This article describes how to configure vCloud Director 10 to consume authentication information from a SAML identity provider using Keycloak.
If you will provide your customers access to more than one system, it might be helpful to have a single point of authentication. The advantages to have a central system for all authentication requests are reduced configuration overhead, troubleshooting complexity and the possibility to implement Single Sign-On.
The implementation described in this article is based on Keycloak which is consuming the user database through LDAPS in the backend and provides multiple authentication methods towards several customer consumed applications in the fronted. Available authentication methods are for example SAML or OpenID.
In the following I will show you the procedure to enable vCloud Director 10 for SAML authentication against Keycloak.
1. Check the prerequisites
- Your identity provider have to be SAML 2.0 compliant
- A XML file from your identity provider with the following Information is necessary
- Location of the single Sign-On service
- Location of the single logout service
- Location of the services X.509 certificate
2. Configure vCloud Director 10 for SAML
Choose Administration from the main menu and switch to the SAML tab under Identity Providers. Here you are able to see the current SAML configuration. The next step is to click Edit and a new window will open located at the tab Service Provider as you can see in the following picture.
Here it is necessary to provide an Entity ID which is unique to your Keycloak authentication realm.
After you provided the Entity ID, you need to download the Metadata under the download link shown in the above picture as well.
Warning: Double check the certificate expiration date and regenerate it, if expiration date is nearly reached. Keep in mind to download the metadata again if you regenerated the certificate.
3. Provide the downloaded metadata of vCloud Director SAML configuration to the identity provider
At first login to Keycloak as admin and choose the authentication realm, which should be responsible for vCloud Director SAML authentication. Afterwards switch to the tab Clients and click Create at the upper right side of the page. At the upcoming page click Select File and provide the metadata XML downloaded from vCloud Director, and click Save. This will result in a newly created client named as the entity ID configured inside the vCloud Director SAML setup, which will cover the SAML authentication for vCloud Director. A example is shown below.
4. Provide the SAML endpoint metadata of the identity provider (Keycloak Realm) to the vCloud Director SAML configuration
Logged in to Keycloak make sure you are in the context of the realm, which should be used for vCloud Director authentication. Then click Realm Settings and Download the endpoint metadata under SAML 2.0 Identity Provider Metadata. Below a screenshot as example.
After successful download of the Keycloak realm endpoint metadata, this data needs to be uploaded to the vCloud Director SAML configuration. Therefore login to vCloud Director and switch to the SAML configuration as already described above.
Now click Edit switch the tab to Identity Provider, enable the button for
5. Create a User in Keycloak local user directory or inside your central user directory and map a vCloud Director role to it
The created users needs a configured e-mail address for mapping inside vCloud Director against the vCloud Director specific user roles.
In this example I will create a local Keycloak user and map it inside vCloud Director.
At first login to Keycloak, choose the correct realm, switch to Users and click Add User. At the upcoming site provide the username and e-mail address, click Save and afterwards update the user credentials to set the a password.
Now switch back to the vCloud Director and choose the tab Users. At the Users tab click Import Users choose SAML as Source in the upcoming window provide the users e-mail address in the tab of Enter the user names and choose the role you want to assign. A example is shown in the following picture.