Milos and I tested an integration between VMware vCloud Director (VCD) and Microsoft's SSO implementation, ADFS, installed on Windows Server 2012 R2. We used this ARTICLE in Dutch as guidance.
1. Install ADFS role on 2012 R2 Server
2. Plan a name for the ADFS service. The name cannot be the same as the server name: if your server is called server1.yourdomain.com, call the ADFS service sso.yourdomain.com, for example. Think about the external name as well if applicable. Request a certificate with EKU = Server Authentication (from the Web Server template) for the server. ADFS supports wildcard certificates, or you can add all your ADFS service names to the certificate as Subject Alternative Names (SANs).
3. Create a service account for ADFS or use a Group Managed Service Account (gMSA).
3.1 To create a gMSA:
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount FsGmsa -DNSHostName server1.yourdomain.com -ServicePrincipalNames https/server1.yourdomain.com
3.2 Create a test user in AD and set its e-mail address. The e-mail address is important: it will be used for the claims.
3.3 Add the KDS Root Key (if not already added in 3.1):
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
3.4 Go to the ADFS role and click Additional Configuration Required. Configure ADFS (default configuration with the Windows Internal Database).
3.5 Add sso.yourdomain.com to your DNS to be sure that both VCD and the clients can resolve it.
4. After installation, go to https://sso.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml and save the file.
——————— VCD SIDE ———————
5. Log on to VCD as administrator at https://vcd.yourdomain.com/cloud/org/yourorg/.
6. Go to Administration – Federation
7. Select SAML Identity Provider
8. Copy the content of the XML file saved in step 4.
9. Go to User Management – Import Users and import the user as a SAML user with a Name ID matching the e-mail address of the user in Active Directory, for example user@yourdomain.com
10. Open Internet Explorer, navigate to https://vcd.yourdomain.com/cloud/org/yourorg/saml/metadata/alias/vcd and save the file.
11. Copy the vcd file to the ADFS server as vcd.xml
——————— ADFS PART ———————
12. Configure the Relying Party Trust
12.1 Log on to the ADFS server as a Domain Administrator
12.2 Open the ADFS Management Console
12.3 Right-click “Relying Party Trusts” and select “Add Relying Party Trust”
12.4 Click Start
12.5 Select “Import data about the relying party from a file” and point the wizard to the file saved in step 11
12.6 Click OK in the warning window
12.7 Add a Display name (for example VCD)
12.8 Do not add multi-factor authentication or rules; just finish the wizard.
12.9 Right-click the newly created Relying Party Trust and select Properties
12.10 Under the Advanced tab switch the Hash Algorithm to SHA-1
13. In the original article this step is marked as optional, but we found the integration does not work without it. So, open PowerShell as Administrator and run (the TargetName is the display name you chose in step 12):
Add-PSSnapin Microsoft.Adfs.Powershell <—– not required on Server 2012 R2
Set-ADFSRelyingPartyTrust -TargetName "vCD" -EncryptClaims $False
14. Configure the ADFS claims
14.1 Right-click the Relying Party Trust created in step 12 and select Edit Claim Rules
14.2 Click Add Rule
14.2.1 Select “Send LDAP Attributes as Claims”; click Next
14.2.2 Add a Claim Rule Name (for example “LDAP Attribute E-Mail Address”)
14.2.3 Select Active Directory as the Attribute Store
14.2.4 In the LDAP Attribute column select “E-Mail-Addresses”
14.2.5 In Outgoing Claim Type select “E-Mail Address”
14.2.6 Click Finish
14.3 Click Add Rule again
14.3.1 Select “Transform an Incoming Claim”; click Next
14.3.2 Add a Claim Rule Name (for example “Transform an incoming claim”)
14.3.3 In Incoming Claim Type select “E-Mail Address”
14.3.4 In Outgoing Claim Type select “Name ID”
14.3.5 Verify that “Pass through all claim values” is selected
14.3.6 Click Finish
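The same trust, claim rules and settings from steps 12 to 14 can be applied from the ADFS PowerShell module instead of the wizard, which also makes it easy to verify what was configured. This is an added example, not part of the original post; the file path, trust name and rule names are assumptions, and the rule text is the claim rule language the wizard itself generates for these two templates.

```powershell
# Added example: scripts steps 12-14 of the post with the ADFS module on Server 2012 R2.
# Assumptions: the VCD metadata from step 11 is at C:\temp\vcd.xml and the trust is named "VCD".
$trustName    = "VCD"
$metadataFile = "C:\temp\vcd.xml"

# Rule 1 reads the AD "mail" attribute and issues it as an E-Mail Address claim;
# rule 2 passes that value through as the SAML Name ID that VCD matches the imported user on.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attribute E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform an incoming claim"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Same issuance authorization rule the wizard creates by default ("Permit Access to All Users");
# without any authorization rule ADFS would deny every logon to this trust.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 12: import the relying party trust from the metadata file saved from VCD.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# The SHA-1 hash algorithm from step 12 and the unencrypted claims from step 13.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -EncryptClaims $false

# Check: the trust is enabled, does not encrypt claims and carries both rule names.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$ok = ($trust.Enabled -and
       (-not $trust.EncryptClaims) -and
       ($trust.IssuanceTransformRules -match "LDAP Attribute E-Mail Address") -and
       ($trust.IssuanceTransformRules -match "Transform an incoming claim"))
if (-not $ok) { throw "Relying party trust '$trustName' is not configured as expected" }
```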
At this point you should have two rules like this:

ADFS is now configured and you should be able to log on to VCD via ADFS.