB describes the steps to add an SAML Identity Provider (Security Assertion Markup Language), like Microsoft Entra ID (previously known as Azure AD), to leverage the single sign-on (SSO) authentication.
Description
Single sign-on is an authentication method that allows users to sign in using one set of credentials to multiple independent software systems. Using SSO means a user doesn’t have to sign in to every application they use. With SSO, users can access all needed applications without being required to authenticate using different credentials.
For more information about single sign-on with Microsoft Entra ID, here is the official Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on
To use an SAML identity provider other than Microsoft Entra ID, please see the prerequisites below.
Prerequisites
General Prerequisites:
- Verify that you have access to an SAML 2.0 compliant identity provider (like Microsoft Entra ID).
- Obtain an XML file with the following metadata from your SAML identity provider.
- The location of the single sign-on service
- The location of the single logout service
- The location of the service’s X.509 certificate
For information on configuring and acquiring metadata from an SAML provider, consult the documentation for your SAML provider and the VMware documentation if needed: https://docs.vmware.com/en/VMware-Cloud-Director/10.4/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-89329614-343E-44AC-9AD3-90A3119D970B.html
Microsoft Entra ID prerequisites
Important Note: Microsoft Entra ID (previously known as Azure AD) can be used as an SAML Identity provider to log in to the Performance Cloud VMware portal without Azure AD Connect and using the Microsoft Entra ID Free license. However, some limitations will apply (details below). Both scenarios are presents in the Procedure section.
Here are the requirements to configure the different assignments using security groups:
- An Active Directory domain using Azure AD Connect Sync 1.2.70.0 or above. Here is the Microsoft documentation to update Azure AD Connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version
- Microsoft Entra ID Premium is required to assign security groups on the Enterprise application and create Conditional Access policies.
Some Microsoft 365 services include Microsoft Entra ID Premium. To validate your current Microsoft Entra ID license, log in to the Azure portal and navigate to Microsoft Entra ID. If you see the Microsoft Entra ID Free license, please contact your account manager to get the proper license to enable all the features included with the license.
Procedure
Examples below leveraging Microsoft Entra ID to access the Performance Cloud VMware portal.
For more information or different setup configuration, please visit the official Microsoft documentation:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso
Scenario 1 - Microsoft Entra ID (with Azure AD Connect and security groups assignments)
Security group creation in Active Directory:
1. Log in to your domain controller (DC) (or any computer/server with the proper administrative tools and credentials) and open the Active Directory Users and Computers console.
2. Create a new security group in your Active Directory domain (in an Organizational Unit (OU) included in the Azure AD Connect sync).
3. Add the required members to the group (those who will access the Performance Cloud VMware portal).
4. Wait for the Azure AD Connect sync to complete or force the sync.
How to force Azure AD Connect to sync:
Performance Cloud VMware setup:
1. Log in to the Performance Cloud VMware portal using your credentials.
2. Go to Administration.
3. In the left panel, under under Identity Providers, click SAML, then click on CONFIGURE
4. In the new window, click on Retrieve Metadata
Keep the Performance Cloud VMware portal opened for a later step.
Microsoft Entra ID setup:
1. Log in to the Azure portal (using a user with one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal).
2. Navigate to the Microsoft Entra ID section, then to the Enterprise applications section.
3. Add a new application.
4. Click on Create your own application then, add an application name, select the Non-gallery option and click on Create.
5. In the new application, assign the new group so the group members can access the application.
6. Navigate back to your application, go to the Single sign-on section, and select SAML to open the SSO configuration page.
7. Click on Upload medadata file.
8. Then browse for the metadata file downloaded from the Performance Cloud VMware portal and click on Add.
On the next screen, copy the Identifier (Entity ID) link and save the information for a later step. Then, click on Save.
9. Edit the attributes to match as below.
a) Remove the line mentioning “surname”.
b) Modify the line mentioning “email address” to change the value user.mail to the new value user.userprincipalname
c) Modify the line mentioning “name” to change the claim name from "name" to "UserName"
d) Then, click on Add a group claim and fill the fields as below, then click on Save.
10. Go back to SAML settings on the enterprise application and click on download for the Federation Metadata XML (in the SAML Signing Certificate section) .
11. OPTIONAL – Set conditional access to improve security (You can personalize as needed).
Navigate to the Security section in the Azure Active Directory, then Conditional Access.
