Migrate Enterprise Identity Federation Broker for VMware Tanzu Platform to Symantec VIP Authentication Hub

search cancel

Migrate Enterprise Identity Federation Broker for VMware Tanzu Platform to Symantec VIP Authentication Hub

book

Article ID: 382893

calendar_today

Updated On:

Products

VMware Tanzu Platform Tanzu Mission Control VMware Tanzu Application Catalog VMware Tanzu Service Mesh

Issue/Introduction

This article is only applicable for VMware Tanzu customers who have Enterprise Identity Federation configured for VMware Tanzu Platform Console (https://console.tanzu.broadcom.com), and currently authenticate access to VMware Tanzu Platform Console and VMware Tanzu products listed in this article using their corporate credentials. No action is required for customers who currently authenticate access to these products using Broadcom Support Portal accounts.

VMware Tanzu Platform Console has begun transitioning to use Symantec VIP Authentication Hub as the Enterprise Identity Federation Broker that brokers the connection between customers’ corporate identity platform (IdP) and VMware Tanzu Platform Console. Symantec VIP Authentication Hub will be prepopulated with the customers’ current IdP information and existing Users and Groups to facilitate this transition.

During this Transition Period, VMware Tanzu Platform Console will support VMware Identity Broker (VIDB), which is the current Enterprise Identity Federation Broker, and Symantec VIP Authentication Hub to facilitate customers’ transition to the new Broker. It would be required for customers to take the following steps to transition to use Symantec VIP Authentication Hub, and it is recommended for customers to complete these steps by June 30, 2025.

Determine if it is necessary to create a new SAML application for accessing VMware Tanzu Platform Console
Create a new SAML application or modify the existing SAML application for VMware Tanzu Platform Console in the customers’ corporate identity platform to connect with Symantec VIP Authentication Hub.
Call VMware Tanzu Platform Console APIs to change the identity broker configuration in VMware Tanzu Platform Console, such that subsequent requests to authenticate access to VMware Tanzu Platform Console will be brokered through Symantec VIP Authentication Hub.
During the Transition Period, if the customer experiences issues after completing the above steps, the customer can roll back the changes above and revert to using VIDB to broker authentication requests.

If you encounter issues during the transition process and wish to contact the VMware Tanzu team, please visit Broadcom Support Portal and create a Support Ticket for VMware Tanzu Platform or any one of the VMware Tanzu products referenced in this article.

Environment

VMware Tanzu CSP managed services:

VMware Tanzu Platform
VMware Tanzu Mission Control
VMware Tanzu Application Catalog
VMware Tanzu Service Mesh

Resolution

Determine if it is necessary to create a new SAML application for accessing VMware Tanzu Platform Console using the following criteria.
1. If the existing SAML Application is configured with System for Cross-domain Identity Management (SCIM) provisioning protocol, it would be required to create a new SAML Application for accessing VMware Tanzu Platform Console that will use Just In Time (JIT) provisioning protocol. Jump to Step 3 for instructions to create a new SAML Application for accessing VMware Tanzu Platform Console.
  
  The SCIM provisioning protocol is currently not supported by Symantec VIP Authentication Hub and would require customers currently using this protocol to transition to use the JIT protocol.
2. If users in the federated domain only need access to VMware Tanzu Platform Console going forward and have stopped using services in VMware Cloud Services console (https://console.cloud.vmware.com), jump to Step 2 to modify the existing SAML Application for accessing VMware Tanzu Platform Console.
  
  It should be emphasized that this option would interrupt Enterprise Identity Federation for VMware Cloud Services, and should be considered only if access to VMware Cloud Services using your company’s credentials is no longer required.
3. If users in the federated domain continue to require access to VMware Tanzu Platform Console and VMware Cloud Services console, is your IdP currently configured with separate SAML Applications for accessing VMware Tanzu Platform Console and VMware Cloud Services Console?
  1. If yes, jump to Step 2 to modify the existing SAML Application for accessing VMware Tanzu Platform Console.
  2. If no (i.e. currently there is only one SAML Application for accessing VMware Tanzu Platform Console and VMware Cloud Services Console), it would be necessary to create an additional SAML Application such that the access to the two Consoles are handled by separate and dedicated SAML Applications. Jump to Step 3 for instructions to create a new SAML Application for accessing VMware Tanzu Platform Console.

Modify the existing SAML Application for accessing VMware Tanzu Platform Console using the following steps.

It should be emphasized that the steps in this section would interrupt Enterprise Identity Federation for VMware Cloud Services, and please proceed only if access to VMware Cloud Services using your company’s credentials is no longer required.

