Configuring VMware Identity Manager & VMware vRealize Automation 7 Using SAML Integration
By Peter Bjork, Principal Systems Engineer, EMEA End-User-Computing Practice, VMware
With the support of Benoit Sarda, Professional Services Organization Consultant in France, VMware
SAML is an open standard often used to exchange authentication and authorization data between an identity provider and a service provider. Using SAML, end users can log in once and, thereafter, access multiple different systems, both internal and external, using single sign-on (SSO). VMware Identity Manager can act as the identity provider and manage SSO for your whole enterprise.
VMware vRealize Automation accelerates the deployment and management of applications and compute services by automating IT’s delivery of applications, infrastructure, and desktops. It also provides the ability to “personalize” policies that enforce application deployment standards.
Configuring Identity Manager as the identity provider offers two benefits:
- You can make vRealize Automation available as an application to your users through the application portal in Identity Manager
- vRealize Automation can use the latest authentication methods offered by Identity Manager
How to Get Started with Integrating vRealize Automation and Identity Manager
First, you need to set up the following:
- vRealize Automation 7 configured and integrated with Active Directory (AD)
- Identity Manager configured and integrated with AD
- Local users in vRealize Automation represented as users in Identity Manager, sharing a common user ID, for example, email (typically this is the case if the two products are integrated to the same AD)
Launch your Web browser and navigate to the administrator consoles of both vRealize Automation and VMware Identity Manager.
You will be working in both the vRealize Automation tab and the VMware Identity Manager tab of your browser.
Figure 1: vRealize Automation and VMware Identity Manager Tabs
In this blog post, vRealize Automation and Identity Manager are both integrated into the same AD, which allows both environments to have the same users. You can also connect vRealize Automation and Identity Manager to separate ADs. The key to authentication integration is a shared user identifier. If you have two different ADs, for example, the integration works as long as the email address is the same for the user in both directories.
Configuring VMware Identity Manager as the IdP
Now you will configure Identity Manager as the IdP in vRealize Automation 7.
Collecting SAML Metadata from Identity Manager
You need to collect SAML metadata from Identity Manager so you can configure the IdP.
Note: SAML uses two kinds of metadata. IdP metadata describes Identity Manager (its entityID, its single sign-on endpoint, and the certificate it signs assertions with); SP metadata describes vRealize Automation (its entityID and the Assertion Consumer Service URL that receives SAML responses). The IdP metadata must be imported into vRealize Automation, and the SP metadata must be imported into Identity Manager; the other way round does not work.
- From the VMware Identity Manager tab, click the Catalog tab, and from the drop-down menu that appears, select Settings.
- In the left pane, click SAML Metadata. The Download SAML Certificate pane appears.
Figure 2: Download SAML Certificate Pane
- In the center of the pane, right-click the Identity Provider metadata link and, in the pop-up menu that displays, select Open link in new tab.
The IdP metadata appears in a new, third tab.
Figure 3: IdP Metadata
- Copy the IdP metadata (do not copy the explanatory text or the line at the top of the data).
Adding the New Identity Provider in vRealize Automation
Now add the new identity provider to vRealize Automation.
- Click the vRealize Automation tab, click the Administration tab, and in the left pane, click Identity Providers.
The Identity Providers pane appears.
- In the Identity Providers pane, click Add Identity Provider.
Figure 4: Add Identity Provider
The Identity Providers Administration pane appears.
- In the Identity Provider Name text box, enter a name.
- In the Identity Provider Metadata (URL or XML) text box, paste the IdP metadata you copied from the tab shown in Figure 3.
Figure 5: Identity Providers Administration
- Click Save to save the metadata.
This activates more options where you can continue the configuration.
- In the Name ID policy in SAML Request (Optional) drop-down menu, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
In this example, we are using the email address as the unique user identifier, so you must choose the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress value. This tells Identity Manager to place the user's email address in the NameID of the SAML assertion, which is the value vRealize Automation matches against its own user records.
- Under Users, select a user directory; in this example, it is the same Active Directory.
- Under Network, select which networks this IdP can be accessed from. (You can filter based on network ranges, that is, which IdP to use for clients in a particular network range.)
- In the Authentication Methods text box, specify a name; in this example, we entered PassIdp.
- In the SAML Context drop-down menu, select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. This is the authentication context class that vRealize Automation requests from Identity Manager; PasswordProtectedTransport means a password presented over a protected (TLS) session.
- At the bottom of the window, right-click the Service Provider (SP) Metadata link and choose to open the link in a separate tab.
Figure 6: Identity Providers Administration (continued)
A window opens with the Service Provider (SP) metadata.
Figure 7: SP Metadata to Be Copied
- Copy the SP metadata from the window that opens. (Do not copy the explanatory text or the line at the top of the data.)
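Both metadata documents are copied by hand from a browser tab, which is where stray text, a truncated certificate, or a paste into the wrong product tends to happen. The following is an added example (not code from this post or from VMware) that parses the IdP metadata copied from Identity Manager and the SP metadata copied from vRealize Automation, extracts the fields the integration depends on (entityID, endpoints, the emailAddress NameID format, and the IdP signing certificate fingerprint), and cross-checks the pair before you paste. The two metadata documents in the block are constructed samples; the hostnames, paths and the certificate blob are placeholders, not real product output.

```python
"""Added example, not code from the post or from VMware: summarize and cross-check
the IdP and SP SAML metadata before pasting it. Sample metadata is constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # for XML from a source you do not control, prefer defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
FAKE_CERT = base64.b64encode(b"constructed stand-in for DER certificate bytes").decode()

# Constructed IdP metadata, preceded by the kind of browser chatter the post says not to copy.
IDP_METADATA = f"""This XML file does not appear to have any style information associated with it.
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://vidm.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FMT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="https://vidm.example.com/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://vidm.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata in the shape any SAML service provider publishes (not vRA's actual output).
SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://vra.example.com/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{EMAIL_FMT}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{POST}" Location="https://vra.example.com/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_pasted(text):
    """Drop anything before the first '<' (browser chatter), then parse the XML."""
    start = text.find("<")
    if start < 0:
        raise ValueError("no XML in pasted text")
    return ET.fromstring(text[start:])


def cert_sha256(b64_cert):
    """SHA-256 fingerprint of the DER certificate, to compare with the IdP's real signing cert."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


def summarize(text):
    """Return the fields that matter from either kind of metadata."""
    root = parse_pasted(text)
    role, kind, ep_tag = root.find("md:IDPSSODescriptor", NS), "idp", "md:SingleSignOnService"
    if role is None:
        role, kind, ep_tag = root.find("md:SPSSODescriptor", NS), "sp", "md:AssertionConsumerService"
    if role is None:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    certs = [cert_sha256(c.text)
             for kd in role.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "kind": kind,
        "entity_id": root.get("entityID"),
        "endpoints": {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location") for e in role.findall(ep_tag, NS)},
        "name_id_formats": [n.text.strip() for n in role.findall("md:NameIDFormat", NS)],
        "signing_certs": certs,
    }


def check_pair(idp, sp, name_id_format=EMAIL_FMT):
    """Mismatches that would otherwise surface only at login time; an empty list means the pair is consistent."""
    problems = []
    if idp["kind"] != "idp" or sp["kind"] != "sp":
        problems.append("metadata pasted into the wrong product (IdP XML goes to vRA, SP XML to Identity Manager)")
    if not idp["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate, so responses cannot be verified")
    if name_id_format not in idp["name_id_formats"]:
        problems.append(f"IdP does not advertise {name_id_format}")
    if sp["name_id_formats"] and name_id_format not in sp["name_id_formats"]:
        problems.append(f"SP does not advertise {name_id_format}")
    if not {"HTTP-POST", "HTTP-Redirect"} & set(idp["endpoints"]):
        problems.append("IdP has no HTTP-POST or HTTP-Redirect SingleSignOnService")
    if "HTTP-POST" not in sp["endpoints"]:
        problems.append("SP has no HTTP-POST AssertionConsumerService")
    for side in (idp, sp):
        problems += [f"{side['kind']} endpoint is not https: {u}"
                     for u in side["endpoints"].values() if not u.startswith("https://")]
    return problems


if __name__ == "__main__":
    idp, sp = summarize(IDP_METADATA), summarize(SP_METADATA)
    print(idp["entity_id"], idp["endpoints"], idp["signing_certs"])
    print("problems:", check_pair(idp, sp) or "none")
```

Run it against the text you actually copied from the two tabs (replace the two constants with the pasted strings). Compare the printed certificate fingerprint with the certificate shown on the Identity Manager SAML Metadata page: a mismatch means the copy was truncated or taken from the wrong environment.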
Configuring the vRealize Automation Access Policy
Next you need to configure the vRealize Automation access policy so that vRealize Automation knows to use the Identity Manager method of authentication.
- From the vRealize Automation tab, click the Administration tab and, in the left column, click Policies.
- Edit the default access policy so that your new authentication method (in this example, PassIdp) is first and handles the correct network range or ranges. The order of the items in the window and the network ranges should reflect your environment. For more details about how to edit the access policy, refer to Managing Access Policies in the VMware Identity Manager Administration Guide.
Figure 8: Policies Pane
Creating a New SAML Application in Identity Manager
Next, add vRealize Automation as an application in Identity Manager. First you use the application to verify the SSO integration; later, you can entitle users to this application to make it available to them.
- From the VMware Identity Manager tab, click the Catalog tab. Next click Add Application and select Create a new one.
Figure 9: Catalog Tab
This opens the Add Application window.
- Give the application a Name and for the Authentication Profile, select SAML 2.0 POST profile.
- For the best end-user experience, next to Icon, click Choose File, and upload a vRealize Automation logo as the application icon.
Figure 10: Add Application Window
- Click Next. The Application Configuration window appears.
Configuring the SAML Application
Now configure the SAML application.
- In the Meta-data XML text box, paste the vRealize Automation SP metadata that you copied in the Adding the New Identity Provider in vRealize Automation section and click Save.
Figure 11: Application Configuration Information
Additional options appear in the Application Configuration window. Some of them are automatically populated from the metadata.
- In the RelayState text box, enter the https URL of your vRealize Automation instance and click Save. For IdP-initiated launches this is where the browser lands after Identity Manager has authenticated the user, so it must point at your own vRealize Automation host and nowhere else.
Figure 12: Setting the RelayState
Entitling Users to the SAML Application
Now you need to identify the groups and individuals you want to entitle to your new SAML application.
- From the VMware Identity Manager tab, click the Catalog tab, and in the left pane, click Entitlements.
- Select groups or individuals you want to entitle to your new SAML application.
Figure 13: Setting Entitlements
Testing the Integration
Now, as a user who is entitled to vRealize Automation, test the integration.
Testing by Launching vRealize Automation from Identity Manager
Do a simple test of having a user launch vRealize Automation from Identity Manager.
- Make sure the user is not already logged in to vRealize Automation.
- Log in to VMware Identity Manager.
Figure 14: VMware Identity Manager Login Window
- From the Identity Manager window, try launching vRealize Automation by clicking the icon. If you can successfully access vRealize Automation, you can proceed to the next test.
Figure 15: Identity Manager Window, with vRealize Automation Icon
Note: This access method is referred to as IdP-Init (IdP-initiated SSO); that is, the user first logs in to the IdP (Identity Manager, in this example) and afterwards launches the application (vRealize Automation, in this case) from the portal.
This configuration also supports what is referred to as SP-Init (SP-initiated SSO). SP-Init means you first open the vRealize Automation Web page without being authenticated anywhere. vRealize Automation (the service provider, or SP, in this case) then redirects you to your IdP (Identity Manager, in this example) with a SAML authentication request; after you authenticate, Identity Manager posts the SAML response back to vRealize Automation, which validates it and signs you in.
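The SP-Init exchange just described, shown as the two SAML messages it consists of. This is an added example, not code from this post or from VMware: build_authn_request() produces the authentication request in which vRealize Automation would carry the two settings chosen earlier (the emailAddress NameID format and the PasswordProtectedTransport context), the two binding functions show how that request travels in the redirect URL together with the RelayState, and check_response() lists what the service provider must verify in the reply before trusting the NameID. All URLs, IDs and the sample response are constructed placeholders, not captured product traffic.

```python
"""Added example, not code from the post or from VMware: the SP-initiated SAML
exchange as two messages, plus the checks the SP makes on the response.
All URLs, IDs and the sample response are constructed placeholders."""
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Placeholders standing in for values read from the two metadata documents.
SP_ENTITY_ID, ACS_URL = "https://vra.example.com/sp", "https://vra.example.com/acs"
IDP_ENTITY_ID, IDP_SSO_URL = "https://vidm.example.com/idp", "https://vidm.example.com/sso"


def build_authn_request(request_id, issue_instant):
    """SP-Init step 1: the AuthnRequest the SP sends the browser to the IdP with.
    NameIDPolicy and RequestedAuthnContext carry the two drop-down choices made earlier."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
            f'AssertionConsumerServiceURL="{ACS_URL}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:NameIDPolicy Format="{EMAIL_FMT}" AllowCreate="false"/>'
            f'<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>{PPT}'
            '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>')


def redirect_binding_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode. RelayState is where the SP sends
    the browser after login; keep it on the SP's own host, as the post's RelayState step does."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                    "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_binding(url):
    """What the IdP does on arrival: reverse the binding, returning (xml, relay_state)."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml_text = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return xml_text, params.get("RelayState", [None])[0]


def sample_response(in_response_to, not_on_or_after, name_id_format=EMAIL_FMT):
    """SP-Init step 2: a constructed, unsigned IdP Response used to exercise the checks below."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'IssueInstant="2016-01-01T00:00:00Z" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status>'
            '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject>'
            f'<saml:NameID Format="{name_id_format}">jdoe@example.com</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}" '
            f'NotOnOrAfter="{not_on_or_after}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2016-01-01T00:00:00Z">'
            f'<saml:AuthnContext><saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>'
            '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>')


def check_response(response_xml, expected_request_id, now=None):
    """Checks the SP must make before trusting the NameID. The XML signature over the assertion,
    verified against the IdP signing certificate from the metadata, is required as well; that
    needs an XML-DSig library (for example xmlsec) and is deliberately not reimplemented here."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(response_xml)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion in Response"]
    problems = []
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match our AuthnRequest ID")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Issuer is not the configured IdP")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID is not in emailAddress format")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not our ACS URL")
    elif dt.datetime.fromisoformat((scd.get("NotOnOrAfter") or "1970-01-01T00:00:00Z")
                                   .replace("Z", "+00:00")) <= now:
        problems.append("assertion expired (NotOnOrAfter)")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        problems.append("Audience is not our SP entityID")
    if a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS) != PPT:
        problems.append("AuthnContextClassRef is not PasswordProtectedTransport")
    return problems


if __name__ == "__main__":
    rid = "_8f3c2b1e"  # constructed request ID; a real SP uses a fresh random one per request
    url = redirect_binding_url(build_authn_request(rid, "2016-01-01T00:00:00Z"), "https://vra.example.com/vcac/")
    xml_text, relay = decode_redirect_binding(url)
    print(ET.fromstring(xml_text).get("ID") == rid, relay)
    print(check_response(sample_response(rid, "2099-01-01T00:00:00Z"), rid) or "response consistent")
```

When an SP-Init login fails after the configuration above, the checks in check_response() are the usual suspects: a NameID that arrives in a format other than emailAddress, an audience or recipient that does not match the SP metadata you pasted into Identity Manager, or an InResponseTo that does not match the request (typically a replayed or IdP-initiated response arriving where an SP-initiated one was expected).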
Testing with the Built-In IdP Disabled (Optional)
Another test is to disable the built-in IdP in vRealize Automation entirely and then confirm that a user with access to vRealize Automation can still log in. With the built-in IdP no longer available as a fallback, a successful login proves that the external VMware Identity Manager is the one performing the authentication. Keep the browser session in which you are administering vRealize Automation open while you do this, so that you can re-enable the built-in IdP if the external login fails.
- From the vRealize Automation tab, in the left pane, click Identity Providers.
- In the Identity Providers pane, in the Status drop-down menu, toggle from Enabled to Disabled for the built-in IdP (WorkspaceIDP_3 in this example). This results in idp (the name given to the VMware Identity Manager IdP in this example) being the only identity provider.
Figure 16: Identity Providers Pane
- With the built-in IdP disabled, try to authenticate once again into vRealize Automation.
You have successfully
- Configured VMware Identity Manager as the identity provider (IdP) in VMware vRealize Automation 7 using SAML integration
- Made vRealize Automation available as an application to your users through the application portal in Identity Manager
- Tested that SSO works for this integration of vRealize Automation into Identity Manager
For more information about SSO in Identity Manager, see the Identity Manager Web page.