Using VMware Horizon Workspace to Enable SSO in VMware vcloud Director 5.1

Similar documents
Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Configuring Single Sign-on from the VMware Identity Manager Service to Trumba

Configuring Single Sign-on from the VMware Identity Manager Service to Exterro E-Discovery

Configuring Single Sign-on from the VMware Identity Manager Service to Bonusly

Integration Guide. SafeNet Authentication Service. Protecting Syncplicity with SAS

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Configuring Single Sign-on from the VMware Identity Manager Service to Vizru

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager 3.1 (On Premises) Modified JUL 2018 VMware Identity Manager 3.1

Configuring Single Sign-on from the VMware Identity Manager Service to Collibra

Configure ISE 2.3 Guest Portal with OKTA SAML SSO

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

McAfee Cloud Identity Manager

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Setting Up Resources in VMware Identity Manager

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE

Cloud Pod Architecture with VMware Horizon 6.1

RSA SecurID Access SAML Configuration for Brainshark

Formatted: Font: Century Gothic, 12 pt

Request Manager User's Guide

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

Configuring Alfresco Cloud with ADFS 3.0

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

Installing and Configuring vcloud Connector

ARCHITECTURAL OVERVIEW REVISED 6 NOVEMBER 2018

Okta Embedded-OCC Implementation Guide

WHITE PAPER SEPTEMBER 2017 VCLOUD DIRECTOR 9.0. What s New

Using vrealize Operations Tenant App as a Service Provider

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE

Horizon Workspace Administrator's Guide

vcloud Director User's Guide

Multi-Machine Guide vcloud Automation Center 5.2

vcloud Director Administrator's Guide

vcloud Director User's Guide

VMware Identity Manager Administration

INSTALLATION AND SETUP VMware Workspace ONE

EXPLORING MONITORING AND ANALYTICS VMware Horizon

MANAGING ANDROID DEVICES: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Installing and Configuring vcloud Connector

Workspace ONE UEM Certificate Authority Integration with JCCH. VMware Workspace ONE UEM 1810

vcloud Director User's Guide

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

VMware Identity Manager Administration

Introduction to application management

VMware vrealize Configuration Manager SQL Migration Helper Tool User's Guide vrealize Configuration Manager 5.8

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1

vrealize Production Test Upgrade Assessment Guide

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Horizon DaaS Platform 6.1 Service Provider Installation - vcloud

Using the vcenter Orchestrator Perspectives Plug-In

Slack Cloud App SSO. Configuration Guide. Product Release Document Revisions Published Date

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5

vcloud Director User's Guide

Integrating AirWatch and VMware Identity Manager

vrealize Orchestrator Load Balancing

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: UNIFIED ACCESS GATEWAY ARCHITECTURE

RSA SecurID Access SAML Configuration for Datadog

Configuration Guide - Single-Sign On for OneDesk

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

INTEGRATING WITH DELL CLIENT COMMAND SUITE: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

vshield Administration Guide

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

SAML-Based SSO Configuration

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Using vrealize Operations Tenant App for vcloud Director as a Tenant Admin

VMware vrealize Suite and vcloud Suite

Configure Unsanctioned Device Access Control

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4

Manage SAML Single Sign-On

Horizon DaaS Platform 6.1 Release Notes. This document describes changes to the Horizon DaaS Platform for Version 6.1.

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Oracle Utilities Opower Solution Extension Partner SSO

RSA SecurID Access SAML Configuration for Kanban Tool

Single Sign-On Administrator Guide

Directories Services and Single Sign-On for Collaboration

CONFIGURING BASIC MACOS MANAGEMENT: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Single Sign-On Administrator Guide

Migrating vrealize Automation 6.2 to 7.2

PROVIDING SECURE ACCESS TO VMWARE HORIZON 7 AND VMWARE IDENTITY MANAGER WITH THE VMWARE UNIFIED ACCESS GATEWAY REVISED 2 MAY 2018

VMware AirWatch Integration with RSA PKI Guide

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

AirWatch Container. VMware Workspace ONE UEM

VMware Identity Manager Integration with Office 365

RSA SecurID Access SAML Configuration for StatusPage

Configuring OneSign 4.9 Virtual Desktop Access with Horizon View HOW-TO GUIDE

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Leave Policy. SAML Support for PPO

