vCloud Director and Microsoft AD FS (Active Director Federation Service) authentication.

The purpose of this document is to provide configuration of the AD FS service to authenticate vCloud Director users on the Organization level.

I would like to thank to Johan Bogema for his input in this procedure. Further information on SAML authentication with vCloud Director can be found on his blog.
http://www.bogema.eu/saml-authentication-failed-organization/

Requirements:

– Windows Server 2008/2012
– Active Directory service installed
– Active Directory Federation Service Installed
– IIS installed
– VMware vCloud Director 5.1/5.5/5.6

AD FS installation

1. Open Server manager to add AD FS role on Windows Server.

image

2. Click next.

image

3. Choose Role-based or feature-based installation

image

4. Select the server that you wish to use of AD FS role.

image5. Choose Active Directory Federation Services from the list

image

6. Accept additional roles that are required for AD FS.

image

7. Leave defaults and click Next

image

8. Accept defaults.

image

9. Click install to add AD FS role.

Generating IIS certificate

Before configuring AD FS, the self-signed or signed certificate has to be generated for IIS server.

1. Open Internet Information Services (IIS) Manger

image

2. Click on the server in the left pane and choose Server Certificates

image

3. Create Self-Signed or Signed certificate. (Self-Signed certificate will be used for this procedure)

image

image

AD FS configuration

1. Run AD FS Management tool.

image

2. Run AD FS Federation Server Configuration Wizard

image

3. Choose Create a new Federation Service

image

4. Next choose Stand-Alone federation server.

image

5. Choose SSL certificate and click next to complete the configuration.

image

vCloud Director configuration

1. Verify that vCloud Director and AD FS server have exactly the same time. Even the small difference will fail the login process.

2. Download SAML metadata XML file from AD FS server by following the link below.

https://<ADFS Server URL>/FederationMetadata/2007-06/FederationMetadata.xml

3. Go to vCloud Director Web UI and open the target Organization. Choose Administration and next Federation.

4. Click on Use SAML Identity Provider and next on Browse to add xml file downloaded from AD FS server.

5. Verify if the certificate is not expired. If it is click on Regenerate to issue the new one.

6. The final Federation setup window should look like the following example. Apply the changes.

image

 

Creating Relying Party Trusts in AD FS service.

1. If the vCloud Director has self-signed certificate, download the certificate and install in the AD FS keystore as Trusted Root CA and Third Party Trusted Root CA.

2. Run AD FS Management tool.

image

3. Choose Relying Party Trusts in the left pane.

image

4. Choose Add Relying Party Trust… in the right pane.

image

5. Choose first option and enter the following template link.

https://<vcloud.domain.com>/cloud/org/<organizationname>/saml/metadata/alias/vcd

image

6. Accept the warning.

image

7. Give the display name that will identify the target organization.

8. Choose Permit all users to access this relying party

9. Click Next to complete the configuration.

10. Finish the wizard, and then go ahead to edit the properties of the Relying Party Trust you just created. In the Advanced tab, you have to change the Secure hash algorithm to SHA-1.

11. Click on the configured Relying Party Trust and choose Edit Claim Rules… in the right pane.

image

12. Click on Add Rule… in Issuance Transform Rules tab.

image

13. Select Send LDAP Attributes as Claims and click Next.

image

14. Name the rule. Choose Active Directory in Attribute store field. Set the mapping as per following screenshot. Click Finish.

image

15. Add another rule and choose Transform an Incoming Claim as Claim rule template. Fill in as follows and click Finish once completed.

image

Bits and pieces.

1. Import SAML users to Organization and test login process.

2. ADFS authentication process will use “username@domain.com” login format. It will compare email address that is in properties of the AD account and SAML user name from vCloud Director. If AD account will be missing the email address value the authentication will fail on the vCD side. 

3. The AD FS default login window will be Windows like form. This can be changed to Web Form view by:

a. editing C:\inetpub\adfs\ls\web.xml file and changing following items.

– <authentication mode=”Forms” />

– <localAuthenticationTypes>

<add name=”Forms” page=”FormsSignIn.aspx” />

<add name=”TlsClient” page=”auth/sslclient/” />

<add name=”Basic” page=”auth/basic/” />

</localAuthenticationTypes>

b. enabling Form Authentication and disabling Windows Authentication on ls website as per following screenshots.

image image

4. If the Federation Certificate in Organization will be regenerated the change has to be applied to the corresponding Relying Party Trust by choosing Update from Federation Metadata… in AD FS Manager tool.

image

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

21 Responses to vCloud Director and Microsoft AD FS (Active Director Federation Service) authentication.

  1. Billy says:

    Hi, im encountering issues related to SAML authentication. What Windows version are you using Windows 2012 or Windows 2012 R2? What vCloud Director version also? Appliance or the Bin installation. Thanks.

    Like

    • Hi Billy,

      This was tested on Windows Server 2008 R2, 2012 and 2012 R2 with self signed certificates on ADFS and vCloud Director side.
      vCloud Director versions were 5.5.2 and 5.6.3. Both were Bin as Appliance should be used only of proof of concept.
      What errors do you see in the ADFS server and vCloud Director debug logs?

      Regards
      Pawel

      Like

  2. Billy says:

    Here’s the error screenshots that im getting: 1. http://picpaste.com/SAML-ERR1-LRex6qbV.JPG ; 2. http://picpaste.com/SAML-ERR2-KlGLq3k4.JPG ; 3. http://picpaste.com/SAML-ERR3-YHPcNjbJ.JPG / I’ve also check the time for the VMs (AD, ADFS, VC, VCD) everything are in sync. I’ll post the error that im getting here. Initially im using the VCD appliance, 5.6.3 and Windows 2012 R2. I’ll try to use the Full Bin installation, maybe that would make a difference.

