I had a few issues getting vCloud Director and SAML federation playing nicely. By issues, I mean there wasn’t an explicit how-to in VMware’s doco. The big issues were group-based authentication and authenticating against a user’s email address instead of their UPN.
Using the following article from pablovirtualization I was able to get vCloud Director federated to an ADFS SAML endpoint.
This allowed users to login using their UPN. That’s all well and good until you need users to log into their account using their email address which may differ from their UPN.
Enable login via email address
First, if you haven’t already due to some other requirement, allow your ADFS deployment to use the ‘mail’ attribute as an alternate login ID:
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests {your forest FQDN here, e.g. contoso.corp}
Now, one brief difference from Pablo's steps: when configuring the NameID transform rule, set the outgoing name ID format to "Email" instead of "Unspecified".
Group-based authentication
While you're still adding transform rules, make sure you add the group rule too, the one that issues the user's group memberships as a claim:
Now all you have to do is enter the group name when importing groups in vCloud Director. Any users that are a member of that group will be able to login and receive the role specified when importing the group.