Record the existing ACS URL and Audience URI before making any changes. This information would be necessary to roll back to the previous configuration.
Change ACS URL to:
https://access.broadcom.com/default/saml/v1/sp/acs?sp=ada0eaf7-5d4b-47d9-8ed5-b82a429f515e
Change Audience URI to: https://access.broadcom.com/default
Ensure the SAML App’s claim mapping NameID is mapped to the email attribute.

Ensure the following minimally required user and group attributes exist on the SAML Application. These attributes should retain the same value as those currently set in the SAML Application for VMware Tanzu Platform Console.

User Attributes
Name	Name Format	Value
email	Basic	user email
firstName	Basic	user first name
lastName	Basic	user last name
userName	Basic	user SAM (Security Account Manager) account name / user email / user principal name (*)

(*) Please retain the current configuration in the SAML application for VMware Tanzu Platform Console.

Group Attributes
Name	Name Format	Value
groups	Unspecified	{Their current groups}

Your SAML Application may require the encryption / signing certificate of Symantec VIP Authentication Hub. If required please find the certificate at: https://access.broadcom.com/default/saml/v1/metadata
Jump to Step 4

Create a new SAML Application and use this new Application to access VMware Tanzu Platform Console going forward. Configure this new instance with the following steps.

Set Assertion Consumer Service (ACS) URL:
https://access.broadcom.com/default/saml/v1/sp/acs?sp=ada0eaf7-5d4b-47d9-8ed5-b82a429f515e
Set Audience URI (also referred to as Service Provider Entity ID): https://access.broadcom.com/default
Ensure the SAML App’s claim mapping NameID is mapped to the email attribute.

Apply the following required user and group attributes in the SAML Application: Please copy these attributes and values from your current / old SAML application for VMware Tanzu Platform Console. These attributes should have the same value as those set in the current SAML Application for VMware Tanzu Platform Console.

User Attributes
Name	Name Format	Value
email	Basic	user email
firstName	Basic	user first name
lastName	Basic	user last name
userName	Basic	user SAM (Security Account Manager) account name / user email / user principal name (*)

(*) Please retain the current configuration in the SAML application for VMware Tanzu Platform Console.

Group Attributes
Name	Name Format	Value
groups	Unspecified	{Their current groups}

The new SAML Application may require the encryption / signing certificate of Symantec VIP Authentication Hub. If required please find the certificate at: https://access.broadcom.com/default/saml/v1/metadata
Add or assign Users and Groups that should be granted access to this SAML Application and to VMware Tanzu Platform Console. Please reference the Users and Groups associated with the existing SAML Application for VMware Tanzu Platform Console and VMware Cloud Services to retain access for existing users. Some IdP may have capabilities to copy Users and Groups from an existing SAML Application to this new Application.
Provide information about the new SAML Application to VMware Tanzu team by visiting https://forms.gle/gCzCKBKoqaoU2cd48 and completing the required information in the form.
VMware Tanzu team will send a confirmation email to the Email Address entered in this form after we have successfully configured Symantec VIP Authentication Hub with information about the new SAML Application. Please wait for this email before proceeding to Step 4.

Modify VMware Tanzu Platform Console configuration to start using Symantec VIP Authentication Hub as Enterprise Identity Federation Broker. This step needs to be performed by a VMware Tanzu Platform Console user with Organization Owner or Organization Administrator role.
1. If the Organization Owner or Organization Administrator has an existing and valid API Token scoped within the VMware Tanzu Platform Console Organization already configured for Enterprise Identity Federation, jump to Step 4.III
2. If the Organization Owner or Organization Administrator does not have a valid API Token, create an API Token using the following steps
  1. Login to VMware Tanzu Platform Console at https://console.tanzu.broadcom.com
  2. If you have access to multiple VMware Tanzu Platform Console Organizations, please review the Organization Name displayed under your name in the header area and confirm that you are in the context of the Organization to be configured for Enterprise Identity Federation. You might need to switch to a different Organization by clicking on your name and selecting a different Organization under the “Change Organization” drop down.
  3. Follow the instructions in KB Article "How do I generate API tokens" to create a new API Token.
3. Create an access (bearer) token using the API token
  
  $ export CSP_API_TOKEN=...
  $ export CSP_API_HOST=https://console.tanzu.broadcom.com
  $ export BEARER_TOKEN=$(curl -s -H 'Content-Type: application/x-www-form-urlencoded' -X POST -d "grant_type=refresh_token&api_token=$CSP_API_TOKEN" "$CSP_API_HOST/csp/gateway/am/api/auth/api-tokens/authorize" | jq -r .access_token)
4. Find your current IDP Registration ID in VMware Tanzu Platform Console in the “Details” page under the “Organization” category. Export the ID for commands in substep V:
  
  Note the first IdpRegistration in the response and its ID.
  
  export IDP_REGISTRATION_ID=...
5. Check current IDP Registration of VMware Tanzu Platform Console. It should return VIDB URLs because the switch to Symantec VIP Authentication Hub has not been made.
  
