This document describes how to configure the AD FS service to authenticate vCloud Director users at the Organization level.
I would like to thank Johan Bogema for his input into this procedure. Further information on SAML authentication with vCloud Director can be found on his blog.
– Windows Server 2008/2012
– Active Directory service installed
– Active Directory Federation Service Installed
– IIS installed
– VMware vCloud Director 5.1/5.5/5.6
AD FS installation
1. Open Server Manager to add the AD FS role on Windows Server.
2. Click Next.
3. Choose Role-based or feature-based installation.
4. Select the server on which you wish to install the AD FS role.
6. Accept the additional roles that are required for AD FS.
7. Leave the defaults and click Next.
8. Accept the defaults.
9. Click Install to add the AD FS role.
Generating IIS certificate
Before configuring AD FS, a self-signed or CA-signed certificate has to be generated for the IIS server.
1. Open Internet Information Services (IIS) Manager.
2. Click on the server in the left pane and choose Server Certificates.
3. Create a self-signed or CA-signed certificate. (A self-signed certificate is used in this procedure.)
AD FS configuration
1. Run the AD FS Management tool.
2. Run the AD FS Federation Server Configuration Wizard.
3. Choose Create a new Federation Service.
4. Next, choose Stand-alone federation server.
5. Choose the SSL certificate and click Next to complete the configuration.
vCloud Director configuration
1. Verify that the vCloud Director and AD FS servers have exactly the same time. Even a small difference will make the login process fail.
2. Download the SAML metadata XML file from the AD FS server using the link below.
https://<ADFS Server URL>/FederationMetadata/2007-06/FederationMetadata.xml
3. Go to the vCloud Director Web UI and open the target Organization. Choose Administration and then Federation.
4. Click Use SAML Identity Provider and then Browse to add the XML file downloaded from the AD FS server.
5. Verify that the certificate has not expired. If it has, click Regenerate to issue a new one.
6. The final Federation setup window should look like the following example. Apply the changes.
Creating Relying Party Trusts in the AD FS service
1. If vCloud Director uses a self-signed certificate, download the certificate and install it in the AD FS server's keystore as a Trusted Root CA and Third-Party Trusted Root CA.
2. Run the AD FS Management tool.
3. Choose Relying Party Trusts in the left pane.
4. Choose Add Relying Party Trust… in the right pane.
5. Choose the first option and enter the following template link.
6. Accept the warning.
7. Give a display name that will identify the target organization.
8. Choose Permit all users to access this relying party.
9. Click Next to complete the configuration.
10. Finish the wizard, then edit the properties of the Relying Party Trust you just created. In the Advanced tab, change the Secure hash algorithm to SHA-1.
11. Click on the configured Relying Party Trust and choose Edit Claim Rules… in the right pane.
12. Click Add Rule… in the Issuance Transform Rules tab.
13. Select Send LDAP Attributes as Claims and click Next.
14. Name the rule. Choose Active Directory in the Attribute store field. Set the mapping as per the following screenshot. Click Finish.
15. Add another rule and choose Transform an Incoming Claim as the Claim rule template. Fill it in as follows and click Finish once completed.
Bits and pieces
1. Import SAML users into the Organization and test the login process.
2. The AD FS authentication process uses the “firstname.lastname@example.org” login format. It compares the email address stored in the properties of the AD account with the SAML user name from vCloud Director. If the AD account is missing the email address value, authentication will fail on the vCD side.
3. The AD FS default login window is a Windows-like form. It can be changed to the web form view by:
a. editing the C:\inetpub\adfs\ls\web.xml file and changing the following items:
<authentication mode="Forms" />
<add name="Forms" page="FormsSignIn.aspx" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
b. enabling Forms Authentication and disabling Windows Authentication on the ls website as per the following screenshots.
4. If the Federation certificate of the Organization is regenerated, the change has to be applied to the corresponding Relying Party Trust by choosing Update from Federation Metadata… in the AD FS Management tool.