Migrate Enterprise Identity Federation Broker for VMware Tanzu Platform to Symantec VIP Authentication Hub
Article ID: 382893

Products

VMware Tanzu Platform, Tanzu Mission Control, VMware Tanzu Application Catalog, VMware Tanzu Service Mesh

Issue/Introduction

This article is only applicable for VMware Tanzu customers who have Enterprise Identity Federation configured for VMware Tanzu Platform Console (https://console.tanzu.broadcom.com), and currently authenticate access to VMware Tanzu Platform Console and VMware Tanzu products listed in this article using their corporate credentials. No action is required for customers who currently authenticate access to these products using Broadcom Support Portal accounts.

On December 2, 2024, VMware Tanzu Platform Console will begin transitioning to use Symantec VIP Authentication Hub as the Enterprise Identity Federation Broker that brokers the connection between customers’ corporate identity platform (IdP) and VMware Tanzu Platform Console. Symantec VIP Authentication Hub will be prepopulated with the customers’ current IdP information and existing Users and Groups to facilitate this transition.

During the Transition Period starting December 2, 2024, VMware Tanzu Platform Console will support both VMware Identity Broker (VIDB), the current Enterprise Identity Federation Broker, and Symantec VIP Authentication Hub, to facilitate customers’ transition to the new Broker. During this period, customers must take the following steps to transition to Symantec VIP Authentication Hub.

 

  1. Determine if it is necessary to create a new SAML application for accessing VMware Tanzu Platform Console
  2. Create a new SAML application or modify the existing SAML application for VMware Tanzu Platform Console in the customers’ corporate identity platform to connect with Symantec VIP Authentication Hub.
  3. Call VMware Tanzu Platform Console APIs to change the identity broker configuration in VMware Tanzu Platform Console, such that subsequent requests to authenticate access to VMware Tanzu Platform Console will be brokered through Symantec VIP Authentication Hub.
  4. During the Transition Period, if the customer experiences issues after completing the above steps, the customer can roll back the changes above and revert to using VIDB to broker authentication requests.

If you encounter issues during the transition process and wish to contact the VMware Tanzu team, please visit Broadcom Support Portal and create a Support Ticket for VMware Tanzu Platform or any one of the VMware Tanzu products referenced in this article.

Environment

VMware Tanzu CSP managed services:

  • VMware Tanzu Platform
  • VMware Tanzu Mission Control
  • VMware Tanzu Application Catalog
  • VMware Tanzu Service Mesh

Resolution

 

    1. Determine if it is necessary to create a new SAML application for accessing VMware Tanzu Platform Console using the following criteria.

      1. If the existing SAML Application is configured with the System for Cross-domain Identity Management (SCIM) provisioning protocol, you must create a new SAML Application for accessing VMware Tanzu Platform Console that uses Just In Time (JIT) provisioning. Jump to Step 3 for instructions to create a new SAML Application for accessing VMware Tanzu Platform Console.

        SCIM provisioning is currently not supported by Symantec VIP Authentication Hub, so customers currently using SCIM must transition to JIT provisioning.


      2. If users in the federated domain only need access to VMware Tanzu Platform Console going forward and have stopped using products in VMware Cloud Services console, jump to Step 2 to modify the existing SAML Application for accessing VMware Tanzu Platform Console.

        It should be emphasized that this option would interrupt Enterprise Identity Federation for VMware Cloud Services, and should be considered only if access to VMware Cloud Services using your company’s credentials is no longer required.


      3. If users in the federated domain continue to require access to VMware Tanzu Platform Console and VMware Cloud Services console, is your IdP currently configured with separate SAML Applications for accessing VMware Tanzu Platform Console and VMware Cloud Services Console?

        1. If yes, jump to Step 2 to modify the existing SAML Application for accessing VMware Tanzu Platform Console.

        2. If no (i.e. there is currently only one SAML Application for accessing both VMware Tanzu Platform Console and VMware Cloud Services Console), it is necessary to create an additional SAML Application so that access to the two Consoles is handled by separate and dedicated SAML Applications. Jump to Step 3 for instructions to create a new SAML Application for accessing VMware Tanzu Platform Console.



    2. Modify the existing SAML Application for accessing VMware Tanzu Platform Console using the following steps.

      The steps in this section interrupt Enterprise Identity Federation for VMware Cloud Services; proceed only if access to VMware Cloud Services using your company’s credentials is no longer required.

      1. Record the existing ACS URL and Audience URI before making any changes. This information is needed to roll back to the previous configuration.

      2. Change ACS URL to:
        https://access.broadcom.com/default/saml/v1/sp/acs?sp=ada0eaf7-5d4b-47d9-8ed5-b82a429f515e

      3. Change Audience URI to: https://access.broadcom.com/default

      4. Ensure the SAML App’s claim mapping NameID is mapped to the email attribute.

      5. Ensure the following minimum required user and group attributes exist on the SAML Application:

        User Attributes

        Name        Name Format    Value
        email       Basic          user email
        firstName   Basic          user first name
        lastName    Basic          user last name

        Group Attributes

        Name        Name Format    Value
        groups      Unspecified    {Their current groups}


      6. Jump to Step 4



    3. Create a new SAML Application and use this new Application to access VMware Tanzu Platform Console going forward. Configure this new instance with the following steps.

      1. Set Assertion Consumer Service (ACS) URL:
        https://access.broadcom.com/default/saml/v1/sp/acs?sp=ada0eaf7-5d4b-47d9-8ed5-b82a429f515e

      2. Set Audience URI (also referred to as Service Provider Entity ID): https://access.broadcom.com/default

      3. Ensure the SAML App’s claim mapping NameID is mapped to the email attribute.

      4. Apply the following required user and group attributes in the SAML Application:

        User Attributes

        Name        Name Format    Value
        email       Basic          user email
        firstName   Basic          user first name
        lastName    Basic          user last name

        Group Attributes

        Name        Name Format    Value
        groups      Unspecified    {Their current groups}



      5. Add or assign the Users and Groups that should be granted access to this SAML Application and to VMware Tanzu Platform Console. Reference the Users and Groups associated with the existing SAML Application for VMware Tanzu Platform Console and VMware Cloud Services to retain access for existing users. Some IdPs can copy Users and Groups from an existing SAML Application to the new Application.

      6. Provide information about the new SAML Application to VMware Tanzu team by visiting https://forms.gle/gCzCKBKoqaoU2cd48  and completing the required information in the form.

      7. VMware Tanzu team will send a confirmation email to the Email Address entered in this form after we have successfully configured Symantec VIP Authentication Hub with information about the new SAML Application. Please wait for this email before proceeding to Step 4.
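Before submitting the form in Step 3 (or after modifying the application in Step 2), it is worth capturing one test assertion from the IdP (most IdPs offer a "preview" or SAML-tracer style capture) and checking it against the values required above: ACS URL, Audience URI, NameID mapped to email, and the email/firstName/lastName/groups attributes. The following is an added example written for this article, not Broadcom or Symantec code. It checks assertion content only; signature validation is left to the broker. The sample assertion embedded in it is constructed to match the Step 2/Step 3 configuration, and the Destination/Recipient checks assume the standard SAML 2.0 placement of the ACS URL.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Values from the article's Step 2 / Step 3 instructions.
ACS_URL = ("https://access.broadcom.com/default/saml/v1/sp/acs"
           "?sp=ada0eaf7-5d4b-47d9-8ed5-b82a429f515e")
AUDIENCE = "https://access.broadcom.com/default"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED_USER_ATTRS = ("email", "firstName", "lastName")
REQUIRED_GROUP_ATTR = "groups"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the assertion meets the
    documented requirements.  Signature validation is deliberately NOT done."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion_tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == assertion_tag else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    # Where the IdP sends the assertion: Response Destination and the
    # SubjectConfirmationData Recipient must both be the broker's ACS URL.
    if root.tag == "{%s}Response" % NS["samlp"] and root.get("Destination") != ACS_URL:
        problems.append("Response Destination %r is not the ACS URL" % root.get("Destination"))
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")

    # Who the assertion is for: the Audience URI (SP Entity ID).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience %r does not include %r" % (audiences, AUDIENCE))

    # NameID must carry the user's e-mail address.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    nameid_text = (nameid.text or "").strip() if nameid is not None else ""
    if not EMAIL_RE.match(nameid_text):
        problems.append("NameID is missing or not an e-mail address")

    # Collect attributes as name -> (NameFormat, [values]).
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = (attr.get("NameFormat"), values)

    for name in REQUIRED_USER_ATTRS:
        fmt, values = attrs.get(name, (None, []))
        if not values or not values[0]:
            problems.append("required user attribute %r is missing or empty" % name)
        elif fmt is not None and fmt != BASIC_FORMAT:
            problems.append("attribute %r has NameFormat %r, expected Basic" % (name, fmt))
    email_values = attrs.get("email", (None, []))[1]
    if email_values and nameid_text and email_values[0] != nameid_text:
        problems.append("NameID must carry the same value as the email attribute")
    if REQUIRED_GROUP_ATTR not in attrs:
        problems.append("required group attribute %r is missing" % REQUIRED_GROUP_ATTR)
    return problems


# Constructed sample (not a real capture) shaped the way an IdP configured
# per Step 2 / Step 3 would emit it.  Names and groups are placeholders.
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="%(acs)s">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="%(acs)s"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>%(aud)s</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="%(basic)s"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName" NameFormat="%(basic)s"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName" NameFormat="%(basic)s"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>tanzu-admins</saml:AttributeValue><saml:AttributeValue>platform-users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % {"acs": ACS_URL, "aud": AUDIENCE, "basic": BASIC_FORMAT}

# The same assertion still carrying a pre-migration Audience URI (placeholder
# value), as it would if the IdP application had not been updated.
STALE_AUDIENCE_ASSERTION = SAMPLE_ASSERTION.replace(
    "<saml:Audience>%s<" % AUDIENCE, "<saml:Audience>https://old-sp.example.invalid<")

if __name__ == "__main__":
    for label, doc in (("updated", SAMPLE_ASSERTION), ("stale", STALE_AUDIENCE_ASSERTION)):
        print(label, check_assertion(doc) or "OK")
```

Run it against a captured assertion by reading the XML into `check_assertion`; a non-empty list tells you which of the Step 2/Step 3 settings is still wrong before you ask the VMware Tanzu team to configure the Hub or flip the registration in Step 4.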



    4. Modify VMware Tanzu Platform Console configuration to start using Symantec VIP Authentication Hub as Enterprise Identity Federation Broker. This step needs to be performed by a VMware Tanzu Platform Console user with Organization Owner or Organization Administrator role.

      1. If the Organization Owner or Organization Administrator has an existing and valid API Token scoped within the VMware Tanzu Platform Console Organization already configured for Enterprise Identity Federation, jump to Step 4.III

      2. If the Organization Owner or Organization Administrator does not have a valid API Token, create an API Token using the following steps 


        1. Login to VMware Tanzu Platform Console at https://console.tanzu.broadcom.com

        2. If you have access to multiple VMware Tanzu Platform Console Organizations, please review the Organization Name displayed under your name in the header area and confirm that you are in the context of the Organization to be configured for Enterprise Identity Federation. You might need to switch to a different Organization by clicking on your name and selecting a different Organization under the “Change Organization” drop down.

        3. Follow the Tanzu Platform instructions to create a new API Token.


      3. Create an access (bearer) token using the API token

        $ export CSP_API_TOKEN=...
        $ export CSP_API_HOST=https://console.tanzu.broadcom.com
        $ export BEARER_TOKEN=$(curl -s -H 'Content-Type: application/x-www-form-urlencoded' -X POST -d "grant_type=refresh_token&api_token=$CSP_API_TOKEN" "$CSP_API_HOST/csp/gateway/am/api/auth/api-tokens/authorize" | jq -r .access_token)


      4. Find your current IDP Registration ID in VMware Tanzu Platform Console on the “Details” page under the “Organization” category. Note the first IdpRegistration in the response and its ID, and export it for the commands in substep V:

        $ export IDP_REGISTRATION_ID=...


      5. Check the current IDP Registration of VMware Tanzu Platform Console. Because the switch to Symantec VIP Authentication Hub has not yet been made, it should still report the VIDB registration ("primary").

        $ curl --silent --location --request GET "$CSP_API_HOST/csp/gateway/am/api/idp-registrations/$IDP_REGISTRATION_ID/current" \
          --header "Authorization: Bearer $BEARER_TOKEN" \
          -H "Origin: $CSP_API_HOST"

        NOTE: The expected result from this command is "primary"

      6. Change the IDP Registration of VMware Tanzu Platform Console to Symantec VIP Authentication Hub using POST /am/api/idp-registrations/{idpRegistrationId}/alternate/active

        $ curl --silent --location --request POST "$CSP_API_HOST/csp/gateway/am/api/idp-registrations/$IDP_REGISTRATION_ID/alternate/active" \
          --header "Authorization: Bearer $BEARER_TOKEN" \
          -H 'Content-Type: application/json' \
          -H "Origin: $CSP_API_HOST"

      7. Confirm that the current active IDP Registration is Symantec VIP Authentication Hub using GET /am/api/idp-registrations/{idpRegistrationId}/current

        $ curl --silent --location --request GET "$CSP_API_HOST/csp/gateway/am/api/idp-registrations/$IDP_REGISTRATION_ID/current" \
          --header "Authorization: Bearer $BEARER_TOKEN" \
          -H "Origin: $CSP_API_HOST"

        NOTE: The expected result from this command is "alternate"

      8. Validate that you can successfully log in to VMware Tanzu Platform Console

        1. If you have an active session using VMware Tanzu Platform Console, log out from that session.

        2. Open an Incognito or Private browser window and navigate to https://console.tanzu.broadcom.com

        3. Log in using your corporate credentials and validate whether you can successfully log in. If the login failed, jump to Step 5 to revert to VIDB.

      9. If you have an active subscription and access to VMware Cloud Services Console, validate that you can still log in to VMware Cloud Services Console by navigating to https://console.cloud.vmware.com and logging in with your corporate credentials.


    5. If you failed to log in at Step 4.VIII.C, revert IDP Registration back to VIDB (primary) to maintain user access to VMware Tanzu Platform Console while issues with switching to Symantec VIP Authentication Hub are being resolved.

      $ curl --silent --location --request POST "$CSP_API_HOST/csp/gateway/am/api/idp-registrations/$IDP_REGISTRATION_ID/primary/active" \
        --header "Authorization: Bearer $BEARER_TOKEN" \
        -H 'Content-Type: application/json' \
        -H "Origin: $CSP_API_HOST"
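The curl commands in Steps 4.III to 4.VII and Step 5 are a state machine with two guards: only switch when the current registration is "primary", and only keep the switch when the Hub is confirmed "alternate". The script below is an added example for this article, not Broadcom code, that wires those guards together so that a failed verification reverts to VIDB automatically. It uses only the endpoints quoted above. Assumptions labelled in the code: the /current response body names the state as "primary" or "alternate" (the article states only the expected result, not the exact body shape), the HTTP transport is injectable so the flow can be exercised offline against a fake, and the browser login check in Step 4.VIII still has to be done by hand afterwards.

```python
import json
import os
import sys
import urllib.parse
import urllib.request


def http_request(method, url, headers=None, data=None):
    """Default transport: returns (status, body_text) via urllib."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


def parse_registration_state(body):
    """Map the /current response to 'primary' or 'alternate'.  ASSUMPTION: the
    article only says the expected result is "primary"/"alternate", so accept a
    bare word, a JSON string, or a JSON body naming exactly one of the two
    states, and refuse anything ambiguous rather than guess."""
    text = body.strip().strip('"').lower()
    if text in ("primary", "alternate"):
        return text
    hits = [s for s in ("primary", "alternate") if s in text]
    if len(hits) != 1:
        raise ValueError("cannot determine registration state from: %r" % body[:200])
    return hits[0]


def bearer_from_api_token(host, api_token, transport=http_request):
    """Step 4.III: exchange the long-lived API token for a bearer token."""
    form = urllib.parse.urlencode({"grant_type": "refresh_token", "api_token": api_token}).encode()
    status, body = transport("POST", host + "/csp/gateway/am/api/auth/api-tokens/authorize",
                             {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError("token exchange failed with HTTP %d" % status)
    return json.loads(body)["access_token"]


class IdpSwitcher:
    def __init__(self, host, registration_id, bearer, transport=http_request):
        self.base = "%s/csp/gateway/am/api/idp-registrations/%s" % (host, registration_id)
        # Same headers the article's curl commands send.
        self.headers = {"Authorization": "Bearer " + bearer, "Origin": host}
        self.transport = transport

    def current(self):
        """Steps 4.V / 4.VII: GET .../current."""
        status, body = self.transport("GET", self.base + "/current", dict(self.headers))
        if status != 200:
            raise RuntimeError("GET /current failed with HTTP %d" % status)
        return parse_registration_state(body)

    def activate(self, which):
        """POST .../{primary|alternate}/active."""
        if which not in ("primary", "alternate"):
            raise ValueError(which)
        headers = {**self.headers, "Content-Type": "application/json"}
        status, _ = self.transport("POST", "%s/%s/active" % (self.base, which), headers, b"")
        if status >= 300:
            raise RuntimeError("POST /%s/active failed with HTTP %d" % (which, status))

    def cutover(self):
        """Steps 4.V to 4.VII with guards: switch only from 'primary', verify
        the switch, and fall back to 'primary' (Step 5) if it is not confirmed."""
        before = self.current()
        if before != "primary":
            raise RuntimeError("refusing to switch: current registration is %r" % before)
        self.activate("alternate")
        after = self.current()
        if after != "alternate":
            self.activate("primary")
            raise RuntimeError("switch not confirmed (got %r); reverted to primary" % after)
        return after

    def rollback(self):
        """Step 5: revert to VIDB (primary) and report the resulting state."""
        self.activate("primary")
        return self.current()


if __name__ == "__main__":
    # Uses the same environment variables as the article's commands.
    host = os.environ.get("CSP_API_HOST", "https://console.tanzu.broadcom.com")
    bearer = bearer_from_api_token(host, os.environ["CSP_API_TOKEN"])
    switcher = IdpSwitcher(host, os.environ["IDP_REGISTRATION_ID"], bearer)
    action = switcher.rollback if "rollback" in sys.argv[1:] else switcher.cutover
    print("active registration is now:", action())
```

Run it with `CSP_API_TOKEN` and `IDP_REGISTRATION_ID` exported as in Step 4, then do the incognito login test of Step 4.VIII; pass `rollback` as an argument to perform Step 5. Keeping the API token in an environment variable rather than on the command line keeps it out of shell history and process listings.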