SSO authentication for VMware Cloud Director based on a Gluu 4 server

SSO (single sign-on) authentication gives you a single entry point to all the services you use. In this article we want to share an implementation of SSO for VMware Cloud Director.

The authentication provider (IdP) is Gluu Server 4.5 Final. We will not cover installing it, since that is described in the official Gluu 4.5 Final documentation, which you can consult via the link.

Authentication in vCloud Director is carried out over the SAML protocol. Gluu 4.5 Final uses Shibboleth IdP version 3; more details are in the Shibboleth wiki.

The SAML SSO authentication flow is as follows:

First you open your VCD tenant URL, https://vcd.domain.ru/tenant/name_tenant. You are redirected to the authentication provider (IdP), where you enter the login and password of your vCloud Director user.

After successful authentication the IdP sends a signed SAML assertion back to VCD, which lets you into the VCD cloud control panel. For vCloud Director to redirect you to the Gluu server, and for the Gluu server to be able to log you into VCD, a trust relationship (Trust Relationship) must be established between VCD and the Gluu server.

VMware Cloud Director can accept a number of attributes from the Gluu server. In practice it is enough to pass only two of them to VCD: the email address and the custom attribute vcdnameid, which also acts as the NameID for vCloud Director.

Creating a custom vcdnameid attribute

The custom attribute vcdnameid will also be used as the NameID (identifier), and it lives in our LDAP schema. Only a custom attribute can act as the NameID. For details, refer to the official documentation. The attribute is defined in the LDAP schema through an ldif file and is created with the string type; the Gluu instructions describe this in more detail.

Establishing trust

Now we need to establish a trust relationship (Trust Relationship) between vCloud Director and the Gluu server. To do this, open https://your_idp/idp/shibboleth in the browser and save the page that opens as an xml file: this is the IdP metadata.

Then open the Administration settings in vCloud Director and go to the SAML tab there. Press EDIT as in the image below:

If the certificate has expired, it can be regenerated on the Service Provider tab. Then enable SAML and upload the IdP metadata xml file saved earlier. How this is done is shown in the images below.

Regenerating the certificate

Uploading the IdP metadata xml file

After enabling SAML, you need to import SAML users into vCloud Director. To do this, go to the Administration settings, open Users and press the Import Users button.

Enter the username in the form of an email address and assign the user a role in VCD:

Next, return to the SAML settings and follow the link shown in the Metadata field. Save the page as an xml file: this is the VCD service provider (SP) metadata.

Let’s look at the SP metadata xml file saved from the vCloud Director link. It shows that VCD supports the NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

It is in this format that we will pass the attributes to VCD, as well as the identifier (NameID) vcdnameid.
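Before touching the IdP side it is worth confirming, from the saved file rather than by eye, that the SP really advertises the emailAddress NameID format, requires signed assertions and carries a signing certificate. The script below is an added example (not from the original post, and not VMware's or Gluu's code); it uses only the Python standard library, and the embedded metadata is a constructed sample that mirrors the shape of vCD SP metadata with placeholder host name, org name and certificate body.

```python
"""Parse the SP metadata saved from the vCloud Director Metadata link and check
that it matches the IdP settings described in the post.  Added example, not code
from the post, VMware or Gluu.  Runs offline on the saved xml file."""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample mirroring the shape of vCD SP metadata.  Host name, org
# name and certificate body are placeholders, not values from a real VCD.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://vcd.example.test/cloud/org/tenant1/saml/metadata/alias/vcd">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vcd.example.test/login/org/tenant1/saml/SSO/alias/vcd"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the fields that matter for the IdP-side configuration."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not SAML metadata, root element is %s" % root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is IdP metadata, not the VCD SP file")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # a KeyDescriptor without 'use' serves both signing and encryption
        if kd.get("use") in (None, "signing"):
            certs += kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "nameid_formats": [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)],
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
        "signing_certs": len(certs),
    }


def check_sp(meta, nameid_format=EMAIL_FORMAT):
    """Return a list of problems; an empty list means the SP accepts what the
    IdP will send (emailAddress NameID, signed assertions over HTTPS POST)."""
    problems = []
    if nameid_format not in meta["nameid_formats"]:
        problems.append("SP does not advertise NameID format %s" % nameid_format)
    if not meta["want_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    if not any(b.endswith(":HTTP-POST") and loc.startswith("https://")
               for b, loc in meta["acs"]):
        problems.append("no HTTPS HTTP-POST AssertionConsumerService")
    if meta["signing_certs"] == 0:
        problems.append("no signing certificate in metadata (regenerate it on the Service Provider tab)")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    meta = parse_sp_metadata(text)
    print("entityID:", meta["entity_id"])
    print("NameID formats:", *meta["nameid_formats"], sep="\n  ")
    for p in check_sp(meta):
        print("PROBLEM:", p)
```

Run it as `python3 check_sp_metadata.py vcd-sp-metadata.xml` against the file saved from the Metadata link; with no argument it runs over the constructed sample. It deliberately does not parse the certificate itself: to check the expiry mentioned above, paste the base64 body between BEGIN/END CERTIFICATE lines and run `openssl x509 -noout -enddate` on it.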

Now you can start configuring the Gluu server side. But there is one point you need to pay attention to.

vCloud Director requires an attribute named EmailAddress, as we said above. Here it is worth digging a little deeper and understanding what the Name and Display Name parameters of an attribute on the Gluu server mean.

  • The Name parameter is the attribute’s internal name, used within the Gluu server.

  • The Display Name parameter is the attribute name that is passed to vCloud Director.

By default Gluu has an attribute with the internal name mail and the Display Name Email, which can serve as the attribute required by vCloud Director. Its Display Name must be changed to the value EmailAddress.

To do this, open the Gluu management web interface and go to Configuration → Attributes. Then open the settings of the attribute named mail and change the Display Name field to EmailAddress.

Next, go to SAML → Trust Relationships and press the Add Relationship button to add a new trust relationship.

Fill in the Display Name and Description fields according to your tenant name in vCloud Director. In the Entity Type field select Single SP. In the Metadata Location field select File and upload the SP metadata xml file that was saved from vCloud Director.

From the gluuPerson tab add the EmailAddress attribute, and from the gluuCustomPerson tab add the vcdnameid custom attribute we created earlier to our trust relationship. These attributes will be passed to vCloud Director.

After that, click Add and wait about five minutes for the trust relationship to be established. Wait until the Validation Status of the trust relationship becomes Success.

Adding the vcdnameid attribute as the NameID (identifier)

Now let’s add the custom attribute vcdnameid as the identifier (NameID). The official documentation is available via the link.

So, in the Gluu web interface go to SAML → Configure Custom NameID

and create a NameID with the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Setting up the NameID format in the relying party

Open the settings of our trust relationship. Tick Configure Relying Party and go to its settings as in the image below.

Choose the SAML profile SAML2SSO.

Set the NameID format for vcdnameid to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

To do this, open the SAML2SSO profile settings and select the format we need.

Changing the format of generated SAML attributes for VCD

Now we need to work on the Gluu server command line to change the format of the attributes generated by the Gluu server to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

Connect to the Gluu server via ssh or the console. For this we need to create the template file attribute-resolver.xml.vm, since after installing the Gluu server and its initial configuration this file is absent from the system.

This template generates the attribute resolution file attribute-resolver.xml. The file can be taken from the link on GitHub. It must be placed in /opt/gluu/jetty/identity/conf/shibboleth3/idp.

Set the owner user and owner group of this file with the command:

chown jetty:gluu attribute-resolver.xml.vm

Grant full rights to the owner user and owner group with the command (a template is never executed, so 660 is sufficient if you prefer to drop the execute bit):

chmod 770  attribute-resolver.xml.vm

In this file you need to uncomment the lines starting with

<!--AttributeEncoder

and add

nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

to the attribute definitions inside the loop

#foreach( $attribute in $attrParams.attributes )

After that, you need to restart the idp and identity services with the commands:

systemctl restart idp

systemctl restart identity
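Editing the Velocity template by hand is error-prone and easy to get wrong on a second pass (double-uncommenting, or adding nameFormat twice). The script below is an added example, not from the original post and not part of Gluu: it performs the edit described above (uncomment the AttributeEncoder lines inside the #foreach loop and add nameFormat to the SAML2String encoders) idempotently, tracking Velocity #foreach/#if nesting so an #if inside the loop does not end it early. The embedded SAMPLE_TEMPLATE is a constructed, shortened stand-in for the real Gluu template; the real file has more definitions but the same Velocity/XML shape, and its exact markup may differ.

```python
"""Enable the commented-out AttributeEncoder elements inside the
#foreach( $attribute in $attrParams.attributes ) loop of attribute-resolver.xml.vm
and add nameFormat to the SAML2String encoders.  Added example, not Gluu's code.
SAMPLE_TEMPLATE is a constructed stand-in for the real template."""
import re
import shutil
import sys

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: one definition outside the loop (must stay untouched) and
# the loop with a nested #if, as in the shape of the real Gluu template.
SAMPLE_TEMPLATE = """\
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <AttributeDefinition xsi:type="Simple" id="transientId" sourceAttributeID="transientId">
        <!--AttributeEncoder xsi:type="SAML2String" name="transientId" encodeType="false" /-->
    </AttributeDefinition>
#foreach( $attribute in $attrParams.attributes )
    #if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('persistentId')) )
    <AttributeDefinition xsi:type="Simple" id="$attribute.name" sourceAttributeID="$attribute.name">
        <Dependency ref="siteLDAP"/>
        <!--AttributeEncoder xsi:type="SAML1String" name="$attribute.name" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="$attribute.name" friendlyName="$attribute.name" encodeType="false" /-->
    </AttributeDefinition>
    #end
#end
</AttributeResolver>
"""


def enable_encoders(template, name_format=EMAIL_FORMAT):
    """Return the edited template.  Idempotent: running it twice changes nothing."""
    out = []
    depth = 0          # nesting depth of Velocity #foreach/#if blocks
    loop_depth = None  # depth at which the $attrParams.attributes loop opened
    for line in template.splitlines(keepends=True):
        s = line.strip()
        if s.startswith(("#foreach(", "#if(")):
            depth += 1
            if s.startswith("#foreach(") and "$attrParams.attributes" in s:
                loop_depth = depth
        elif s == "#end":
            if depth == loop_depth:
                loop_depth = None
            depth -= 1
        elif loop_depth is not None and "AttributeEncoder" in line:
            # strip the comment markers that disable the encoder pair
            line = line.replace("<!--AttributeEncoder", "<AttributeEncoder")
            line = re.sub(r"/\s*-->", "/>", line)
            # nameFormat is a SAML2String option; SAML1String uses 'namespace' instead
            if 'xsi:type="SAML2String"' in line and "nameFormat=" not in line:
                line = re.sub(r"\s*/>", ' nameFormat="%s" />' % name_format, line, count=1)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(enable_encoders(SAMPLE_TEMPLATE))
    else:
        # e.g. /opt/gluu/jetty/identity/conf/shibboleth3/idp/attribute-resolver.xml.vm
        path = sys.argv[1]
        shutil.copy2(path, path + ".bak")  # keep a backup before editing in place
        with open(path) as f:
            original = f.read()
        with open(path, "w") as f:
            f.write(enable_encoders(original))
```

Run it with the template path as the only argument; it writes a .bak copy first and preserves ownership of the existing file because it rewrites in place. Re-check the owner and mode afterwards and restart idp and identity as above.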

Creating a user on the Gluu server

Next, you need to create a user on the Gluu server with the same username as the user we imported into vCloud Director earlier. To do this, in the Gluu web interface go to Users → Add person

And add two attributes to the set of attributes for the user:

  1. “vcdnameid” attribute from gluuCustomPerson tab

  2. “Locale” attribute from gluuPerson tab

Fill in all the fields. In the Username, Email Address and vcdnameid fields enter the user’s email address that we entered when importing the user into vCloud Director. In the First Name field enter the user’s first name and in Last Name the user’s last name. In Display Name specify the tenant name you set at the trust creation step. Specify “ru” in the Locale field. Then save the settings. The user has been created.

Connecting to a VCD

Now you can try to enter the cloud. Enter https://your_vcd/tenant/your_tenant/ in the browser. You should be redirected to the Gluu server.

As you can see, the Gluu server asks for the user’s username and password. We log in and land in vCloud Director:

By default the Gluu server uses password authentication (login and password). If necessary, you can set up two-factor authentication.

Thank you for your attention!
