Earlier this week I came to learn about a really cool enhancement that was just added to our VMware Cloud Services Console called Connector-less Self-Service Enterprise Federation Setup. It's a bit of a mouthful, but it basically makes configuring identity federation between the VMware Cloud Services Console and other third-party identity providers extremely easy.
Identity federation is not a new feature in VMware Cloud and it has been supported for some time now, but it required customers to deploy the Workspace ONE Access connector into their on-premises environment for federating with either their local or third-party identity provider. The new method is "connector-less" because it does not require any additional infrastructure to be deployed, and it also leverages SAML JIT (Just-in-Time) dynamic provisioning.
While looking at some of the pre-defined identity providers, I noticed that AWS Single Sign-On (SSO) was not listed, and since we have customers that use both VMware Cloud on AWS and native AWS services, this would certainly be a nice way to provide a common logon experience. Another benefit is for customers using the new VMware Cloud with Tanzu services with Tanzu Mission Control (TMC): they can now easily manage secure access and give their end users the ability to provision and consume Tanzu Kubernetes Clusters (TKC) without exposing them to the underlying infrastructure, which is managed by the Cloud Administrators.
These were certainly a few good reasons to try out this new feature, especially as I had never worked with AWS SSO before.
Here is a quick video for those interested in the final logon experience when VMware Cloud is using AWS SSO as the identity provider:
Before getting started, make sure to familiarize yourself with the VMware Cloud Enterprise Federation documentation.
You will be performing 3 key steps:
- Verify your domain(s) that will be used for federation
  - This will require you to access your DNS domain to add a specific TXT record
- Configure your identity provider
  - This will require you to access your desired identity provider to create a SAML application
- Verify logon and link to your Customer Connect ID (MyVMware)
  - This will require that you have a MyVMware account
When setting up Enterprise Federation, you will need a user that has the Org Admin role to initiate the configuration, but the federation itself is not organization specific. This means that after federation is set up, you can add users from your identity provider across multiple organizations that you are a part of, which I think is really neat.
Step 1 - Log in to the VMware Cloud Services Console, click on your username and select the View My Organization button. You should see the Enterprise Federation tab; click on the Set Up button to get started.
Step 2 - Specify the user who will configure Enterprise Federation. This can be the same user who is currently logged in, assuming they have the Org Admin role. Click on the Submit button. This will invite the user into a special Federation Organization that will be created and associated with the domain that you will use for federation. In the example below, I will be using williamlam.com.
Step 3 - To verify the domain you wish to use for identity federation, you will be asked to add a DNS TXT record. Simply follow the self-service wizard and confirm once you have made the changes. For customers with internal (non-public) domains, a manual verification can be performed by filing a support request with VMware.
Step 4 - Select the connector-less option and then click continue.
Step 5 - Select one of the identity providers, or "Other" if you are using AWS SSO.
Step 6 - You will be provided with the Service Provider (SP) Metadata URL for VMware Cloud. Download the XML file; it will be used to create the SAML application within AWS SSO.
Step 7 - Log in to your AWS Console, head over to the AWS SSO service and create a new custom SAML 2.0 application.
Step 8 - Once the SAML application has been created, head to the bottom of that page under Application metadata, upload your Service Provider XML file from Step 6 and click Save changes.
Step 9 - Navigate to the Attribute mappings tab and add the following SAML assertions, which map the attributes expected by VMware Cloud to the AWS SSO identity provider. AWS SSO actually supports three types of directories: Active Directory, AWS Directory and External Directory, and the following document lists all the supported attribute variables which can be used. VMware Cloud expects the following attributes: firstName, lastName, userName and email. If you wish to use the group construct, then you will also need to define a group attribute, which you will define at a later point.
In the example below, I will assume you want to use groups to make it easier to manage your users, and I will be using the keyword Group (notice it is case-sensitive, which you can specify when we return to the VMware Cloud page).
Note: Although the AWS SSO directory supports groups, it looks like the Group ID is used instead of the Group Name. This means that when searching for groups within VMware Cloud, you will need to filter by the [email protected]
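Because the attribute names above are matched case-sensitively and a missing or misspelled one breaks JIT provisioning, it is worth checking what the identity provider actually emits before troubleshooting the VMware Cloud side. The following is an added example, not code from the original post or from VMware or AWS: it parses the AttributeStatement of a SAML assertion (a constructed sample is embedded, with placeholder values and a placeholder issuer) and reports which of the four required attributes are absent and which group identifiers were sent. The attribute names and the group claim name "Group" are the ones configured in the steps above; everything else in the sample is made up.

```python
"""Check a SAML assertion's AttributeStatement against the attribute
names VMware Cloud expects for connector-less JIT provisioning.

Added example (not part of the original post or of any VMware/AWS tool).
The assertion XML below is constructed for illustration; only the
attribute names and the group claim name "Group" come from the post.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attributes VMware Cloud expects in the SAML response (from the post).
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "userName", "email")
# Optional group claim; the name is case-sensitive and must match the
# attribute mapping configured on the IdP side exactly.
GROUP_ATTRIBUTE = "Group"

# Constructed sample: a minimal assertion body with the attributes an
# AWS SSO custom SAML application would emit after attribute mapping.
# Issuer, subject and group IDs are placeholders, not real values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/constructed/entity</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userName"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>00000000-1111-2222-3333-444444444444</saml:AttributeValue>
      <saml:AttributeValue>00000000-aaaa-bbbb-cccc-dddddddddddd</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_attributes(assertion_xml):
    """Return {attribute_name: [values...]} from the AttributeStatement.

    xml.etree is fine for an assertion you captured yourself. For
    assertions received over the wire, parse with defusedxml and verify
    the XML signature first; both are out of scope for this example.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_mapping(attrs, group_attribute=GROUP_ATTRIBUTE):
    """Report required attributes that are missing or empty, plus the
    group values that were sent. Matching is case-sensitive on purpose:
    an attribute named "Email" does not satisfy "email"."""
    missing = [name for name in REQUIRED_ATTRIBUTES
               if not any(v.strip() for v in attrs.get(name, []))]
    # AWS SSO sends group IDs here, not friendly names (see the note above).
    groups = attrs.get(group_attribute, [])
    return {"ok": not missing, "missing": missing, "groups": groups}


if __name__ == "__main__":
    print(check_mapping(parse_attributes(SAMPLE_ASSERTION)))
```

Run it against a real assertion captured from the browser (for example via the SAML-tracer extension) by replacing SAMPLE_ASSERTION with that XML; a non-empty "missing" list or an empty "groups" list points at the attribute-mapping step rather than at the VMware Cloud wizard.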
Step 10 - Next, navigate to Assigned users to add the AWS SSO users and/or groups that you wish to grant access to VMware Cloud. A VMware Cloud Org Admin will still need to assign service roles within the VMware Cloud console before users actually have access to any of the VMware Cloud Services.
Step 11 - Lastly, head back to the Configuration tab and download the AWS SSO SAML metadata file, which you will need to complete the identity provider configuration in VMware Cloud.
Step 12 - Proceed to Step 3 in the identity provider wizard by providing a name for your identity provider and then paste the contents of the metadata file (XML) that was downloaded in the previous step. If there are no errors in the metadata file, the wizard will automatically parse out and display several fields, which you can leave at their defaults; they should match the screenshot below.
Step 13 - You can click Next on the User Attributes page; the required fields were already described in Step 9.
Step 14 - If you recall from Step 9, if you wish to use groups from your identity provider, we also need to add a group attribute mapping, which can have several formats and is selected here. For this example, I am simply using Group (case-sensitive), which in Step 9 we mapped to the AWS SSO group variable. Click Next to proceed.
Step 15 - Finally, the last step is to select the format users will use to sign in to VMware Cloud, which I have left at the default of email.
Once the identity provider section has been completed, the last step is to verify that you can log in using your identity provider. Click on the Start button to proceed.
Step 16 - Click on the Validate Login button and ensure that you can log in. If this is successful, you should see a green checkbox under Status; then click Next.
Step 17 - Before an account can access VMware Cloud Services, it must be linked to a Customer Connect (MyVMware) email account. Ensure that you specify the correct email, which ideally would be the same email used by your identity provider. If you do not have a Customer Connect account, you can create one for free by clicking on the link below.
At this point, you have successfully enabled Enterprise Federation with AWS SSO and VMware Cloud!
If you need to view or make any changes to your Enterprise Federation configuration, make sure to select the Federated Organization, which can be changed by clicking in the upper right-hand corner. The Federated Organization is denoted with a shield icon to distinguish it from regular VMware Cloud Organizations.
To begin assigning VMware Cloud Service roles to users and groups from your identity provider, switch to any one of your VMware Cloud Organizations and then head to the Identity and Access Management tab on the left-hand side.
As a best practice, customers should consider leveraging Groups to assign roles rather than managing individual users. In addition to simplifying user management, as users are added to or removed from your identity provider group, they automatically inherit (or lose) the VMware Cloud Service roles that have been assigned to it, so you do not have to worry about certain users not having access or needing to have certain VMware Cloud Service roles removed.
To add a group, navigate to the Groups tab and then click on the Add Groups button. As mentioned in the note after Step 9, AWS SSO groups do not publish the friendly group name but rather their Group ID, which is what you will need to use to search. The easiest method is to log in to AWS SSO, click on the desired group you wish to add, and you can find the ID and use that to search. Once you have identified the specific group, you can add the specific set of VMware Cloud Service roles.
Note: Before a group from your identity provider can be discovered by VMware Cloud, a user from that group must log in.
As you can see from the screenshot below, I have three AWS SSO groups which I have assigned different VMware Cloud Service roles mapping to popular services such as VMware Cloud on AWS, Tanzu Mission Control and VMware Marketplace to just name a few.