ADFS: Integration with VMWare Virtual Cloud Director

 

Milos and I tested an integration between VMWare Virtual Cloud Director (VCD) and Microsoft SSO implementation – ADFS installed on Windows Server 2012 R2. We used this ARTICLE in Dutch as a guidance.

1. Install ADFS role on 2012 R2 Server

2. Plan a name for ADS services. The name cannot be the same as the server name: if your server called server1.yourdomain.com call ADFS as sso.yourdomain.com  for example. Think abut external name if applicable. Request a certificate with EKU = Server Authentication (from WEB template) for the server. ADFS supports wildcard certificates or add all your ADFS service names to it as Subject Alternative Names (SANs)

3. Create an account for ADFS or use Group Managed Service Account (GMSA).

3.1 To create a GMSA:

Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount FsGmsa –DNSHostName server1.yourdomain.com -ServicePrincipalNames https/server1.yourdomain.com

3.1 Create a test user in AD and set its email. Email is important it will be used for claims.

4. Add KDS Root Key (if not added with GMSA)

Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10)

2. Go to ADFS roles and Click Additional Configuration Required. Configure ADFS (default configuration with Internal Database)

3. Add SSO.yourdomain.com to your DNS to be sure both VCD and Clients can resolve it.

4. After installation go to https://sso.yourdoamin.com/FederationMetadata/2007-06/FederationMetadata.xml and save it.

———————————   VCD SIDE   ———————————————-

5. Log on to VCD as administrator https://vcd.yourdomain.com/cloud/org/yourorg/.

6. Go to Administration-Federation

7. Select SAML Identity Provider

8. Copy content of XML file saved in step 4.

9. Go to User Management – Import Users and import a user as SAML User  with Name ID matching to e-mail of the user in Active Directory. For example user@yourdomain.com

10. Open Internet Explorer and navigate to https://vcd.yourdomain.com/cloud/org/yourorg/saml/metadata/alias/vcd save the file.

11. Copy vcd file to ADFS as vcd.xml

————————————————–  ADFS Part   ————————————————————–

12. Configure Relying Part Trust

12.1 login to ADFS as a Domain Administrator

12.2 Open ADFS Management Console

12.2 Right-Click “Relying Party Trust” and select “Add Relying Party Trust”

12.3 Click Start

12.4 Select “Import data about the relying party from a file and point the Wizard to the file saved in step 11

12.5 Click Ok in Warning Window

12.6 Add a Display name (for ex. VCD)

12.7 Do not add Multi-factor authentication or rules. Just finish the Wizard.

12.8 Right-Click newly created Relying Party Trust and select Properties

12.9 Under Advanced tab switch Hash Algorithm to SHA-1

i13. n original step it is marked as Optional but we found iintegration does not work without it. So, open PowerShell as Administrator and run:

Add-PSSnapin Microsoft.Adfs.Powershell       <—– NOT REQUIRED FOR Server 2012 R2
Set-ADFSRelyingPartyTrust -TargetName “vCD” -EncryptClaims $False

14. Configure ADFS Claims

14.1 Right-Click Relying Party Trust created in step 12. And select Edit Claim Rules

14.2 Click Add Rule

14.2.1 Select Send LDAP Attribute as Claims; Click Next

14.2.2 Add Claim Rule Name (for example “LDAP Attribute E-Mail Address”)

14.2.3 Select Active Directory as Attribute Store

14.2.4 In LDAP Attribute column select “E-mail Addresses”

14.2.5 In Outgoing Claim Type select “E-Mail Address”

14.2.6 Click Finish

14.3. Click Add Rule again

14.3.1 Select Transform an Incoming Claims; Click Next

14.3.2 Add Claim Rule Name (for example “Transform an incoming claims”)

14.3.3. In Incoming Claim type select “ E-MAil Address”

14.3.4 In Outgoing Claim Type select “Name ID”

14.3.5 Verify Pass through all claim values is selected

14.3.6 Click Finish

At this point you should have two rules like this:

 

ADFS is configured and you should be able to connect to VCD via ADFS

Advertisements