7.2.3 Example
This example covers a consumer single sign-on deployment architecture, as illustrated in the following figure.
Figure 36. Consumer Logical Single Sign-On Deployment Architecture
This example shows how enterprise customers can log in to vCloud Director with their existing identity management software, whether they are connecting to an internal cloud or to a vCloud Director-powered service provider. To demonstrate this behavior you must set up a separate Identity Provider (IdP) using either OpenAM or ADFS. This example uses vCloud Director to create an organization named vCAT and sets the OpenAM IdP as the IdP of that organization. Thereafter, when you log in to your organization, you are redirected to OpenAM, where you authenticate and are then directed back to the vCloud Director portal.
To set up single sign-on with OpenAM IdP
1. Set up OpenAM as an enterprise IdP. As an example, using a web browser, go to: http://openam.corp.local:8080/openam/saml2/jsp/exportmetadata.jsp?realm=labs
This page provides XML text that must be copied and pasted to a text area in vCloud Director in a later step.
a. Right-click the browser window and select View Source.
b. Select and copy the entire text and paste it into a text editor such as Notepad. Make sure that there are no blank lines at the top or bottom of the text. Keep this information easily available, as you will need it in step 9 (where it is pasted in the organization’s Federation settings under the Administration section).
2. Create a vCloud Director organization named vCAT and set up the IdP configuration to point to the OpenAM IdP server.
3. Log in to vCloud Director as administrator.
4. Create a vCloud Director organization named vCAT.
5. Click Finish after you enter the name.
6. Go to your organization.
7. Go to Administration > Federation.
8. Select Use SAML Identity Provider.
9. Paste the XML text that was copied from OpenAM in step 1, and click Apply to apply the changes.
10. Remove any extra whitespace at the beginning and end of the SAML text. One way to accomplish this is to remove the XML header at the top, so that the text begins with the opening angle bracket of the first element.
11. Go to Users > Import and import some of the users that were created in OpenAM.
a. Specify <username>@<domain name>.com in the text area, where <username> is either orguser or orgadmin.
b. Assign the Organization Administrator role to orgadmin and the vApp User role to orguser.
c. Log out from vCloud Director.
12. Open another browser tab and go to: https://<vcd-server>/cloud/org/Lab/saml/metadata/alias/vcd. This downloads a file called vcd. Perform the following steps:
a. Access openam.corp.local:8080/openam from your browser.
b. Log in as amadmin with the password <password>.
c. Go to the Federation tab.
d. Under the Entity Providers list, click Import Entity.
e. Select labs as the realm name.
f. Upload the vcd file. (Select the first upload button.)
g. Under the Circle of Trust list, click the name of the realm with which you are federating (labs).
h. Under the list of Available entity providers, locate the vCloud Director entity. Click Add, and click Save.
i. Log out from OpenAM.
j. Log out from vCloud Director.
13. Type the vCloud Director organization URL: https://<vCloud Director server>/cloud/org/Lab.
You are redirected to the OpenAM IdP where you can log in as one of the following users:
* orgadmin (password: <password>).
* orguser (password: <password>).
The user is redirected to vCloud Director after a successful authentication.
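Steps 1b and 10 above depend on the pasted IdP metadata starting at the opening angle bracket, and the resulting federation is only as trustworthy as the metadata that is pasted. The following Python example is added here and is not part of the vCAT example, VMware's code or OpenAM's code: it normalizes an exported metadata document the way those steps describe and extracts the entityID, single sign-on endpoints and signing-certificate fingerprint to confirm with the IdP administrator before the settings are applied. The metadata document, endpoint paths and certificate bytes are constructed placeholders, not a real OpenAM export.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-in for the IdP certificate; a real export carries DER bytes.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()
# Constructed OpenAM-style export, with the leading blank line and XML header that step 10 removes.
SAMPLE_METADATA = f"""
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://openam.corp.local:8080/openam">
  <IDPSSODescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://openam.corp.local:8080/openam/SSORedirect/metaAlias/labs/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://openam.corp.local:8080/openam/SSOPOST/metaAlias/labs/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def normalize_metadata(raw: str) -> str:
    # Strip surrounding whitespace and the <?xml ...?> header so the text starts
    # at the opening angle bracket of EntityDescriptor (steps 1b and 10).
    return re.sub(r"^<\?xml[^>]*\?>\s*", "", raw.strip())

def cert_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def summarize_idp_metadata(raw: str) -> dict:
    # Pull out the values worth confirming with the IdP administrator before
    # the metadata is applied under Administration > Federation.
    root = ET.fromstring(normalize_metadata(raw))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata (such as the vcd file) carries no IdP role
        raise ValueError("no IDPSSODescriptor; this is not IdP metadata")
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = [cert_fingerprint(base64.b64decode("".join(c.text.split())))
                    for kd in idp.findall("md:KeyDescriptor", NS)
                    if kd.get("use", "signing") == "signing"
                    for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_cert_sha256": fingerprints}
```

Running summarize_idp_metadata on the real export and comparing the fingerprint with the one the IdP administrator reports out of band catches a swapped or tampered metadata file before the organization trusts it.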