  $ curl --silent --location --request GET "$CSP_API_HOST/csp/gateway/am/api/idp-registrations/$IDP_REGISTRATION_ID/current" \
  --header "Authorization: Bearer $BEARER_TOKEN" \
  -H "Origin: $CSP_API_HOST"
  
  NOTE: The expected result from this command is "primary"
6. Change IDP Registration of VMware Tanzu Platform Console to Symantec VIP Authentication Hub using POST /am/api/idp registrations/{idpRegistrationId}/alternate/active
  
  $ curl --silent --location --request POST "$CSP_API_HOST/csp/gateway/am/api/idp-registrations/$IDP_REGISTRATION_ID/alternate/active" \
  --header "Authorization: Bearer $BEARER_TOKEN" \
  -H 'Content-Type: application/json' \
  -H "Origin: $CSP_API_HOST"
7. Confirm the current active IDP Registration is Symantec VIP Authentication Hub. using GET /am/api/idp-registrations/{idpRegistrationId}/current
  
  $ curl --silent --location --request GET "$CSP_API_HOST/csp/gateway/am/api/idp-registrations/$IDP_REGISTRATION_ID/current" \
  --header "Authorization: Bearer $BEARER_TOKEN" \
  -H "Origin: $CSP_API_HOST"
  
  NOTE: The expected result from this command is "alternate"
8. Validate that you can successfully log in to VMware Tanzu Platform Console
  1. If you have an active session using VMware Tanzu Platform Console, log out from that session.
  2. Open an Incognito or Private browser window and navigate to https://console.tanzu.broadcom.com
  3. Log in using your corporate credentials and validate whether you can successfully log in. If the log in failed, jump to Step 3.
9. If you have an active subscription and access to VMware Cloud Services Console, validate that you can successfully log in to VMware Cloud Services Console by navigating to https://console.cloud.vmware.com and log in to the service using your corporate credentials.
If you failed to log in at Step 4.VIII.C, revert IDP Registration back to VIDB (primary) to maintain user access to VMware Tanzu Platform Console while issues with switching to Symantec VIP Authentication Hub are being resolved.

$ curl --silent --location --request POST "$CSP_API_HOST/csp/gateway/am/api/idp-registrations/$IDP_REGISTRATION_ID/primary/active" \
--header "Authorization: Bearer $BEARER_TOKEN" \
-H 'Content-Type: application/json' \
-H "Origin: $CSP_API_HOST"

Troubleshooting common migration issues

SAML authentication fails after migration

Issue:

After switching to Authentication Hub, users are unable to log in to VMware Tanzu Platform Console (https://console.tanzu.broadcom.com) due to SAML authentication failures.

Possible Causes & Solutions

- - Incorrect SAML configuration:
    - Ensure that the SAML metadata from Authentication Hub has been correctly imported into your IdP: SAML metadata can be retrieved from https://access.broadcom.com/default/saml/v1/metadata
    - Double-check that the Entity ID, Assertion Consumer Service (ACS) URL, and other required attributes match the settings provided in this guide.
  - Certificate mismatch:
    - Confirm that the signing certificate used in the SAML application matches the one sent in the Google form referenced in Step 3.
    - If they are not matching, please contact VMware Tanzu team to provide the correct certificate.
  - Assertion attributes do not match the expected format:
    - Ensure that the required attributes (email, name, username, groups) are included and formatted correctly in the SAML assertion.
  - SSO Url mismatch:
    - Ensure that the correct IdP login URL for your SAML application matches the one provided to VMware Tanzu team in the Google form referenced in Step 3.
  - EntityID mismatch:
    - Verify that the EntityID used in your SAML application matches the one provided to VMware Tanzu team in the Google form referenced in Step 3.

Login works, but there are errors when accessing to any Tanzu service

Issue:

Users can log in to VMware Tanzu Platform Console but are unable to access the expected services / products due to missing roles and permissions.

Possible Causes & Solutions

- - IdP is not sending group claims in the SAML assertion:
    - Ensure that the SAML application is configured to send user group information and that the correct attribute name (‘groups’) is being used.
  - Group with the Roles is not added to the Organization in VMware Tanzu Platform Console:
    - In VMware Tanzu Platform Console, navigate to Identity & Access Management → Groups in the left side navigation bar, and validate if the group has been added to the Organization
    - If the group is not listed, add the Group to the Organization using the following steps
      - Select “Add Groups”
      - Select “Select Groups from Your Source Domain”
      - Under “Search for an Enterprise Group” enter the name of the Group that you wish to add, and add required Service Roles.

Feedback

thumb_up Yes

thumb_down No