VMware vCloud Director Two-factor authentication
Overview
This article shows how to set up two-factor authentication for the VMware vCloud Director virtualization system.
VMware vCloud Director supports federated SAML authentication (Single Sign-On). This lets you grant VMware vCloud access to your existing user base and add multifactor authentication, with centralized access management, through the Multifactor platform.
Manually created VMware vCloud accounts will continue to work for administrative purposes.
Multifactor does not request and store your users' passwords. Accounts and first-factor authentication methods are managed and verified locally with your Identity Provider (IDP) of choice.
Supported IDPs:
- Active Directory
- GSuite (Google)
- Yandex
The list is being extended.
Operational Principle
- VMware vCloud Director and Multifactor establish mutual trust by exchanging public certificates and configuring the Single Sign-On and Single Logout paths.
- On an authentication request, VMware vCloud forwards the user to the Multifactor page.
- Multifactor redirects the user to the account provider's page (e.g. GSuite or Active Directory).
- Once first-factor verification is complete, Multifactor initiates the second-factor authentication and returns the signed request to VMware.
Configure Multifactor
- Visit your account page and create a new Site -> SAML application in the "Resources" section:
  - Title: arbitrary
  - Address: arbitrary
  - Account provider:
    - GSuite for Google accounts;
    - Yandex for Yandex accounts;
    - Active Directory for Microsoft domain accounts.
  - Portal address:
    - If you selected the Active Directory account provider, enter the (internal or external) address of the self-service portal.
- Save the settings.
- Download the Multifactor metadata file; you will need it for further configuration.
Configure VMware vCloud Director
- Navigate to "Administration", then "Identity Providers" -> "SAML".
- On the "Service Provider" tab:
  - enter the Entity ID (your cloud address).
- On the "Identity Provider" tab:
  - enable "Use SAML Identity Provider";
  - upload the Multifactor metadata file.
- Save the changes.
- Copy the metadata address from the "Service Provider" section, go back to the Multifactor resource settings, click "Download metadata" and specify that download address.
- In the VMware console, go to "Access Control" -> "Users":
  - press "Import Users";
  - enter the logins and configure SSO rights for the users.
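Both sides of the trust above are established from metadata files: the Multifactor (IdP) metadata you upload to vCloud Director, and the vCloud Director (SP) metadata that Multifactor downloads. The following is an added example, not Multifactor's or VMware's own code, that checks a SAML 2.0 metadata document offline before it is handed to the other side: it extracts the entity ID and endpoints, requires every endpoint to be HTTPS, and requires at least one signing certificate that decodes to DER. The element names come from the SAML 2.0 metadata standard; the hostnames, paths and the stub "certificate" in the two sample documents are constructed for illustration and are not real values from either product.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Endpoint elements whose Location attribute is checked, per role.
ENDPOINT_TAGS = {
    "IDP": ("SingleSignOnService", "SingleLogoutService"),
    "SP": ("AssertionConsumerService", "SingleLogoutService"),
}


def _decode_der(b64_text):
    """Decode an X509Certificate element; return DER bytes or None if invalid."""
    try:
        der = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Every DER-encoded certificate starts with a SEQUENCE tag (0x30).
    return der if der and der[0] == 0x30 else None


def check_metadata(xml_text):
    """Inspect one SAML metadata document and report what it declares.

    Returns a dict with entity_id, role ("IDP" or "SP"), endpoints
    {tag: [location, ...]}, signing_certs (count) and problems (list of
    strings). An empty problems list means the file is fit to upload."""
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "role": None,
              "endpoints": {}, "signing_certs": 0, "problems": []}
    problems = result["problems"]
    if not result["entity_id"]:
        problems.append("missing entityID")

    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is not None:
        result["role"] = "IDP"
    else:
        desc = root.find("md:SPSSODescriptor", NS)
        if desc is None:
            problems.append("no IDPSSODescriptor or SPSSODescriptor")
            return result
        result["role"] = "SP"

    # Every endpoint the other side will redirect the browser to must be
    # HTTPS; otherwise SAML messages travel in the clear.
    for tag in ENDPOINT_TAGS[result["role"]]:
        for el in desc.findall(f"md:{tag}", NS):
            loc = el.get("Location", "")
            result["endpoints"].setdefault(tag, []).append(loc)
            if urlparse(loc).scheme != "https":
                problems.append(f"{tag} is not https: {loc}")
    # The primary endpoint (SSO for an IdP, ACS for an SP) must be present.
    primary = ENDPOINT_TAGS[result["role"]][0]
    if primary not in result["endpoints"]:
        problems.append(f"no {primary} endpoint")

    # Mutual trust rests on the published signing certificate(s).
    for kd in desc.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # an absent 'use' means signing and encryption
        if use not in (None, "signing"):
            continue
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert_el is None or _decode_der(cert_el.text or "") is None:
            problems.append("signing KeyDescriptor has no valid DER certificate")
            continue
        result["signing_certs"] += 1
    if result["signing_certs"] == 0:
        problems.append("no signing certificate")
    return result


# Constructed stand-in for a certificate: a minimal DER SEQUENCE{INTEGER 1}.
STUB_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed IdP metadata in the general shape of an IdP metadata download.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{STUB_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata with two defects: a plain-HTTP ACS and no certificate.
BAD_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://vcloud.example.test/cloud">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://vcloud.example.test/login/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("idp", IDP_METADATA), ("sp", BAD_SP_METADATA)):
        r = check_metadata(doc)
        print(name, r["role"], r["entity_id"], r["problems"] or "OK")
```

Run it against the real files by reading them into `check_metadata`; a non-empty `problems` list is the reason to stop and fix the source configuration before uploading, since vCloud Director and Multifactor will otherwise trust exactly what the file declares.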
Try it out
Log out of the VMware console; you will be prompted to log in with your local account or via Single Sign-On.