Entra ID SSO with VMware Cloud Director

Introduction

Customers with an Entra ID (formerly Azure Active Directory) environment can integrate this with their Nubis VMware Cloud Director environment to take advantage of Single Sign On (SSO) and Multi Factor Authentication (MFA).

Pre Requisities

Prior to reading this guide, please ensure you have read and completed the pre requisites in Single Sign On (SSO) with VMware Cloud Director.

Group Structure

Nubis recommends that you utilise security groups within Entra ID to control access to your VMware Cloud Director (VCD) environment. You will then be able to add or remove users by amending your group memberships, and not have to manage users in both Entra and VCD.

The exact structure of your security groups will need to be agreed within your organisation. As a starting point, we would suggest having a 1-1 mapping between security group and VCD role (e.g. Organisation Administrators).

To create security groups:

1. Login to your Entra ID admin portal and under Identity, select Groups then All Groups.

2. Select New group - here, we are creating a group called Nubis VCD - Organisation Administrators. Ensure the group type is set to Security and add any required members. 

SAML Application

With your group structure defined, you are now ready to create a SAML application.

1. Still in your Entra admin portal, under Identity, then Applications, select Enterprise applications.

2. Press New application and then Create your own application.

3. Provide a name for your application (we are creating an app called Nubis VCD) and select the Non-gallery application type option:

4. Once your application has been created, you will be able to assign users and groups to it. We recommend that you use assign the groups previously created, to streamline ongoing administration of your SSO integration.

Use the Assign users and groups option:

and then press Add user/group to assign the security groups you previously created.

5. Return to the Overview option for your application, and use the Set up single sign on option:

6. When prompted to select a single sign-on method, choose SAML:

6. Press Upload metadata file and locate the XML configuration file you previously downloaded from the SAML configuration page in Cloud Director (filename spring_saml_metadata.xml). A Basic SAML Configuration popup will appear; no further configuration is required here; simply press the Save button to commit the configuration:

7. The Set up Single Sign-On with SAML window will update with the configuration from the VCD metadata file. Under section 1, you will need the Identifier (Entity ID) for the next stage of configuring Cloud Director.

8. Scroll down to section 2 - Attributes and Claims and press Edit. On the next screen, press Add a group claim. 

9. On the Group Claims page, select Security groups. Leave source attribute set to Group ID:

Expand the Advanced options section and check Customise the name of the group claim. Under Name, enter Groups (case sensitive). Press Save.

10. Return to your application Single sign-on page (under Manage). Scroll down to section 3 - SAML Certificates. Alongside Federation Metadata XML, use the Download option to download an XML configuration to your device:

VMware Cloud Director - SAML Configuration

With your SAML application now configured in Entra, return to Cloud Director and the SAML Configuration page (Administration > Identity Providers > SAML).

1. On the Service Provider tab, you will need to provide the same Entity ID as shown in the Entra Basic SAML Configuration section:

2. Move to the Identity Provider tab. Check the Use SAML Identity Provider box, and then Select Metadata XML file. Browse to locate the Entra metadata file that you previously downloaded (the filename will match the name of your Entra application):

3. Press Save to commit your SAML configuration.

4. Finally, we need to provide access to your VCD environment. Under Access Control, select Groups and then Import Groups.

5. In the import groups popup that appears, enter the IDs of the Entra security groups that you previously created and assign the appropriate role. You will need to repeat this process for each individual group that you created, to establish the correct group --> role mappings.

You must use the Entra group object IDs here - you cannot provide group names

Testing

1. Return to your Entra admin portal and locate the SAML application that you created. Under Manage, select Single-on. 

2. Scroll down to section 5 - Test single sign-on. Press the Test button to verify your SSO integration:

3. On the test page that appears, read the information provided and then press the Test sign in button. If you have completed the integration successfully (and are signed into Entra ID as a user which has been provided with access to your VCD tenant portal, via security group membership), your VCD tenant portal will open in a new tab.

• Related Articles

• Single Sign On (SSO) with VMware Cloud Director

  Introduction By default, authentication to VMware Cloud Director (VCD) is against a local database. Nubis will provision each new organisation with a single account with the Organisation Administrator role which has full access to manage all aspects ...

• Google SSO with VMware Cloud Director

  Introduction Customers with a Google Workspace environment can integrate this with their Nubis VMware Cloud Director environment to take advantage of Single Sign On (SSO) and Multi Factor Authentication (MFA). Pre Requisites Prior to reading this ...