Configure User and Group Provisioning for VCF Identity Broker

Article ID: 441140


Products

VCF Operations

Issue/Introduction

Steps required to configure user and group provisioning from an Active Directory/LDAP identity provider to the VCF Identity Broker.

Environment

  • VCF Operations 9.0.x

Cause

Initial setup or modification of directory synchronization requires explicit mapping and provisioning configurations.

Resolution

  1. Navigate to the Configure user and group provisioning screen and click Configure.
  2. On the Review Directory Information screen, verify details and click Next.
  3. On the Attributes Mappings screen, verify mappings and click Next. If default mappings are incorrect, select the appropriate Active Directory attribute from the drop-down list.
    1. Note: For email synchronization, VCF Identity Broker requires the domain name appended to the value (UPN format, e.g., username@domain.com). See the Broadcom KB article "VCF SSO login requires upn@domain" (Article ID 393150).
  4. On the Group Provisioning screen, configure required Active Directory group Distinguished Names (DN) and click Next.
    1. Sync Nested Groups: Select this option to sync users from a primary group and all groups nested within it, without having to select each nested group individually.
    2. Specify the base group DN: Enter the base DN, click Select Base Group DN, and select target groups from the grid. Configure the base DN at a higher directory level (e.g., parent OU or domain root) if provisioning groups from multiple Active Directory locations.
  5. On the User Provisioning screen, select corresponding Active Directory user DNs and click Next.
    1. Specify the base user DN: Click Select Base User DN to search and select specific users. Leave this unspecified if the intent is to sync users directly from the groups defined in Step 4.
  6. On the Review screen, verify all configuration parameters and click Finish to complete the configuration.
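Before running the wizard it helps to know which users the chosen base group DN and the Sync Nested Groups option will actually pull in, and whether the attribute mapped for email already carries the required @domain suffix (Steps 3 and 4). The following Python script is an added example, not part of this article or of VCF Identity Broker; it walks a constructed in-memory directory snapshot (hypothetical DNs under DC=example,DC=local) instead of a live LDAP query, and the function and attribute names are assumptions chosen for illustration.

```python
"""Pre-provisioning check for an AD/LDAP -> VCF Identity Broker sync.

Resolves which users fall under a base group DN, optionally walking nested
groups, and flags users whose mapped attribute lacks the @domain suffix the
broker requires for email synchronization.
"""
from __future__ import annotations

from collections import deque

# Constructed sample directory snapshot keyed by DN (hypothetical names, not
# from any real domain). A real check would read an LDIF export instead.
DIRECTORY: dict[str, dict] = {
    "CN=vcf-admins,OU=Groups,DC=example,DC=local": {
        "objectClass": "group",
        "member": [
            "CN=alice,OU=Users,DC=example,DC=local",
            "CN=vcf-ops,OU=Groups,DC=example,DC=local",  # nested group
        ],
    },
    "CN=vcf-ops,OU=Groups,DC=example,DC=local": {
        "objectClass": "group",
        "member": [
            "CN=bob,OU=Users,DC=example,DC=local",
            "CN=vcf-admins,OU=Groups,DC=example,DC=local",  # membership cycle
        ],
    },
    "CN=alice,OU=Users,DC=example,DC=local": {
        "objectClass": "user",
        "userPrincipalName": "alice@example.local",
        "mail": "alice@example.local",
    },
    "CN=bob,OU=Users,DC=example,DC=local": {
        "objectClass": "user",
        "userPrincipalName": "bob",  # no @domain suffix: broker would reject this
        "mail": "bob@example.local",
    },
}


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around RDN separators so that
    comparisons do not depend on how the DN was typed into the wizard."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn sits below base_dn in the tree (base_dn itself excluded)."""
    return normalize_dn(dn).endswith("," + normalize_dn(base_dn))


def groups_under(base_dn: str) -> list[str]:
    """Groups the wizard's grid would offer for a given base group DN."""
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if entry["objectClass"] == "group" and is_under(dn, base_dn))


def resolve_members(group_dns: list[str], sync_nested: bool) -> list[str]:
    """Users provisioned from the selected groups. With sync_nested the walk
    follows members that are themselves groups; the visited set stops a
    membership cycle (vcf-admins -> vcf-ops -> vcf-admins) from looping."""
    users: set[str] = set()
    visited: set[str] = set()
    queue = deque(group_dns)
    while queue:
        group = queue.popleft()
        if group in visited:
            continue
        visited.add(group)
        for member in DIRECTORY.get(group, {}).get("member", []):
            kind = DIRECTORY.get(member, {}).get("objectClass")
            if kind == "user":
                users.add(member)
            elif kind == "group" and sync_nested:
                queue.append(member)
    return sorted(users)


def has_domain_suffix(value: str) -> bool:
    """The broker needs user@domain; reject bare names and empty domains."""
    local, sep, domain = value.partition("@")
    return bool(local) and bool(sep) and bool(domain)


def preflight(base_group_dn: str, sync_nested: bool,
              attr: str = "userPrincipalName") -> dict[str, bool]:
    """Map each user that would be provisioned to whether the attribute
    mapped for email already carries the required @domain suffix."""
    users = resolve_members(groups_under(base_group_dn), sync_nested)
    return {u: has_domain_suffix(DIRECTORY[u].get(attr, "")) for u in users}


if __name__ == "__main__":
    for user, ok in preflight("OU=Groups,DC=example,DC=local", True).items():
        print(f"{'OK ' if ok else 'FIX'} {user}")
```

Run it once with `sync_nested=False` and once with `True` against the group you intend to select; the difference in the returned user list is exactly what the Sync Nested Groups checkbox adds, and any user reported as `False` needs its mapped attribute corrected (or a different attribute chosen on the Attributes Mappings screen) before the first synchronization.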

Additional Information

Background synchronization begins immediately upon completion. Subsequent synchronizations are automatically scheduled to run once per week. Modify the schedule via the Managing AD/LDAP configuration panel if required.