Horizon DaaS Platform 6.1 Patch 3

Migrating vrealize Automation 6.2 to 7.1

Box Connector. Version 2.0. User Guide

Using VMware Identity Manager Apps Portal

Transcription:

Using VMware Horizon Workspace to Enable SSO in VMware vcloud Director 5.1 March 2013

Using VMware Horizon Workspace to Enable SSO This product is protected by U.S. and international copyright and intellectual property laws. This product is covered by one or more patents listed at http://www.vmware.com/download/patents.html. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. VMware, Inc. 3401 Hillview Ave Palo Alto, CA 94304 www.vmware.com Page 2 of 11

Contents Using VMware Horizon Workspace to Enable SSO 1. Overview... 5 2. Requirements for SSO in VMware vcloud Director... 5 3. Configuring vcloud Director... 7 3.1 Exporting XML Metadata from vcloud Director... 9 4. Configuring Horizon Workspace for vcloud Director SSO... 10 5. Other Considerations... 11 5.1 Groups... 11 5.2 Previous LDAP Users... 11 5.3 API Access... 11 5.4 Known Issues... 11 Page 3 of 11

Using VMware Horizon to Enable SSO Page 4 of 11

1. Overview Using VMware Horizon to Enable SSO VMware Horizon Workspace can be used to enable single sign-on (SSO) in VMware vcloud Director 5.1. vcloud Director provides methods to authenticate end users via LDAP and federation to external authentication sources. This document provides information and procedures for configuring vcloud Director to allow for account federation from VMware Horizon Workspace. This information is also applicable for third-party Identity Providers. 2. Requirements for SSO in VMware vcloud Director The SAML process and the people using it have formal roles and responsibilities: Service Provider An entity that receives the SAML message from an Identity Provider (vcloud Director). Identity Provider An entity that authenticates an user (Horizon Workspace). To set up vcloud Director for SSO you need to acquire metadata from your SAML Identity Provider. Usually, this is in the form of an XML document such as the following: <?xml version="1.0" encoding="utf-8"?> <md:entitydescriptor cacheduration="p29dt12h44m3.840s" entityid="https://doman.com/idp.xml" validuntil="2013-04-11t21:44:51.059z" xmlns:md="urn:oasis:names:tc:saml:2.0:metadata"> <md:idpssodescriptor WantAuthnRequestsSigned="true" protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol"> <md:keydescriptor use="signing"> <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> </md:keydescriptor> <md:singlelogoutservice Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="domain.com" ResponseLocation="domain.com"/> <md:nameidformat>urn:oasis:names:tc:saml:1.1:nameidformat:unspecified</md:nameidformat> <md:nameidformat>urn:oasis:names:tc:saml:1.1:nameidformat:emailaddress</md:nameidformat> <md:nameidformat>urn:oasis:names:tc:saml:2.0:nameidformat:persistent</md:nameidformat> <md:singlesignonservice Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="domain.com"/> </md:idpssodescriptor> <md:additionalmetadatalocation namespace="urn:oasis:names:tc:saml:2.0:metadata">domain.com</md:additionalmetadataloca tion> </md:entitydescriptor> This XML metadata file includes several certificates and the information required to allow vcloud Director to communicate with the SSO solution and validate and trust the SSO solution responses. Page 5 of 11

Using VMware Horizon to Enable SSO The Identity provider must provide values for the following case-sensitive fields in the response: UserName EmailAddress FullName Groups Only UserName is required, but it is recommended that all fields be returned with appropriate information to allow for ease of management and administration of the users and their rights. Page 6 of 11

3. Configuring vcloud Director Use the following procedure to configure vcloud Director for SSO. To enable the use of a SAML Identity provider in vcloud Director 5.1 Using VMware Horizon to Enable SSO 1. After logging in as an organization administrator or system administrator go to the organization Administration page, click Federation, and select Use SAML Identity Provider. 2. The XML metadata file from your SAML/SSO provider should be downloaded to the machine these actions are running from. In the case of Horizon Workspace the metadata can be found here: https://<hostname>/saas/api/1.0/get/metadata/idp.xml Use the upload function to upload the XML file. (Do not paste the file into the text area as special characters might cause problems.). Page 7 of 11

