By Abhinav Katiyar, Product Manager, vCloud Air
As discussed yesterday, VMware is focused on helping IT organizations modernize their data centers by integrating them seamlessly with vCloud Air. A key part of that integration is extending the corporate IT infrastructure, specifically identity and access management, to vCloud Air. In this post I'll describe how vCloud Air federates identity to your preferred corporate identity provider through SAML 2.0.
Key Benefits of Identity Federation
Employee Privacy: Identity federation lets you manage all users, and their access rights to vCloud Air, centrally through your corporate directory service. From a security and governance perspective, because authentication is performed by the corporate identity solution, passwords and other credentials are never presented to or stored in vCloud Air; the service only sees the user identifier and group membership carried in the SAML assertion.
Dynamic User Management: Instead of relying on account administrators to add new users to the service, new users are onboarded automatically, with rights determined by the directory groups they belong to. Authenticating through your corporate identity solution also ensures that vCloud Air access is granted, changed and revoked as employees join, move between teams, or leave.
Improved Role-Based Access: With identity federation, vCloud Air also increases the granularity of the role-based privileges that can be assigned to different groups. Instead of the five standard roles provided out of the box, federated customers have eight roles that can be assigned to different directory groups.
Single Sign-On Experience: With SAML 2.0 support, companies can bring vCloud Air into their Single Sign-On (SSO) experience, so that a single login grants employees access to multiple corporate applications, including vCloud Air. Employees no longer need to set up and remember separate logins and passwords. Because the password is managed by the identity provider, the company also decides the password strength rules and how often employees must change them.
Support for Multi-Factor or Password-less Authentication: As access is granted via the identity provider solution, companies can choose to employ different login methods such as the use of multi-factor authentication (e.g. RSA tokens, mobile phone, catchphrase) or password-less authentication (e.g. biometrics).
How This Works
Security Assertion Markup Language (SAML) is an XML-based open standard for securely exchanging authentication and authorization data between an identity provider and a service provider. Because it is so widely implemented, VMware uses SAML 2.0 to carry the authentication request and response to any supported Identity Provider, including VMware Identity Manager, Active Directory Federation Services (ADFS), Okta, Shibboleth, OneLogin, and many others.
In the common SP-initiated SAML 2.0 Single Sign-On flow, the steps are:
- A user in your organization requests access to vCloud Air.
- vCloud Air redirects the user's browser to your corporate Identity Provider for authentication.
- The Identity Provider authenticates the user according to your authentication and authorization policies. For example, if your organization requires two-factor authentication for vCloud Air, the Identity Provider prompts the user for the second factor.
- Once authentication succeeds, the Identity Provider returns a SAML response to vCloud Air through the user's browser (an HTTP POST). The response carries the SAML assertion, signed with the Identity Provider's private key so that vCloud Air can verify it against the X.509 certificate published in the Identity Provider's metadata.
- Once vCloud Air receives the response and validates the assertion (at minimum its signature, issuer, audience and validity window), it grants the user access with the role-based privileges mapped to the user's groups.
Setting Up Your SAML 2.0 Authentication with vCloud Air
Before you can use SAML 2.0-based Single Sign-On, you must configure your corporate Identity Provider solution and vCloud Air instance to trust each other.
- Start by configuring your vCloud Air instance with the Identity Provider metadata. The Identity Provider metadata must include the location of the Single Sign-On service, the Single Logout service, and the service's X.509 signing certificate. For example, if you are using ADFS as your Identity Provider, you can obtain the metadata from https://<ADFS-host>/FederationMetadata/2007-06/FederationMetadata.xml.
- Log in to the vCloud Air Org with Organization Administrator credentials, go to the Federation Settings page as shown below, check "Use SAML Identity Provider", and upload or paste the metadata XML. Then set the Entity ID. The Entity ID uniquely identifies your vCloud Air instance as a Service Provider (SP) to the Identity Provider; any unique string such as com.xyz.instance1 or an org name will do, but it must match the identifier you register on the Identity Provider side, since that is the value the Identity Provider uses to address assertions to this instance.
- Next, add the vCloud Air instance as a Service Provider to your Identity Provider. In your corporate Identity Provider solution, register your vCloud Air instance using the SP metadata from https://<vCloud-Air-Org-URL>/saml/metadata/alias/vcd. Make sure that your Identity Provider returns a NameID in the SAML assertion to identify the user, together with a Groups attribute listing the user's directory groups; the group-to-role mapping in the next section depends on both.
Mapping vCloud Air Roles to Directory Groups
To control vCloud Air access rights using directory user groups, these groups must be mapped to the vCloud Air roles.
- Log in to the vCloud Air Org with Organization Administrator credentials.
- Go to the Groups Administration page and use the "Import Groups" action to assign vCloud Air roles to the user groups in your corporate directory. A user whose groups are not mapped to any role gets no access.
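The Service Provider side of the exchange described in the two sections above, from parsing the Identity Provider metadata through building the redirect, checking the returned assertion and mapping the Groups attribute to roles, as an added example in Python. It is not vCloud Air's code and does not show how vCloud Air implements these steps internally; it uses only the standard library, and the host names, entity IDs, group names, role names and the ACS path are invented. XML-DSig signature verification is deliberately left to a dedicated library (signxml or similar) and is assumed to have passed, using the certificate taken from the metadata rather than any certificate embedded in the message, before check_assertion runs:

```python
"""Added example (not vCloud Air's code): the SP side of SAML 2.0 SSO, stdlib only; all names below are invented."""
import base64, uuid, zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def parse_idp_metadata(xml_text):
    """The three things the post says IdP metadata must carry, plus the IdP's entity ID."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    out = {"entity_id": root.get("entityID")}
    for key, tag in (("sso", "md:SingleSignOnService"), ("slo", "md:SingleLogoutService")):
        locs = [s.get("Location") for s in idp.findall(tag, NS) if s.get("Binding") == REDIRECT]
        if not locs:
            raise ValueError("no HTTP-Redirect endpoint for " + tag)
        out[key] = locs[0]
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"]
    if not certs or not certs[0]:                             # no 'use' attribute means signing and encryption
        raise ValueError("metadata has no signing certificate")
    out["cert"] = "".join(certs[0].split())                   # base64 DER with the line wrapping removed
    return out

def build_authn_redirect(sso_url, sp_entity_id, acs_url, request_id=None):
    """Step 2 of the flow. HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encoded SAMLRequest."""
    request_id = request_id or "_" + uuid.uuid4().hex
    req = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" IssueInstant="%s" '
           'Destination="%s" AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
           % (NS["samlp"], NS["saml"], request_id, datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
              sso_url, acs_url, sp_entity_id))
    z = zlib.compressobj(9, zlib.DEFLATED, -15)               # -15: raw DEFLATE, no zlib header or checksum
    packed = z.compress(req.encode()) + z.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(packed).decode()})
    return request_id, sso_url + ("&" if "?" in sso_url else "?") + query

def _ts(value):                                               # SAML dateTime, with or without a fraction
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_assertion(response_xml, idp, sp_entity_id, request_id, now, skew=timedelta(minutes=3)):
    """Step 5 of the flow, run AFTER an XML-DSig library has verified the signature against idp['cert']."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:                # ties the response to a request we issued
        raise ValueError("InResponseTo does not match a pending AuthnRequest")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
    if a.findtext("saml:Issuer", namespaces=NS) != idp["entity_id"]:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion has no Conditions or is outside its validity window")
    if sp_entity_id not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("audience mismatch: assertion was not issued for this SP")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    groups = [v.text for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == "Groups" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, groups

def mapped_roles(groups, group_to_role):
    """Directory groups -> roles as 'Import Groups' records them; unmapped groups confer nothing, [] = no access."""
    return sorted({group_to_role[g] for g in groups if g in group_to_role})

# Constructed samples (not real ADFS output): cut-down IdP metadata and a successful Response.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%(md)s" xmlns:ds="%(ds)s" entityID="http://adfs.example.com/adfs/services/trust">
<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICplaceholderNot
ARealCertificate==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleLogoutService Binding="%(r)s" Location="https://adfs.example.com/adfs/ls/"/>
<md:SingleSignOnService Binding="%(r)s" Location="https://adfs.example.com/adfs/ls/"/>
</md:IDPSSODescriptor></md:EntityDescriptor>""" % dict(NS, r=REDIRECT)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" ID="_r1" Version="2.0"
InResponseTo="_req1" IssueInstant="2015-06-01T12:00:00Z"><saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-06-01T12:00:00Z"><saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2015-06-01T11:59:00Z" NotOnOrAfter="2015-06-01T12:05:00.500Z">
<saml:AudienceRestriction><saml:Audience>com.xyz.instance1</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="Groups"><saml:AttributeValue>vca-operators</saml:AttributeValue>
<saml:AttributeValue>all-staff</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>""" % NS
SAMPLE_NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)
GROUP_ROLES = {"vca-operators": "Operator", "vca-admins": "Administrator"}   # what Import Groups would record

def demo():
    """Run the whole exchange against the samples, including the same assertion replayed at a second SP."""
    idp = parse_idp_metadata(SAMPLE_METADATA)
    rid, url = build_authn_redirect(idp["sso"], "com.xyz.instance1", "https://vca.example.com/saml/SSO/alias/vcd", "_req1")
    name_id, groups = check_assertion(SAMPLE_RESPONSE, idp, "com.xyz.instance1", rid, SAMPLE_NOW)
    try:
        check_assertion(SAMPLE_RESPONSE, idp, "com.xyz.instance2", rid, SAMPLE_NOW)
        other_sp = "accepted"                                 # would be a cross-SP replay; must not happen
    except ValueError as e:
        other_sp = str(e)
    return {"sso": idp["sso"], "url": url, "name_id": name_id, "groups": groups,
            "roles": mapped_roles(groups, GROUP_ROLES), "other_sp": other_sp}
```

Two of these checks are where SP implementations most often go wrong. The Audience must equal the Entity ID you set in Federation Settings; without that check an assertion the same IdP issued for a different service provider would be accepted here (demo shows the rejection). InResponseTo must match a request this SP actually issued, which is what stops a captured response from being replayed later. How a user who belongs to several mapped groups is treated (one role, or all of them) is product-specific, so the example returns every mapped role and leaves that decision to the caller.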
Supporting identity federation through SAML 2.0 authentication is a great way to integrate your existing data center practices with vCloud Air. By managing user access to vCloud Air through your preferred corporate identity solution, you are able to simplify user management and the user experience, while improving both security and response times. With identity federation support, VMware continues to make it easier for you to extend your data center or IT organization to vCloud Air and add cloud-based agility, scale, and reach to your existing IT practices – all without changing the tools, processes, and skillsets you already have.
For more information, see VMware vCloud® Air™ – Support for Identity Federation Getting Started Guide.
Ready to get started with the hybrid cloud? Visit vCloud.VMware.com.