There are 3 authentication methods that are supported by vCloud Director:
1: Local: These are the local users which are created at the time of installing vCD or creating any new organization. If you have configured vCD with default configuration, then the first local account that is created is “administrator” user who is system admin for the vCD.
2: LDAP service: A LDAP service enables the organization to use their own LDAP servers for authentication. Users can then be imported into vCD from the configured LDAP. If you have a multi-tenant based vCD deployment, then each organization can use their own LDAP service for authentication.
I wrote an article in past on how to use LDAP authentication with vCD.
3: SAML Identity Provider: A SAML Identity Provider can be used to authenticate users in an organization. SAML v2.0 metadata is required for the service to be configured. The metadata must include the location of the single sign-on service, the single logout service, and the X.509 certificate for the service.
For SAML authentication a number of solution can be used including VMware Horizon Workspace, vCenter SSO, ADFS etc. In this post I will be covering only how to federate vCenter SSO with vCloud Director.
What happens when vCD is configured to use vCenter SSO?
When vCD is federated with vCenter SSO, you can import your vCenter SSO users in vCD . These users will be assigned system administrator role and when these users wants to log into the vCloud Director by typing URL https://vCD-FQDN/cloud, they will be redirected to vSphere Web Client where they authenticates against SSO and post that they will be redirected back to vCloud Director.
- SSO integration for System Admin authentication: This type of integration supports all types of identity providers in SSO.
- SSO integration for Client authentication: For this type of integration, only OpenLDAP is supported as identity provider.
How to configure vCloud Director to use vCenter Single Sign On?
This article from VMware describes high level overview of how to use vCenter SSO with vCD. Lets navigate through each step:
1: Login to vCD as system admin user and navigate to Administration > System Settings > Federation and click on Register button.
2: Provide the vCenter server lookup URL. If you are running vCenter 6.0, then lookupservice port is 443. For vCenter 5.X, you have to use port 7444.
Provide the SSO admin details. Typically it is administrator@your-sso-domain (if you have not configured any custom sso admin)
3: Make sure “Use vSphere Single Sign On” box is checked.
4: Select “Users” under System Administrators & Roles and click on Import users.
5: Type the name of the user which you want to import from vCenter SSO. I have only one user created i.e the default administrator. User name should be in UPN format.
Hit OK to continue.
Now when I try to open my vCD URL (https://mgmt-vcd-a.alex.local), I am being redirected to vCenter Web Client.
See how the URL changed and its pointing to my vCenter which I registered with vCD.
and now I am inside vCD via my SSO user
One more advantage of integrating vCenter SSO with vcd is, you can open any vCD object in Web Client directly. If you right click on any vCD object and select “open in vSphere Web Client”, and if vCD is not registered with vCenter SSO, it will prompt you to enter credentials of a vCenter user.
But when vCenter SSO is integrated with vCD, opening any vCD object do not needs any vCenter credentials. This simplifies the manageability of vCD objects from vSphere Web Client. No more searching for vCD objects in Web Client 😉
What to do if SSO server is down?
If your SSO server is down, you won’t be able to login to vCD using SSO credentials. In this case you can bypass SSO authentication by typing vCD URL as https://vCD-FQDN/cloud/login.jsp and login via system admin or any LDAP user (if vCD has been configured to use LDAP)
Sources and Inspirations
And that’s it for this post. I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