vCloud Director 10 – SAML Authentication with Keycloak as Identity Provider

Steven Schramm
16 December 2019

This article describes how to configure vCloud Director 10 to authenticate via Keycloak using SAML.

If a provider offers its customers access to several systems, it helps to offer one central system for authentication. The benefits are reduced configuration effort, less complicated troubleshooting, and the option to implement single sign-on.

The following describes the implementation of single sign-on with Keycloak; the user database is queried via LDAPS. On the front end, Keycloak provides the customer with several authentication methods, e.g. SAML and OpenID.

In detail, this article covers configuring vCloud Director 10 to authenticate against a SAML identity provider using Keycloak.

1. Check the prerequisites

  • Your identity provider has to be SAML 2.0 compliant
  • An XML file from your identity provider with the following information is necessary
    • Location of the single sign-on service
    • Location of the single logout service
    • Location of the service's X.509 certificate
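
A check of an identity provider metadata file against the prerequisites listed above, as an added example that is not part of the original article. The sample metadata, host name, realm and certificate bytes are constructed, and the https requirement and the DTD rejection are added hardening checks, not requirements stated in the article.

```python
import base64
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: host, realm and certificate bytes are placeholders, not real values.
FAKE_CERT = base64.b64encode(b"\x30\x0bconstructed").decode()
SAMPLE = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://idp.example.test/realms/demo/protocol/saml"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleSignOnService Location="https://idp.example.test/realms/demo/protocol/saml"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means all three prerequisites are met."""
    # SAML metadata never needs a DTD, so refuse it before the parser sees it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present: refuse to parse"]
    root = ET.fromstring(xml_text)
    idp = next(root.iter(MD + "IDPSSODescriptor"), None)
    if idp is None:
        return ["no IDPSSODescriptor: this is not identity provider metadata"]
    problems = []
    for label, tag in (("single sign-on", "SingleSignOnService"),
                       ("single logout", "SingleLogoutService")):
        urls = [e.get("Location", "") for e in idp.iter(MD + tag)]
        if not urls:
            problems.append(f"missing {label} service location")
        problems += [f"{label} location is not https: {u}"
                     for u in urls if not u.startswith("https://")]
    certs = ["".join((e.text or "").split()) for e in idp.iter(DS + "X509Certificate")]
    if not certs:
        problems.append("missing X.509 certificate")
    for c in certs:
        try:
            der = base64.b64decode(c, validate=True)
        except ValueError:
            der = b""
        if not der.startswith(b"\x30"):  # DER certificates begin with an ASN.1 SEQUENCE
            problems.append("X.509 certificate is not valid base64-encoded DER")
    return problems
```

Run `check_idp_metadata` on the text of the metadata file before uploading it; it checks structure only and does not validate the certificate chain or its expiration date.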

2. Configure vCloud Director 10 for SAML

Choose Administration from the main menu and switch to the SAML tab under Identity Providers. Here you can see the current SAML configuration. Next, click Edit; a new window opens on the Service Provider tab, as you can see in the following picture.


Here it is necessary to provide an Entity ID which is unique to your Keycloak authentication realm.
After you have provided the Entity ID, download the metadata via the download link, which is also shown in the picture above.
Warning: Double-check the certificate expiration date and regenerate the certificate if the expiration date is near. Remember to download the metadata again if you regenerated the certificate.

3. Provide the downloaded metadata of vCloud Director SAML configuration to the identity provider

First, log in to Keycloak as admin and choose the authentication realm that should be responsible for vCloud Director SAML authentication. Then switch to the Clients tab and click Create at the upper right of the page. On the next page, click Select File, provide the metadata XML downloaded from vCloud Director, and click Save. This creates a new client named after the entity ID configured in the vCloud Director SAML setup, which will handle the SAML authentication for vCloud Director. An example is shown below.


4. Provide the SAML endpoint metadata of the identity provider (Keycloak Realm) to the vCloud Director SAML configuration

While logged in to Keycloak, make sure you are in the context of the realm that should be used for vCloud Director authentication. Then click Realm Settings and download the endpoint metadata under SAML 2.0 Identity Provider Metadata. A screenshot is shown below as an example.


After the Keycloak realm endpoint metadata has been downloaded successfully, it needs to be uploaded to the vCloud Director SAML configuration. To do so, log in to vCloud Director and switch to the SAML configuration as described above.
Now click Edit, switch to the Identity Provider tab, enable the button for

5. Create a user in the Keycloak local user directory or inside your central user directory and map a vCloud Director role to it

The created users need a configured e-mail address for mapping inside vCloud Director against the vCloud Director specific user roles.
In this example I will create a local Keycloak user and map it inside vCloud Director.

First, log in to Keycloak, choose the correct realm, switch to Users and click Add User. On the next page, provide the username and e-mail address, click Save, and afterwards update the user credentials to set a password.

Now switch back to vCloud Director and choose the Users tab. On the Users tab, click Import Users and choose SAML as Source. In the window that opens, provide the user's e-mail address in the Enter the user names tab and choose the role you want to assign. An example is shown in the following picture.