This article provides steps to configure VM Apps Organizations to authenticate using the vIDB via OpenID Connect (OIDC).
NOTE
This configuration establishes vIDB as the Identity Provider for the VM Apps tenant. However, it does not provide Single Sign-On (SSO) access from the VCFA VM Apps tenant to other VCF components.
Under heavy VCF Automation 9.x tenant workloads, a single vIDB may reach its concurrent login limit; to keep service uninterrupted and handle the increased load, deploying additional vIDB instances may be required.
Prerequisites
Deploy and Configure vIDB: Ensure vIDB has been deployed from Fleet Management. Refer to the document Deployment Modes of the VCF Identity Broker for deploying vIDB.
VCF Automation 9.0.x
Retrieve Redirect URI from VM Apps:
1. Log in to the VM Apps Organization using an account with administrative privileges.
2. Navigate to Infrastructure > Administration > Identity Providers > OIDC.
3. Copy the Client Configuration Redirect URI.
Create an OIDC Client in VCF Operations:
1. Log in to VCF Operations (VCFOps).
2. Navigate to Fleet Management > Identity & Access > VCF Other Components.
3. Click ADD to create a new client.
4. Provide a Friendly Name for the client.
5. On Redirect URIs, paste the Client Configuration Redirect URI copied earlier.
6. Click Generate OIDC Client.
7. Note down the Identity Broker Issuer, Client ID, and Client Secret.
8. Click Save to complete the wizard.
Configure OIDC in VM Apps:
1. Return to the VM Apps Organization (logged in as admin account).
2. Navigate to Infrastructure > Administration > Identity Providers > OIDC.
3. Click Configure.
Enter Client Details:
1. Enter the Client ID and Client Secret recorded earlier.
2. Enter the IDP Well-Known Configuration Endpoint. This is the Identity Broker Issuer URL with /.well-known/openid-configuration appended. Example: if the Identity Broker Issuer URL is https://vIDB-FQDN/acs/t/CUSTOMER, enter https://vIDB-FQDN/acs/t/CUSTOMER/.well-known/openid-configuration as the IDP Well-Known Configuration Endpoint.
Configure Scopes and Claims:
1. Leave default settings for most sections except for Scopes and Claims Mapping.
2. Scopes: Type "group" and click ADD SCOPE. Ensure the list includes: openid, profile, email, and group.
3. Claims Mapping: Change the Subject value to acct (Account) and add Groups with claim group_names. Leave the remaining mappings as defaults.
4. Complete the configuration.
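Before saving the OIDC configuration it is worth confirming that the discovery document the well-known endpoint returns actually matches what the steps above rely on: the issuer value must equal the Identity Broker Issuer URL exactly, the endpoints must be HTTPS, and, where vIDB publishes them, the advertised scopes and claims should include the group scope and the acct and group_names claims. The following Python script is an added example, not part of this article or of the VCF product; the hostname, the tenant path and the sample discovery document are constructed placeholders, and the endpoint paths in the sample are assumed rather than taken from vIDB.

```python
"""Sanity-check a vIDB OpenID Connect discovery document before configuring VM Apps.

Added example (not from the article or the product). Builds the well-known URL
from the Identity Broker Issuer the same way the article describes, then checks
that the discovery document advertises what the VM Apps OIDC configuration
relies on: issuer match, HTTPS endpoints, the four scopes, and the
acct / group_names claims. The hostname vIDB-FQDN, the tenant path and the
sample document are constructed placeholders.
"""
import json
import urllib.request

REQUIRED_SCOPES = {"openid", "profile", "email", "group"}
REQUIRED_CLAIMS = {"acct", "group_names"}
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def well_known_url(issuer: str) -> str:
    """Append the discovery path to the issuer, tolerating a trailing slash."""
    return issuer.rstrip("/") + DISCOVERY_SUFFIX


def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return human-readable problems; an empty list means the document is usable."""
    problems = []
    # OIDC Discovery requires the published 'issuer' to match the configured
    # issuer URL exactly; a mismatch breaks ID token validation later.
    if doc.get("issuer") != expected_issuer.rstrip("/"):
        problems.append(
            f"issuer mismatch: document says {doc.get('issuer')!r}, expected {expected_issuer!r}"
        )
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    # scopes_supported / claims_supported are optional in the discovery spec,
    # so their absence is reported as 'unverifiable' rather than as a failure.
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    else:
        problems.append("scopes_supported not published; verify the group scope manually")
    if "claims_supported" in doc:
        missing = REQUIRED_CLAIMS - set(doc["claims_supported"])
        if missing:
            problems.append("claims not advertised: " + ", ".join(sorted(missing)))
    else:
        problems.append("claims_supported not published; verify acct and group_names manually")
    return problems


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Fetch the live discovery document (requires network access to the vIDB)."""
    with urllib.request.urlopen(well_known_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample document shaped like a typical OIDC discovery response;
# the endpoint paths are assumptions, not vIDB's real paths.
ISSUER = "https://vIDB-FQDN/acs/t/CUSTOMER"
SAMPLE_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
    "jwks_uri": ISSUER + "/jwks",
    "scopes_supported": ["openid", "profile", "email", "group"],
    "claims_supported": ["sub", "acct", "email", "group_names"],
}

if __name__ == "__main__":
    print("well-known endpoint:", well_known_url(ISSUER))
    # Replace SAMPLE_DOC with fetch_discovery(ISSUER) to check a live vIDB.
    for line in check_discovery(SAMPLE_DOC, ISSUER) or ["discovery document looks usable"]:
        print(line)
```

To run it against a real deployment, set ISSUER to the Identity Broker Issuer recorded from VCF Operations and pass fetch_discovery(ISSUER) to check_discovery; an issuer mismatch or a missing group scope reported here explains the most common reasons the later login test fails.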
Import Users and Groups:
1. On VM Apps Organization, navigate to Infrastructure > Administration > Access Control.
2. Import users or groups, specifying each one in UPN format (user@domain).
Verify Configuration:
1. Open an incognito browser window, browse to your VCFA instance, and enter the VM Apps organization name to log in. The login page should now offer the OIDC login option (or the custom text you specified for it).