    Like

    • Billy,

      According to the screenshots it looks like the issue is in vCloud Director as ADFS passes the authentication.
      Please connect to vCloud Director command line and look for errors in vcloud-container-debug.log file that is located in /opt/vmware/vcloud-director/logs/.

      Is vCloud Director uses external NTP server or local? Is it the same as ADFS server?

      Regards
      Pawel

      Like

      • Billy says:

        Im configuring the ADFS now using your steps and integrate it with VCD for the SAML part. I’ll configure VCD to use an external NTP, same with VC and AD to make sure no issues with time. I’ll post the errors here in the log file if i get the same. Im using Windows 2012 Standard Edition for AD & ADFS + vmware-vcloud-director-5.5.2-2233543 with vCenter 5.5.20400 appliance . Crossing my fingers!

        Like

  3. Billy,

    I’ve found that procedure is missing one step.
    The user account that is used for SAML authentication has to have an email address in the email filed of the AD user properties.

    The Claim Rules that are configured in Relaying Party Trust are matching email address of the AD account through LDAP queries and Organization Administrator that was added as SAML user.
    The format on both sides has to be “username@domain.local”.

    Regards
    Pawel

    Like

    • Billy says:

      Got it. Will make sure to configure the email address field of the AD user property. Im still doing the integration of ADFS & VCD. Will post immediately any issues that im encountering. I’ve make sure VMware Tools are all installed in the VMs (AD, ADFS & VCD). Same thing also in configuring external NTP for AD, VC & VCD.

      Like

      • Billy,

        The best would be to have all VMware products pointed to the same nearest internal NTP server and then configure that internal NTP server to source time information from the external one. With this scenario any external network outages won’t affect time sync internally.

        Regards
        Pawel

        Like

      • Billy says:

        Got it. For the logs any idea, where can i upload it for analysis? It might be too big for me to post everything here. I’ll upload again the error screenshot once i get it.

        Like

  4. Billy says:

    My First Error, opening the ADFS page: http://picpaste.com/SAML-Error1-ElhxJl5m.JPG

    Like

  5. Billy says:

    Will try to install ADFS, i think this error is related to it, not completing the installation properly. Though it seems OK, server manager hang on the last minute of the installation and i forcibly close it, maybe it wasnt able to install all the needed files.

    Like

  6. Billy says:

    Login is OK -> http://picpaste.com/SAML-Logon-HHyqAjoU.JPG / Got this Error after selecting VSS OrgVDC Portal -> http://picpaste.com/SAML-Error3-M47OS6JY.JPG / I’ll check the logs.

    Like

  7. Billy says:

    Here’s the VCD logs that i have -> http://wikisend.com/download/841514/VCD-logs.zip

    Liked by 1 person

    • Billy,

      I’ve checked the logs and I’ve found the following errors in vcloud-container-debug.log.

      2015-03-11 02:48:33,928 | ERROR | pool-jetty-85 | CertPathPKIXTrustEvaluator | PKIX path construction failed for untrusted credential: [subjectName=’CN=ADFS Signing – SSO.adfs.lab’]: unable to find valid certification path to requested target |
      2015-03-11 02:48:33,929 | ERROR | pool-jetty-85 | SignatureValidationFilter | Signature trust establishment failed for metadata entry http://SSO.adfs.lab/adfs/services/trust |
      2015-03-11 02:48:33,930 | ERROR | pool-jetty-85 | AbstractReloadingMetadataProvider | Error filtering metadata from vss |
      org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

      According to that your SSL certificate of SSO server has incorrect CN entry. The vCD is looking for “CN=ADFS Signing – SSO.adfs.lab” instead of “CN=SSO.adfs.lab”. You should re-generate the SSL certificate with the correct CN value. Be aware that CN has to always match FQDN or IP address of the server.
      Once you fix the SSL cert, you will have to present it to ADFS again.

      Regards
      Pawel

      Like

  8. fnkrstatt says:

    Hello,

    I am using vCloud SAML now in our organization. I configured it by sending the Group-membership as a claim type. Users are now automatically added if they are member of one of the 3 service level groups i configure in vCloud. This all works perfect thanks to your article!

    Although i have one problem which i cant seem to fix. A user is automatically added but the contact info like Full Name, Mobile Phone are not filled in. How can i configure ADFS to send the claim types like Display-Name so vCloud fills this in the contact info? I already tried custom claim rules like:

    => issue(Type = “FullName”, Value = “Max”);

    It seems the only claim that is working and added to the user details is Name ID. This is being used as e-mail address and username.

    Hope you can help me!

    Max

    Liked by 1 person

    • Pawel says:

      Just to let everyone know, this issue has been resolved in vCloud Director 5.6.5 and 8.0. There is no information about the next version of vCD 5.5 so upgrade is the only option for now.

      Like

    • Hey Max, we are trying to do the same you are doing. Can you help us in how you exactly send the Group Membership to the vCloud. Are you setting the SAML User in vCloud to the Role “Defer to identity” and use “Organization Administrator” as a claim or did you import a SAML group like “orgusers” and set a role “Organization Administrator” for this group and send the claim type “orgusers” over?
      Thank you for your help

      Like

  9. Pingback: vCloud Director and SAML Federation – Funky Cloud Medina

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s