VMware Open Source Secuirty

Configure vCloud Director to use Keycloak Identity as SAML provider

If you want to import users and groups from a SAML identity provider to your vCloud organization, you need to configure your system organization with a SAML identity provider to establish a mutual trust by exchanging metadata.. Imported users can log in to the system organization with the credentials established in the SAML identity provider. In this post we are going to cover how to integrate vCD with Keycloak as SSO Identity.

What is Keycloak?

Keycloak is an open source sponsored by REDHAT Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

Keycloak Deployment Options

Keycloak on OpenJDK
Keycloak on Docker
Keycloak on Podman
Keycloak on Kubernetes
Keycloak on Openshift
Keycloak Operator on Kubernetes
Keycloak Operator on Openshift

For instructions on installation in a production environment and full details on all product features, see Keycloak documentation

Note: In this post we are not going to cover how to install Keycloak, but if you want more details how to do it, send us your comment.

Prerequisites to Configure Your System to Use Keycloak as SAML Identity Provider

  • A vCloud Director Org account with permissions to configure SAML
  • Keycloak Administration console access
  • An XML file with the following metadata from your SAML identity provider. The metadata must include the following information:

The location of the single sign-on service
– The location of the single logout service
– The location of the service’s X.509 certificate

Prepare vCloud Director

As Organization Administrator we must prepare the organization for federation.

Procedure:
  • From the main menu, select Administration/Identity Provider
  • Click SAML and select Edit. The current SAML settings are displayed.
  • Enter an Entity ID for the system organization and click save. The Entity ID uniquely identifies your system organization to your Identity Provider
  • Download Cloud Director SAML service provider metadata from SAML configuration. You will spring_saml_metadata.xml when configuring keycloak.

Important! Verify the certificate expiration date and regenerate it if expiration date is too close.

Keycloak Configuration

As the admin in the master realm, you will have to create the realm to create users and vCloud application

Create new realm for Cloud Director Organization

1- Go to http://youkeycloakaddress:8080/auth/admin/ and log in to the Keycloak admin console using the admin account.

2- From the Master menu, click Add Realm. When you are logged in to the master realm, this menu lists all other realms.

3.Type vCloud in the Name field.

Create Keycloak Client

1- Click Clients in the left side menu to open the Clients page.
2- On the right side, click Create.

3- On the Add Client dialog. Click Select File and provide the metadata XML downloaded from vCloud Director, and click Save.

Retrieve SAML endpoint metadata from Keycloak Realm

Now that you have created the realm you need to retrieve the metadata associated with it so the Cloud Director recognizes it.
Click Realm Settings and Download the endpoint metadata under SAML 2.0 Identity Provider Metadata

Note: Once your realm is created and If you planning to not use SSL, navigate to the login TAB and set Require SSL to none

Create a local User in Keycloak

The created users will be later mapped to vCloud Director and assign specific user roles.

In the vCloud realm, you create a new user and a password for that new user. Procedure

1- From the menu, click Users to open the user list page.
2- On the right side of the empty user list, click Add User to open the Add user page.
3- Enter a name in the Username field. This is the only required field. Add user page

4. Create a password for the User. Navigate to the Credentials tab. Enter and confirm the new password and deselect Temporary. Then click Reset Password

Configure vCloud Director

1- In vCloud Director Organization go to Administration/Identity Provider/ SAML.

2- On the Identity Provider tab, enable the Use SAML Identity Provider toggle. Upload the SAML metadata file downloaded previously from Keycloak identity provider. Click Save

You can now import SAML users/group by selecting SAML in the Import Users/Groups dialog box and assign their role
User names must be in the name identifier format supported by the SAML identity provider configured for this organization.

Import SAML users/group

1- In the top navigation bar, click Administration.
2- In the left panel, under Access Control, click Users. The list of users appears.
3- Click Import Users.
4- Select SAML as source to import the users.
5- Select the role which you want to assign to the users that you import.
6- Click Save

If you followed all the steps and didn’t miss any parameter, then you should be able to login vCloud Director with your Identify Provider user.

Reference Links

https://www.keycloak.org/getting-started
https://www.keycloak.org/about
https://www.keycloak.org/docs/latest/getting_started/index.html#creating-a-realm-and-a-user
Enable Your Organization to Use a SAML Identity Provider

We hope you enjoyed this post! If you need additional information, please send us your comment clicking the below button.