Using VMware Horizon to Enable SSO 3. Close the Organization tab, or log out and back into the UI, to make the Groups and Import from SAML options available from the UI. Then, import users into vcloud Director. Page 8 of 11

Using VMware Horizon to Enable SSO Because SAML users and groups cannot be found using a search, users have to be added one per line for each role. Alternatively, access to the organization can be granted through the use of groups. After importing users or groups the configuration of SSO for vcloud Director is complete. 3.1 Exporting XML Metadata from vcloud Director Export a file similar to the file imported from the SAML provider so that the SAML provider can trust and validate requests coming from vcloud Director. This file and related certificates are controlled from the Federation page where we imported the SAML XML file. To export XML metadata from vcloud Director Click Regenerate to create a new certificate that is valid for one year. A warning about changing the certificate is displayed. If you have already set up a SAML provider relationship, changing this certificate breaks that relationship until the SAML provider replaces the current information with the new certificate. After the certificate is generated you can download it from the following link: https://<domain>.<tld>/cloud/org/<organizationname>/saml/metadata/alias/vcd Save the certificate as an XML file, and provide it to your SAML provider when you configure Horizon Workspace for vcloud Director SSO. Page 9 of 11

Using VMware Horizon to Enable SSO 4. Configuring Horizon Workspace for vcloud Director SSO Log in to the administrator interface for Horizon Workspace and create a new application, then configure the following items for the newly created application. To configure Horizon Workspace for vcloud Director SSO 1. Configure the Login Redirection URL to be the organization URL in vcloud Director. This is required for vcloud Director to work properly because the authentication sequence must start with vcloud Director, not Horizon Workspace. 2. Select Include the Destination in the response. 3. Select the Sign the entire response. 4. Select Sign the assertion. 5. Deselect the Include Cert checkbox. 6. Select the configure via Meta-data XML option. Then upload the certificate (copy/paste) the certificate into the text box. 7. Click Populate Attribute Mapping. 8. Configure the attribute mapping to match your deployment of Horizon Workspace. Page 10 of 11

5. Other Considerations Also consider the following when configuring SSO. Using VMware Horizon to Enable SSO 5.1 Groups Depending on the deployment source of truth for authentication, if the user can see the application in Horizon Workspace, it can be assumed to be granted access to vcloud Director. If that is the case, you can avoid having to manage two lists of users by hardcoding a group name. To do this set an attribute in Horizon Workspace of Groups = TrustedUsers (or similar name), and in vcloud Director add a group by that name (SAML is case sensitive). This allows any user that authenticates to Horizon Workspace and is presented with this application access to the vcloud Director instance, regardless of whether an account was prepopulated. In Horizon Workspace, the attribute mapping looks like the following. 5.2 Previous LDAP Users If you are migrating from LDAP to SAML you probably have some LDAP users in your vcloud installation. These users may even be owners of vapps or catalog items. If your SAML provider uses the same UserName as LDAP, vcloud Director will display errors about SAML failing to authenticate the user. To resolve this the LDAP user has to be removed from vcloud Director before the SAML user can be created. A solution for some LDAP users might be to disable and remove the user, transfer the ownership of the objects to a different user, create the SAML user, and change the ownership back to the new SAML account. 5.3 API Access When using SAML Identity Providers and API access follow the instructions in the Create a Login Session Using a SAML:Identity Provider section of the VCloud API Programming Guide (http://pubs.vmware.com/vcd-51/topic/com.vmware.vcloud.api.doc_51/guid-335cfc35-7ad8-40e5-91be-53971937a2bb.html?resultof=%22%73%61%6d%6c%22%20). Another option is to use a LDAP user or local user to access the API, PowerCLI, or other means. 5.4 Known Issues vcloud Director does not handle a logout event properly in a SAML installation. If a user ends up in a infinite loop between Horizon Workspace and vcloud Director, have the user close the browser (clearing the session cookies) and re-login. This problem presents itself mostly when a user has access to multiple organizations and attempts to change between those organizations without logging out of organization 1 and then logging into organization 2 through Horizon Workspace. Page 11 of 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback