I was doing some research on an inquiry I had received from a customer who was interested in configuring their vRealize Automation (vRA) instance to use vCenter's Platform Services Controller (PSC) as an External Identity Provider (IDP) rather than the default VMware Identity Manager (vIDM), which vRA supports natively out of the box. vIDM already supports a large number of WebSSO applications, as seen here, and it can itself also be used as an External IDP to integrate with things like Active Directory Federation Services (ADFS), for example.
For some customers who are more familiar with the PSC, this is a convenient way to unify their authentication between the different vRealize products which support vIDM by integrating that directly with PSC. Since both solutions speak SAML, it was merely a matter of figuring out the process for setting up the External IDP using the PSC. By reading some of our internal Wikis and working with one of the vIDM Engineers (since I was stuck on a particular step), I was finally able to get this to work, and I have outlined the steps below. I also learned that we have officially supported this since vRA 7.0, which was great to hear as well.
I know there are a number of customers who would also like to see the reverse of this configuration, where PSC uses vIDM as an External IDP. I know this is something the PSC team is currently looking into for External IDP support. If this is something you are interested in, or if you would like to see a specific External IDP setup/configuration covered, feel free to leave a comment.
Pre-Requisites:
- Join Platform Services Controller (PSC) to Active Directory (instructions here & here)
- Join vRealize Automation (vRA) Appliance to Active Directory (instructions here)
In my lab environment, I have deployed an Embedded VCSA 6.5 (this also works with an External PSC) and vRealize Automation 7.2 (this was prior to 7.3 being released, but it should work as well).
Step 1 - Login to the vSphere Web Client and under Administration->Single Sign-On->Configuration, select the "SAML Service Providers" tab and download the SAML service provider metadata XML file and save that to your desktop.
Step 2 - We need to assign vRA permissions to the AD user and/or group that will authenticate against the External IDP. Login to vRA (https://[VRA]/vcac/org/vsphere.local) using a Tenant Administrator account that you have already configured as part of setting up vRA. Make sure you have also joined vRA to Active Directory; if not, please have a look at the instructions here before proceeding further. Select Administration->Users and Groups->Directory Users and Groups and then enter either an AD user and/or group in the search box located in the upper right hand corner. If you have properly configured and synced your AD users, you should see the user or group listed as shown in the screenshot below.
Click on the user/group and under the "General" tab, assign the Tenant Administrator role and then click Finish to save your changes.
Step 3 - Next, we will add our External IDP. Under Administration->Directories Management->Identity Providers, select "Add Identity Provider" button.
a. Start off by providing a name for this IDP. I would recommend being as specific as possible in case you have more than one External IDP.
b. Open the XML file that was downloaded in Step 1 and paste its contents into the Identity Provider Metadata box, then click on the "Process IDP Metadata" button, which should automatically pre-fill the three format mappings as shown below.
c. Under "Name ID policy in SAML Request" box, select the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent option.
d. Under "Users", select the AD user and/or group which we had assigned permissions earlier.
e. Under "Network", select ALL RANGES if you have not defined specific network ranges for accessing this IDP.
f. Under "Authentication Methods", add an entry with the SAML Context using the urn:oasis:names:tc:SAML:2.0:ac:classes:Password option. Under "Single Sign-Out Configuration", select the Enable check box.
g. Before you save the External IDP configuration, at the very bottom right click on the "Service Provider (SP) Metadata" link and save the sp.xml to your desktop which we will need to import into our PSC.
Step 4 - Now, we need to update our access policy to make use of the External IDP that we just configured. Under Administration->Directories Management->Policies, select the default_access_policy_set, which we will need to edit.
Rather than defaulting to the local vIDM for authentication, we can change the method to use our External IDP. Select the network range/source where you would like the External IDP to be used and then change the method to our IDP, which should match the display name that was created in Step 3f. As a precaution, you also have the option of adding a fallback method for the scenario where your External IDP may not be available, so that you do not lock yourself out. Save your changes and you are done with all the vRA specific changes.
Step 5 - Finally, we just need to import the Service Provider (SP) metadata (sp.xml) which we downloaded in Step 3g into the PSC. Log back into your vSphere Web Client and under Administration->Single Sign-On->Configuration, click on the "SAML Service Providers" tab, select the Import button, locate the sp.xml file and then click Import. If the import was successful, you should not see any type of notification.
Step 6 - To test and verify that logging into vRA will now automatically redirect to our PSC as our External IDP, log out of vRA and then open a new incognito browser window (this is needed as the old session may still be cached). Connect to your vRA endpoint like you normally would (https://[VRA]/vcac/org/vsphere.local) and, instead of going to vIDM, it should now take you directly to the PSC UI for authentication. Login with the appropriate AD user and you should now be logged into vRA after successfully authenticating with PSC. Pretty slick!
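As an added check that is not part of the original post or of any VMware tooling, the Python script below parses a SAML 2.0 metadata file like the ones exchanged in Steps 1 and 3g and flags the things this procedure depends on: the persistent NameID format chosen in Step 3c, a signing certificate, a single logout endpoint for the single sign-out enabled in Step 3f, and HTTPS endpoints. The embedded IdP metadata is constructed to resemble what a PSC exports; the hostname and certificate body are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def inspect_metadata(xml_text):
    """Summarise one EntityDescriptor and flag what would break the PSC <-> vIDM
    exchange in the post: persistent NameID, signing cert, single sign-out, HTTPS."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    desc, role = root.find("md:IDPSSODescriptor", NS), "IDP"
    if desc is None:
        desc, role = root.find("md:SPSSODescriptor", NS), "SP"
    if desc is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor found")
    # An IdP publishes SingleSignOnService; an SP publishes AssertionConsumerService.
    sso_tag = "md:SingleSignOnService" if role == "IDP" else "md:AssertionConsumerService"
    sso = [e.get("Location") for e in desc.findall(sso_tag, NS)]
    slo = [e.get("Location") for e in desc.findall("md:SingleLogoutService", NS)]
    formats = [f.text.strip() for f in desc.findall("md:NameIDFormat", NS) if f.text]
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing = [k for k in desc.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")
               and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    issues = []
    if PERSISTENT not in formats:
        issues.append("persistent NameID format not advertised (Step 3c expects it)")
    if not signing:
        issues.append("no signing certificate; assertions could not be verified")
    if not slo:
        issues.append("no SingleLogoutService; single sign-out (Step 3f) will not work")
    issues += ["non-HTTPS endpoint: %s" % u for u in sso + slo if not (u or "").startswith("https://")]
    return {"role": role, "entity_id": root.get("entityID"), "name_id_formats": formats,
            "sso": sso, "slo": slo, "signing_certs": len(signing), "issues": issues}


# Constructed IdP metadata in the shape a PSC exports; hostname and certificate body are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://psc.example.test/websso/SAML2/Metadata/vsphere.local">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://psc.example.test/websso/SAML2/SLO/vsphere.local"/>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://psc.example.test/websso/SAML2/SSO/vsphere.local"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run it against the real PSC metadata from Step 1 and the sp.xml from Step 3g (via `inspect_metadata(open(path).read())`) before importing either side; an empty `issues` list means the fields this exchange relies on are all present.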
Sorry if you explained this in the article and I missed it. Does this only work with AD users, or can you use this to authenticate an OpenLDAP user to vRA via the PSC?
I have successfully set up this integration for one of my tenants. However, I am not able to do it for a 2nd or 3rd; is there a limitation on the PSC side? I am facing an issue where authentication at the PSC is good (I see it in the SSO logs) but the redirection back to vRA is failing and the user gets an "Access denied" message.