Introduction
Customers with a Google Workspace environment can integrate this with their Nubis VMware Cloud Director environment to take advantage of Single Sign On (SSO) and Multi Factor Authentication (MFA).
Prerequisites
Directory Structure
Nubis recommends that you utilise security groups within Google Workspace to control access to your VMware Cloud Director (VCD) environment. You will then be able to add or remove users by amending your group memberships, and not have to manage users in both Google and VCD.
The exact structure of your security groups will need to be agreed within your organisation. As a starting point, we would suggest having a 1-1 mapping between security group and VCD role (e.g. Organisation Administrators).
To create security groups:
1. Log in to your Google Workspace admin portal and, under Directory, select Groups.
2. Select Create group. Here, we are creating a group called Nubis VCD - Organisation Administrators. Be sure to select the Security label:
Upon pressing the Next button, you will need to ensure that the access settings applied to this group are appropriate. As a starting point, Nubis recommends setting the Access type to Restricted and then limiting Who can join the group to Only invited users (note: making any changes will amend the access type to Custom). Press Create Group once you are satisfied with the access settings selected.
3. Finally, add required members to the group(s) you have created.
Google SAML Application
With your directory structure defined, you are ready to create a SAML application.
1. Still in your Google Workspace admin portal, under Apps select Web and mobile apps.
2. Press Add app and then select Add custom SAML app.
3. On the App details tab, provide an app name. Here, we are creating an app called Nubis VCD:
4. On the Google Identity Provider details tab, choose option 1 to Download IdP metadata to your device:
5. On the Service provider details tab, you will need to inspect the metadata file you previously retrieved from the VCD SAML configuration page. Locate this file (spring_saml_metadata.xml) and load it into a text editor of your choice.
Towards the bottom of this file, you will find an element similar to the following:
Copy the URL provided in the Location attribute.
You will see your organisation name in place of nubisdemo.
6. Return to the Service provider details tab in your Google admin console and paste the URL you just obtained from the VCD metadata file into ACS URL.
Entity ID requires a unique identifier representing your VCD organisation. Start URL is the page that will be displayed upon successful authentication. We recommend using your organisation tenant page for both (you will need to replace nubisdemo with the value obtained from your VCD metadata file).
Select the Signed response checkbox.
Under Name ID, change Name ID format from UNSPECIFIED to EMAIL:
7. On the Attribute mapping tab, we need to provide a number of mappings between Google directory attributes and VMware Cloud Director attributes, to ensure that necessary data is passed at the point of SSO:
- Primary email --> EmailAddress
- First name --> FirstName
- Last name --> Surname
Under Group membership, we need to provide the Google groups that we previously created whilst establishing the directory structure and map these to an App attribute named Groups.
8. With all required information provided, press Finish to create your SAML app.
9. Finally, we need to provide the necessary user access to your new application. This is again a policy matter that you will need to agree within your organisation; as a starting point, Nubis recommends limiting access to the security groups you previously created.
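Step 5 above has you read the ACS URL out of spring_saml_metadata.xml by hand. The following is an added example, not part of the original guide or of VCD or Google tooling, that pulls the HTTP-POST AssertionConsumerService Location out of the SP metadata and checks it is HTTPS before you paste it into the Google ACS URL field. The metadata document is a constructed sample: the element names follow the SAML 2.0 metadata schema, but the host and path are placeholders standing in for your own file.

```python
# Added example (not from the original guide): extract the ACS URL from the
# spring_saml_metadata.xml that VCD exports, instead of re-typing it.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for the real file; host and path are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vcd.example.com/cloud/org/nubisdemo/">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vcd.example.com/cloud/org/nubisdemo/saml/SSO/alias/vcd"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def sp_settings(metadata_xml: str) -> dict:
    """Return the entityID currently in the SP metadata, the default HTTP-POST
    ACS URL, and whether the SP declares that it wants signed assertions."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs = None
    for svc in sp.findall(f"{{{MD_NS}}}AssertionConsumerService"):
        if svc.get("Binding") == POST_BINDING:
            acs = svc.get("Location")
            if svc.get("isDefault") == "true":
                break  # prefer the endpoint the SP marks as default
    if acs is None:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    if not acs.startswith("https://"):
        raise ValueError(f"ACS URL is not HTTPS: {acs}")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs,
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }

if __name__ == "__main__":
    print(sp_settings(SAMPLE_SP_METADATA))
```

Run it against your own exported file by replacing SAMPLE_SP_METADATA with its contents; the entity_id it reports is what the metadata currently declares, which you compare with the tenant-page Entity ID you choose in step 6.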
VMware Cloud Director - SAML Configuration
With your SAML application now configured in Google, return to Cloud Director and the SAML Configuration page (Administration > Identity Providers > SAML).
1. On the Service Provider tab, provide the same Entity ID that you used when configuring your Google SAML app:
2. Move to the Identity Provider tab. Check the Use SAML Identity Provider box, and then Select Metadata XML file. Browse to locate the Google metadata file that you previously downloaded (GoogleIDPMetadata.xml):
3. Finally, move to the Attribute Mapping tab and create the following mappings:
- First Name --> FirstName
- Surname --> Surname
4. Press Save to commit your SAML configuration.
5. Finally, we need to provide access to your VCD environment. Under Access Control, select Groups and then Import Groups.
6. In the import groups popup that appears, enter the names of the Google groups that you previously created and assign the appropriate role. You will need to repeat this process for each individual group that you created, to establish the correct group --> role mappings:
Testing
1. Return to your Google admin console and locate the SAML application that you created.
2. Use Test SAML Login to verify the configuration of your integration. If you have completed the integration successfully (and are logged into Google as a user who has been provided with access to your VCD tenant portal via security group membership), your VCD tenant portal will open in a new tab.
3. Within your VCD tenant app, browse to Administration > Access Control > Users and verify that your Google user has been imported via SAML.
4. Finally, open an incognito tab and browse to your tenant portal. Use the Sign In with Single Sign-On button and verify that you are redirected to the Google sign in page. Upon authenticating to Google, you should be redirected to your tenant homepage.