Support Aria Automation Plugin in Orchestrator for Greenfield Soft Tenant (VCF Automation 9.0)



Article ID: 401216


Products

VCF Automation

Issue/Introduction

  • The vRA plugin for a Greenfield deployment is supported for Soft tenants, with the prerequisite that vIDM is used as their IDP.

  • For a Greenfield Soft Tenant, the user must configure vIDM as the IDP in that soft tenant. The soft tenant must also be marked as the default login org.

Environment

  • VCF Automation 9.x
  • VCF Operations Orchestrator 9.x

Cause

With VCFA 9.0 (Greenfield deployment), the vRA Plugin in VCF Operations Orchestrator is supported only for Soft tenants, and only when vIDM is configured as the Identity Provider (IDP). By default the plugin does not work on a fresh VCFA 9.0 setup unless vIDM is set as the IDP and the classic tenant is made the default tenant.

Resolution

Configure Tenant Manager to use vIDM as a backing IDP

1.  Log in as Provider with username/password using Postman

   Note: Use the x-vmware-vcloud-access-token returned in the response header of the above API call as tm_token for further calls.

2.  Create a vIDM-backed Soft Tenant (can be skipped if you already have one)

3.  Get the vIDM-backed org

Note: Use vidm_backed_org_id and vidm_backed_org_urn, as shown in the screenshot below, for further calls.

4.  Get the vIDM-backed Org Redirect URI

Note: Use the orgRedirectUri returned, as shown in the screenshot below, for further calls.

5.  Trust the vIDM Certificate in Tenant Manager

  • Go to VCFA Provider/ Tenant Manager
  • Go to Certificate Management from the Side bar
  • Click Test Remote Connection
  • Enter the vIDM URL
  • Click Connect
  • Trust Selected Certificate
  • Click Connect

6.  Get a vIDM Token

Note: Use the sessionToken from the response of the API call below as vidm_admin_token in further calls.

7.  Create an auth_code OAuth Client in vIDM to back the vIDM-backed Org

Note: Use the clientId as vidm_auth_code_grant_client_id and the secret as vidm_auth_code_grant_client_secret from the response of the API call below in further calls.


8.  Get the vIDM Auth Key

Note: Use the raw text returned in the response body as vidm_auth_key for further calls, replacing each newline character with the two-character escape sequence \n (backslash followed by n) so that the key stays on a single line inside the JSON body.

9.  Get the vIDM Auth Key Id

Note: Use the value of the kid field from the first object in the keys array of the response JSON as vidm_auth_kid for further calls.

10.  Set up vIDM as the backing IDP for the vIDM-backed Org

PUT https://VCFA-FQDN/api/admin/org/{{vidm_backed_org_id}}/settings/oauth

Headers:
Accept: application/*+json;version=40.0
Authorization: Bearer {{tm_token}}
Content-Type: application/vnd.vmware.admin.organizationOAuthSettings+json

Body:
{
  "type": "application/vnd.vmware.admin.organizationOAuthSettings+json",
  "issuerId": "https://{{vidm}}/SAAS/auth",
  "enabled": true,
  "clientId": "{{vidm_auth_code_grant_client_id}}",
  "clientSecret": "{{vidm_auth_code_grant_client_secret}}",
  "userAuthorizationEndpoint": "https://{{vidm}}/SAAS/auth/oauth2/authorize",
  "accessTokenEndpoint": "https://{{vidm}}/SAAS/auth/oauthtoken",
  "scimEndpoint": "https://{{vidm}}/SAAS/jersey/manager/api/scim/Me",
  "scope": [
    "user",
    "openid",
    "profile",
    "email"
  ],
  "maxClockSkew": 60,
  "jwksUri": "https://{{vidm}}/SAAS/API/1.0/REST/auth/token?attribute=publicKey&format=jwks",
  "autoRefreshKey": null,
  "keyRefreshStrategy": null,
  "keyRefreshFrequencyInHours": null,
  "keyExpireDurationInHours": null,
  "wellKnownEndpoint": "https://{{vidm}}/SAAS/auth/.well-known/openid-configuration",
  "lastKeyRefreshAttempt": null,
  "lastKeySuccessfulRefresh": null,
  "enableIdTokenClaims": false,
  "usePKCE": null,
  "sendClientCredentialsAsAuthorizationHeader": null,
  "customUiButtonLabel": null,
  "oAuthKeyConfigurations": {
    "oAuthKeyConfiguration": [
      {
        "keyId": "{{vidm_auth_kid}}",
        "key": "{{vidm_auth_key}}",
        "algorithm": "RSA"
      }
    ]
  },
  "oidcAttributeMapping": {
    "subjectAttributeName": "sub",
    "emailAttributeName": "email",
    "fullNameAttributeName": "name",
    "firstNameAttributeName": "given_name",
    "lastNameAttributeName": "family_name"
  }
}
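Steps 8 through 10 can be scripted instead of assembled by hand in Postman. The following is an added example, not code from the KB article or from VMware/Broadcom: it extracts the kid from a JWKS document (step 9), shows the newline escaping from step 8, builds the step 10 body with the exact field names and values shown above, and sends it with the same headers. The endpoint path, headers and JSON fields come from step 10; the sample JWKS and PEM key are constructed dummies, the hostname vidm.example.test is an assumption, and VCFA-FQDN is the placeholder from the article. Because json.dumps escapes newlines itself, the raw PEM can be passed straight into the body; escape_pem_newlines is only needed when pasting the key into Postman.

```python
"""Build and send the step-10 organization OAuth settings for a vIDM-backed
VCFA soft tenant.  Added example; not part of the KB article."""
import json
import os
import urllib.request

# Media type and API version from step 10 of the article.
OAUTH_SETTINGS_TYPE = "application/vnd.vmware.admin.organizationOAuthSettings+json"
ACCEPT_HEADER = "application/*+json;version=40.0"

# Constructed sample inputs (dummy values, not real keys): a JWKS document in
# the shape step 9 returns, and a PEM public key in the shape step 8 returns.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "constructed-kid-1", "use": "sig", "alg": "RS256", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "kid": "constructed-kid-2", "use": "sig", "alg": "RS256", "n": "AQAB", "e": "AQAB"},
]})
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\nMIIBconstructedDummyKey\n-----END PUBLIC KEY-----\n"


def first_kid(jwks_json):
    """Step 9: the 'kid' of the first object in the JWKS 'keys' array."""
    keys = json.loads(jwks_json).get("keys") or []
    if not keys:
        raise ValueError("JWKS response has no 'keys' entries")
    return keys[0]["kid"]


def escape_pem_newlines(pem):
    """Step 8 as done in Postman: replace real newlines with backslash + n so
    the key fits on one line inside a JSON string literal."""
    return pem.replace("\r\n", "\n").replace("\n", "\\n")


def build_oauth_settings_body(vidm_host, client_id, client_secret, kid, key_pem):
    """Step 10 body with the {{...}} placeholders filled in."""
    base = "https://%s/SAAS" % vidm_host
    return {
        "type": OAUTH_SETTINGS_TYPE,
        "issuerId": base + "/auth",
        "enabled": True,
        "clientId": client_id,
        "clientSecret": client_secret,
        "userAuthorizationEndpoint": base + "/auth/oauth2/authorize",
        "accessTokenEndpoint": base + "/auth/oauthtoken",
        "scimEndpoint": base + "/jersey/manager/api/scim/Me",
        "scope": ["user", "openid", "profile", "email"],
        "maxClockSkew": 60,
        "jwksUri": base + "/API/1.0/REST/auth/token?attribute=publicKey&format=jwks",
        "autoRefreshKey": None,
        "keyRefreshStrategy": None,
        "keyRefreshFrequencyInHours": None,
        "keyExpireDurationInHours": None,
        "wellKnownEndpoint": base + "/auth/.well-known/openid-configuration",
        "lastKeyRefreshAttempt": None,
        "lastKeySuccessfulRefresh": None,
        "enableIdTokenClaims": False,
        "usePKCE": None,
        "sendClientCredentialsAsAuthorizationHeader": None,
        "customUiButtonLabel": None,
        "oAuthKeyConfigurations": {
            "oAuthKeyConfiguration": [{"keyId": kid, "key": key_pem, "algorithm": "RSA"}]
        },
        "oidcAttributeMapping": {
            "subjectAttributeName": "sub",
            "emailAttributeName": "email",
            "fullNameAttributeName": "name",
            "firstNameAttributeName": "given_name",
            "lastNameAttributeName": "family_name",
        },
    }


def serialize_body(body):
    """json.dumps escapes the PEM newlines as \\n, so no manual step 8 escaping is needed."""
    return json.dumps(body, indent=2)


def settings_url(vcfa_fqdn, org_id):
    """Endpoint from step 10."""
    return "https://%s/api/admin/org/%s/settings/oauth" % (vcfa_fqdn, org_id)


def put_org_oauth_settings(vcfa_fqdn, org_id, tm_token, body, timeout=30):
    """Send the step-10 PUT with the step-10 headers; returns the HTTP status."""
    req = urllib.request.Request(
        settings_url(vcfa_fqdn, org_id),
        data=serialize_body(body).encode("utf-8"),
        method="PUT",
        headers={"Accept": ACCEPT_HEADER,
                 "Authorization": "Bearer " + tm_token,
                 "Content-Type": OAUTH_SETTINGS_TYPE},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Secrets are read from the environment rather than written into the script.
    body = build_oauth_settings_body(
        vidm_host=os.environ.get("VIDM_HOST", "vidm.example.test"),  # assumed hostname
        client_id=os.environ.get("VIDM_CLIENT_ID", "constructed-client-id"),
        client_secret=os.environ.get("VIDM_CLIENT_SECRET", "constructed-secret"),
        kid=first_kid(SAMPLE_JWKS),
        key_pem=SAMPLE_PEM,
    )
    print(serialize_body(body))  # offline: prints the body instead of sending it
```

To actually apply the settings, call put_org_oauth_settings("VCFA-FQDN", vidm_backed_org_id, tm_token, body) with the org id from step 3 and the token from step 1; the server's TLS certificate must be trusted by the client, as the article's step 5 does for the reverse direction.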

11.  Once the above steps are done, the Classic Tenant Org has vIDM configured as its IDP. Test it by going to the provider portal and launching the Classic tenant Org you created. Under the Administer tab of the Tenant Portal, click Identity Providers; the OIDC entry with the configured details is listed there.


12.  Get Org Admin Role ID

Note: Use the value of the role id from the response JSON for further calls.


13.  Import the vIDM User

Note: The user now appears as imported in the Access Control tab. Test it by going to the provider portal and launching the Classic tenant Org you created. Under the Infrastructure tab of the Tenant Portal, click the Access Control tab.

14.  Set the vIDM Classic Soft tenant as the Default Login Org

15.  Re-deploy the application services in the VCFA setup via the commands below:

# Log in to the VCFA setup through SSH
1. export KUBECONFIG={your .kubeconfig file}   # Eg: vmsp-#######.kubeconfig
2. Run the command below to re-deploy the application services:
   kubectl delete hr -n prelude vmsp-prelude-deployer

16.  Log in to the VCFA Soft tenant Org with the imported vIDM username and password. The login should succeed.