Then, click on New Policy and Create new policy.
Name the new policy (example: vCloud-TokenLifeTime), set a session control with 2h for the sign-in frequency, select the Performance Cloud VMware application, enable the policy and click on Create.
Performance Cloud VMware – Final Steps
12. Go back to the Performance Cloud VMware portal.
13. Enter the URL saved in step #8 in the field named Entity ID.
14. Go to the Identity Provider tab and enable the Use SAML Identity Provider feature.
Then, click on SELECT METADATA XML FILE.
Browse and the select the file you downloaded from the Azure portal.
16. Click on SAVE.
17. In the left panel, under Access Control, go into Groups and click on IMPORT GROUPS
18. Enter the group name as previously created in the Azure portal, assign the Organization Administrator role for the “Full Control” permissions and click on SAVE
19. OPTIONAL – Quotas can also be put in place
Select the group and click on SET QUOTA
Click on ADD and set the desired quota. Then click on SAVE.
At this point, at the Performance Cloud VMware portal login, you should get the Microsoft login box instead of the previous VMware Cloud Director login box. You should also be able to log in with a user that is a member of the authorized group.
- Without the SAML Identity Provider feature enabled:
- With the SAML Identity Provider feature enabled:
Scenario 2 - Microsoft Entra ID Free and user assignments (without Azure AD Connect and security group assignments)
Performance Cloud VMware setup:
1. Log in to the Performance Cloud VMware portal using your credentials.
2. Go to Administration.
3. In the left panel, under under Identity Providers, click SAML, then click on CONFIGURE
4. In the new window, click on Retrieve Metadata
Keep the Performance Cloud VMware portal opened for a later step.
Microsoft Entra ID Setup:
1. Log in to the Azure portal (using a user with one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal).
2. Navigate to the Microsoft Entra ID section, then to the Enterprise applications section.
3. Add a new application.
4. Click on Create your own application, add an application name, select the Non-gallery option and click on Create.
5. In the new application, assign the users that will connect to the Performance Cloud VMware portal.
6. Navigate back to your application, go to the Single sign-on section, and select SAML to open the SSO configuration page.
7. Click on Upload medadata file.
8. Then browse for the metadata file downloaded from the Performance Cloud VMware portal and click on Add.
On the next screen, copy the Identifier (Entity ID) link and save the information for a later step. Then, click on Save.
9. Edit the attributes to match as below.
a) Remove the line mentioning “surname”
b) Modify the line mentioning “email address” to change the value user.mail to the new value user.userprincipalname
c) Modify the line mentioning “name” to change the claim name from "name" to "UserName"
10. Go back to SAML settings on the enterprise application and download the Federation Metadata XML in the SAML Signing Certificate section.
Performance Cloud VMware – Final Steps
11. Go back to the Performance Cloud VMware portal.
12. Enter the URL saved in step #8 in the field named Entity ID.
13. Go to the Identity Provider tab and enable the Use SAML Identity Provider feature.
Then, click on SELECT METADATA XML FILE.
Browse and the select the file you downloaded from the Azure portal.
14. Click on SAVE.
15. In the left panel, under Access Control, go to Users and click on IMPORT USERS.
16. Enter the user names (email format) for users that will connect to the Performance Cloud VMware portal. Assign the Organization Administrator role for the “Full Control” permissions and click on SAVE.
17. OPTIONAL – Quotas can also be put in place for users.
Select the user and click on SET QUOTA
Click on ADD and set the desired quota. Then click on SAVE.
At this point, at the Performance Cloud VMware portal login, you should get the Microsoft login box instead of the previous VMware Cloud Director login box and you should be able to login as an authorized user.
- Without the SAML Identity Provider feature enabled:
- With the SAML Identity Provider feature enabled:
Bypass the SAML Identity Provider authentication
It is possible to authenticate on the portal using local users once the SAML configuration is in place. To proceed, use the following URL and replace [orgname] with the provided organization name to login to the portal:
- USA: https://performancecloud-vdcusa.sherweb.com/tenant/[orgname]/login
- Canada: https://performancecloud-vdc.sherweb.com/tenant/[orgname]/login
The login screen will now offer to authenticate using local credentials even if a SAML Identity Provider is in place for authentication.