If you want to import users and groups from a SAML identity provider to your vCloud organization, you need to configure your system organization with a SAML identity provider to establish a mutual trust by exchanging metadata.. Imported users can log in to the system organization with the credentials established in the SAML identity provider.
In this post we are going to cover how to configure IBM Cloud Identity as Identity Provider in vCloud Director 9.7. We will share how to do the Federation Configuration with Cloud Director 10.1 soon, so stay tuned!
- Verify that you have access to a SAML 2.0 compliant identity provider.
- Obtain an XML file with the following metadata from your SAML identity provider.
- The location of the single sign-on service
- The location of the single logout service
- The location of the service’s X.509 certificate
Prepare vCloud Director
As Organization Administrator we must prepare the organization for federation.
- From the main menu, select Administration/Federation
- In the left panel, under Identity Providers, click SAML and click Edit. The current SAML settings are displayed.
- From the Service Provider tab, download the vCloud Director SAML service provider metadata.
- Enter an Entity ID for the system organization. The Entity ID uniquely identifies your system organization to your Identity Provider.
- Examine the certificate expiration date and, if expiring soon, regenerate the certificate by clicking Regenerate. The certificate is included in the SAML metadata, and is used for both encryption and signing. Either or both of these might be required depending on how trust is established between your organization and your SAML IDP.
- Click the Metadata link. The link is similar to https://VCD_host_name/cloud/org/System/saml/metadata/alias/vcd. Your browser downloads the SAML service provider metadata, an XML file which you must provide to your identity provider.
- You will need extract the federation certificate from spring_saml_metadata.xml and saved as PEM file:
Configure IBM Cloud Identity
IBM Cloud Identity is a service that allows you to connect your users (and things) to any application that you have running either inside or outside of the enterprise. That means anything from legacy apps running in your data center to the new cloud native applications you are building for multicloud environments.
IBM Cloud Identity offers a wide range of application but vCloud Director is not in the list, but don’t worry because you can use the custom identity flow to integrate App ID with vCD.
- First step is to configure Certificates. Go to Menu/Configuration/Certificates
Note: SAML single sign-on uses X.509 certificates to provide digital signing and encryption of a SAML assertion. It secures data and establishes trust between the SAML identity provider and the service provider
- Upload the .pem file that contains the X.509 certificate. Click Add file to browse and select the file, click OK
- As we mentioned before, vCD doesn’t appear as a predefined Apps, so we need to create new application in Applications. Select Add Application\Custom Application.
- Set up General details like Description, icon and Application Owners
- Move to Sign-on Tab, there are few section you need to complete using vCloud Director details
– Sign-on Method: SAML2.0
– Provider ID:
– Assertion Consumer Service URL
– optionally check Use identity provider initiated single sign-on checkbox and provide Target URL
- Check “Sign authentication response” and pick Signature Algorithm RSA_SHA256 (which is the imported *.pem certificate). Optionally you can check Encrypt assertion
- Configure the SAML subject in the SAML assertion to identify the authenticated user
- Optionally you can tick the Uncheck box to Send all known user attributes in the SAML assertion and instead provide custom list of Attributes to be used. vCloud Director supports the following attributes:
You can configure the mapping to each
If a user is assigned the Defer to Identity Provider role but no matching role or group name is available in your organization, the user can log in to the organization but has no rights. If an Identity Provider associates a user with a system-level role such as System Administrator, the user can log in to the organization but has no rights. You must manually assign a role to such users (for more information please refer to vCD Admin Guide)
- Configure Access Policies and Entitlements to specify which users/groups can use vCloud Director
Note: There are other parameters you can configure not covered in this post. We recommend you to contact IBM Cloud Identity team for further assistance
- Save the configuration and retrieve the SAML2.0 federation metadata from the link provided on the right side of the Sign-On screen.
Configure vCloud Director
In vCloud Director go to > Administration > Settings > Federation check Use “SAML Identity Provider”, browse for the file downloaded in the previous steps and select Upload. This completes the exchange of SAML metadata between vSphere and vCloud Director
You can now import SAML users/group by selecting SAML in the Import Users/Groups dialog box and assign their role
If you followed all the steps and didn’t miss any parameter, then you should be able to login both from IBM Cloud Identity and vCloud Director with your Identify Provider user.
We hope you enjoyed this post! If you need additional information, please send us your comment clicking the below button.