As a follow-up to my recent blog post on how to configure identity federation between VMware Cloud and AWS SSO using our new Just-in-Time (JiT) provisioning method, I was also interested to see what the process looked like with Microsoft Azure Active Directory (AD), another popular identity provider, which can also benefit our Azure VMware Solution (AVS) customers leveraging VMware Cloud Services. As with AWS SSO, I had never worked with Azure AD before and this was a good opportunity to check out their service.
Here is a quick video for those interested in the final logon experience when VMware Cloud is using Azure AD as the identity provider:
Before getting started, make sure to familiarize yourself with the VMware Cloud Enterprise Federation documentation.
You will be performing 3 key steps:
- Verify your domain(s) that will be used for federation
  - This will require you to access your DNS domain to add a specific TXT record
- Configure your identity provider
  - This will require you to access your desired identity provider to create a SAML application
- Verify logon and link to your Customer Connect ID (MyVMware)
  - This will require that you have a MyVMware account
When setting up Enterprise Federation, you will need a user that has the Org Admin role to initiate the configuration, but the federation itself is not organization specific. This means that after federation is set up, you can add users from your identity provider across multiple organizations that you are a part of, which I think is really neat.
Step 1 - Log in to the VMware Cloud Services Console, click on your username and select the View My Organization button. You should see the Enterprise Federation tab. Click on the Set Up button to get started.
Step 2 - Specify the user who will configure Enterprise Federation. This can be the same user who is currently logged in, assuming they have the Org Admin role. Click on the Submit button. This will then invite the user into a special Federation Organization that will be created and associated with the domain that you will use for federation. In the example below, I will be using williamlam.com
Step 3 - To verify the domain you wish to use for identity federation, you will be asked to add a DNS TXT record. Simply follow the self-service wizard and confirm once you have made the changes. For customers with internal (non-public) domains, a manual verification can be performed by filing a support request with VMware.
Step 4 - Select the connector-less option and then click continue.
Step 5 - Select Azure Active Directory as the identity provider and then click next to proceed.
Step 6 - You will be provided with the Service Provider (SP) Metadata and Reply URL for VMware Cloud. Record these two URLs as they will be needed in the next step.
Step 7 - Log in to your Azure Portal, head over to the Azure AD service and on the left hand side select Enterprise applications.
At the very top, click on the banner to switch to the "legacy app gallery experience", which is required to be able to create a custom SAML application.
You should now see a different screen allowing you to select a Non-gallery application to create a SAML application.
Provide a name and then click save to complete the initial creation of your SAML application.
Step 8 - Once the SAML application has been created, go ahead and assign users/groups by clicking on the 1st tile. This should be straightforward and I will not be covering it in the tutorial.
Next, click on the 2nd tile to begin setting up the SAML SSO configuration.
Click on the SAML option and then proceed to next step.
Step 9 - At the top of the Basic SAML configuration section, click on the edit button and remove any default entries that may exist under the Identifier and Reply URL. Add the VMware Cloud SP and Reply URL retrieved from Step 2 as shown in the screenshot below and then click on the Save button.
Step 10 - Navigate to the Attributes and Claims section, click on edit and add the following SAML assertions, which will map the list of expected attributes from VMware Cloud to the Azure AD identity provider. The list of available attributes from Azure AD can be selected from a pre-defined drop down list within Azure AD. I have not found the exact documentation that clearly states what each property actually means. VMware Cloud expects the following attributes: firstName, lastName, userName and email. If you wish to use the group construct, then you will also need to define a group attribute which you will define at a later point.
In the example below, I will assume you will want to use groups to make it easier to manage your users and I will be using the keyword Group (notice it is case-sensitive, which you can specify when we return to the VMware Cloud page).
Attribute Name | Value | Type |
---|---|---|
Unique User Identifier | user.userprincipalname | Group |
firstName | user.givenname | User |
lastName | user.surname | User |
userName | user.userprincipalname | User |
email | user.mail | User |
Group | user.groups | Group |
Once you have completed the attribute mapping, navigate back to the SSO page to proceed to the final step of setting up your SAML application within Azure AD.
Note: Although Azure AD supports groups, it looks like the Group ID is used instead of the Group Name and this means when searching for groups within VMware Cloud, you will need to filter by the Object ID, which can be found next to the Azure AD Group Name as shown in screenshot below.
Step 11 - Below is an example of what your SSO configuration should look like. Lastly, under SAML Signing Certificate section, copy the App Federation Metadata URL which we will need to complete the identity provider configuration in VMware Cloud.
Step 12 - Proceed to Step 3 in the identity provider wizard by providing a name for your identity provider and then paste the metadata URL from the previous step. Once the wizard has successfully parsed the metadata URL, ensure that the Name ID Format is using urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and Name ID Value is using userName. The rest can be left as the default and should match the screenshot below.
Step 13 - You can click next on the User Attributes page; these, along with the required fields, were already described in Step 9.
Step 14 - If you recall in Step 9, we mentioned that if you wish to use groups from your identity provider, we also need to add a group attribute mapping. It can have several formats, and the format is selected here. For this example, I am simply using Group (case-sensitive) and in Step 9, we simply mapped that to the Azure AD group variable. Simply click next to proceed.
Step 15 - Finally, the last step is to select the format that users will use to sign into VMware Cloud, which I have defaulted to email.
Once the identity provider section has been completed, the last step is to verify that you can log in using your identity provider. Click on the Start button to proceed.
Step 16 - Click on the Validate Login button and ensure that you can login. If this is successful, you should see a green checkbox under status and then click next.
Step 17 - Before an account can access VMware Cloud Services, it must be linked to a Customer Connect (MyVMware) email account. Ensure that you specify the correct email, which ideally would be the same email from your identity provider. If you do not have a Customer Connect account, you can simply create it for free by clicking on the link below.
At this point, you have successfully enabled Enterprise Federation with Azure AD and VMware Cloud!
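If Validate Login fails or a group never shows up, it helps to compare the assertion Azure AD actually sends against the mappings configured above. The following is an added example, not part of the original walkthrough or of any VMware or Microsoft tooling; the sample assertion is constructed, and the script checks only attribute names, the Name ID and group values, not the SAML signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = ("firstName", "lastName", "userName", "email")  # case-sensitive
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def _attr(name, value):
    return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            '</saml:AttributeValue></saml:Attribute>')

# Constructed sample assertion (not captured from a real tenant).
SAMPLE = (
    f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
    f'<saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>'
    '</saml:Subject><saml:AttributeStatement>'
    + _attr("firstName", "Alice") + _attr("lastName", "Example")
    + _attr("userName", "alice@example.com") + _attr("email", "alice@example.com")
    + _attr("Group", "11111111-2222-3333-4444-555555555555")
    + '</saml:AttributeStatement></saml:Assertion>'
)

def check_assertion(xml_text, group_attr="Group"):
    """Return a list of mapping problems; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted input
    attrs = {}
    for a in root.iter("{%s}Attribute" % NS["saml"]):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    problems = []
    for name in REQUIRED:
        if name not in attrs:
            near = [k for k in attrs if k.lower() == name.lower()]
            problems.append(f"missing {name}" + (f" (found {near[0]!r})" if near else ""))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        if [name_id.text] != attrs.get("userName"):
            problems.append("NameID value differs from userName")
    if group_attr not in attrs:
        problems.append(f"no {group_attr!r} attribute")
    for g in attrs.get(group_attr, []):
        if not GUID.fullmatch(g):
            problems.append(f"group value {g!r} is not an Object ID")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "mapping OK")
```

Pass it the Base64-decoded SAML response XML from a test sign-in; the `group_attr` argument must match the case-sensitive group attribute name entered in the VMware Cloud wizard.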
If you need to view or make any changes to your Enterprise Federation configuration, make sure to select the Federated Organization, which can be changed by clicking on the upper right hand corner. The Federated Organization will be denoted with a shield icon to distinguish it from regular VMware Cloud Organizations.
To begin assigning VMware Cloud Service roles to users and groups from your identity provider, switch to any one of your VMware Cloud Organizations and then head to the Identity and Access Management tab on the left hand side.
As a best practice, customers should consider leveraging Groups to assign roles rather than managing individual users. In addition to simplifying user management, as users are added or removed from your identity provider group, they will automatically inherit the VMware Cloud Service roles that have been assigned, so you do not have to worry about certain users not having access or needing to have certain VMware Cloud Service roles removed.
To add a group, navigate to the Groups tab and then click on the Add Groups button. As mentioned in Step 9, Azure AD groups do not publish the friendly group name but rather their Object ID, which is what you will need to use to search. The easiest method is to log in to Azure AD and, under Group management, find the ID and use that to search. Once you have identified the specific group, you can add the specific set of VMware Cloud Service roles.
Note: Before a group from your identity provider can be discovered by VMware Cloud, a user from that group must log in.
As you can see from the screenshot below, I have two Azure AD groups to which I have assigned different VMware Cloud Service roles, mapping to popular services such as VMware Cloud on AWS, vRealize Log Intelligence, Tanzu Mission Control and VMware Marketplace, to name just a few.