VMware google cloud Secuirty

Configure vCloud Director to use Google Identity as SAML provider

If you want to import users and groups from a SAML identity provider to your vCloud organization, you need to configure your system organization with a SAML identity provider to establish a mutual trust by exchanging metadata.. Imported users can log in to the system organization with the credentials established in the SAML identity provider.

In a previous post we covered how configure IBM Cloud Identity as Identity Provider in vCloud Director, this time is Google Cloud Identity turn

Prerequisites

  • A vCloud Director Org account with permissions to configure SAML
  • A Google Cloud Identity account
  • An XML file with the following metadata from your SAML identity provider.

Prepare vCloud Director

As Organization Administrator we must prepare the organization for federation.

Procedure:
  • From the main menu, select Administration/Federation
  • In the left panel, under Identity Providers, click SAML and click Edit. The current SAML settings are displayed.
  • Enter an Entity ID for the system organization. The Entity ID uniquely identifies your system organization to your Identity Provider.

Configure Google Cloud Identity

Google Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. Users can configure Cloud Identity to federate identities between Google and other identity providers, such as Active Directory and Azure Active Directory.

Google Cloud Identity offers a wide range of application but vCloud Director is not in the list, but don’t worry because you can use the custom identity flow to integrate App ID with vCD.

Set up vCloud Director as your own custom SAML app

1. Sign in to your Google Admin console. Sign in using an administrator account

2. From the Admin console Home page, go to Appsand thenSAML apps.

3. If you are setting up a new custom app for the first time Click Add “Add a service/app to your domain”, otherwise Click the plus button at bottom right.

4. Click Set up my own custom app.

The Google IDP Information window opens and the SSO URL and Entity ID fields automatically populate.

5. Google Cloud offers the following methods when setting up the service provider:
– Copy the SSO URL and Entity ID and download the Certificate.
– Download the IDP metadata (we will use this option for our vCD configuration)

6. Click Next.

7. In the Basic information window, add an application name and description.

(Optional) Upload a PNG or GIF file to serve as an icon for your custom app. The icon image should be 256 pixels square.

8. Click Next.

9. In the Service Provider Details window, enter an ACS URLEntity ID, and Start URL for your custom app.  

(Optional) Check the Signed Response box if your service provider requires the entire SAML authentication response to be signed. If this is unchecked (the default), only the assertion within the response is signed. 

The default Name ID is the primary email. Multi-value input is not supported.  

10. Click Next.

11. (Optional) Click Add new mapping and enter a new name for the attribute you want to map.

In the drop-down list, select the Category and User attributes to map the attribute from the Google profile.
Note: Google doesn’t let you use Employee ID for attribute mapping.

Google Cloud AttributesvCloud Attributes
Primary emailEmailAddress
First namehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last namehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

12. Click Finish.

13. Download Metadata file. It will required when configuring vCloud Director Identity Provider

Turn on your SAML app

1. Sign in to your Google Admin console. Sign in using an administrator account

2. From the Admin console Home page, go to Appsand thenSAML apps. > Select vCloud Director SAML app.

3. Click User access.

To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.

Changes typically take effect in minutes, but can take up to 24 hours. For details, see How changes propagate to Google services.

Verify that SSO is working with your custom app

You can test both Identity Provider (IdP) initiated SSO, and Service Provider (SP) initiated SSO.

IdP-initiated

1. Sign in to your Google Admin console. Sign in using an administrator account

2. From the Admin console Home page, go to Appsand thenSAML apps.

3. Select vCloud Director custom SAML app. 

4. At the top left, click Test SAML login.  Your app should open in a separate tab. If it doesn’t, use the information in the resulting SAML error messages to update your IdP and SP settings as needed, then retest SAML login.

Configure vCloud Director

In vCloud Director go to > Administration > Settings > Federation check Use “SAML Identity Provider”, browse for the file downloaded in the previous steps and select Upload. This completes the exchange of SAML metadata between vSphere and vCloud Director

You can now import SAML users/group by selecting SAML in the Import Users/Groups dialog box and assign their role

If you followed all the steps and didn’t miss any parameter, then you should be able to login both from Google Cloud Identity and vCloud Director with your Identify Provider user.

Additional resources

vCloud Director Federation with SAML parameters refer to vCloud Director API Programming Guide (PDF)

Cloud Identity Help

We hope you enjoyed this post! If you need additional information, please send us your comment clicking the below button.