Forum Discussion
APM SSO for VMware vCenter and vCloud Director
I currently have an HA pair of F5s running LTM, AFM + APM in front of a vCloud Director 5.5 deployment. Users currently authenticate to APM and are provided a webtop based on an AD Group Resource Assign. The users access their allowed areas of vCloud Director, and Administrators can access the vCenter Server web client from a webtop. I would like to provide Single Sign-On to users accessing these areas. I can tell both vCenter and vCloud Director utilize some kind of form to send credentials. I believe they are both running Adobe Flex on the client side. Can anyone provide me assistance on how to pass credentials in this situation? Thank you
14 Replies
- Arnaud_Lemaire
Employee
It really depends on the authentication mechanism of your application. If it's a traditional one, you need to create an SSO form-based profile and attach it in the resource menu of your access portal object, then add an SSO credential mapping agent in the VPE.
If it's something more complicated, you may need to play with a client-initiated form SSO profile.
You have some more info here:
- kunjan_118660
Cumulonimbus
Since it's not an HTML form-based login, I guess you can't use the normal form-based SSO here. Maybe an iRule would be able to do the credential hard-coding and trigger the login.
- fwebb_116789
Nimbostratus
Do you have any examples or links I could reference.
- kunjan
Nimbostratus
Are you able to do Fiddler or HTTPwatch on the vCenter webpage?
Is there a POST to /vsphere-client/j_spring_security_check when you login?
- fwebb_116789
Nimbostratus
Yes. The body of the WebForms view shows variables for:
- j_username
- locale
- j_password
- _spring_security_remember_me
- fwebb_116789
Nimbostratus
And it looks like VMware Director has a POST to /cloud/security_check with variables for:
- username
- password
- kunjan_118660
Cumulonimbus
Is there a j_thumbprint variable too for vCenter? It seems this varies with the installation.
I tried the following iRule which seems to be working, but may not be complete. Modify according to your setup. vCloud Director might be similar, but I don't have one to check.
    when HTTP_REQUEST {
        set ssoKey 0
        # First visit to the login page for this APM session: disable compression so
        # the STREAM profile can rewrite the body, and arm the response handler.
        if { [HTTP::uri] ends_with "ui.jsp" } {
            if { [ACCESS::session data get "session.custom.sso"] equals "" } {
                HTTP::header remove "Accept-Encoding"
                STREAM::disable
                set ssoKey 1
            }
        }
        if { [HTTP::uri] ends_with "j_spring_security_check" } {
            set ssoKey 1
        }
    }
    when HTTP_RESPONSE {
        if { $ssoKey equals 1 } {
            # Login accepted: remember it in the session so the form is not injected again.
            if { [HTTP::payload] contains "url:/vsphere-client/ui.jsp" } {
                ACCESS::session data set session.custom.sso 1
                HTTP::redirect "ui.jsp?extensionId=vsphere.core.folder.summaryView"
                return
            }
            # Credentials come from the APM logon page; serviceUrl/thumbprint are per installation.
            set j_username [ACCESS::session data get "session.logon.last.username"]
            set j_password [ACCESS::session data get "session.logon.last.password"]
            set j_serviceUrl {vc5.local}
            set j_thumbprint {00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00}
            # The auto-submitting form HTML and the STREAM search pattern were stripped
            # from the original post; fill them in for your deployment.
            set vForm " "
            STREAM::expression "@@$vForm@"
            STREAM::enable
        }
    }
- fwebb_116789
Nimbostratus
First of all, thank you. This really helps. I am working with this iRule. When I attempt to apply it to the virtual server, I get an error stating that a STREAM profile must be applied. Is it okay just to apply the parent stream profile, or are there other considerations that I need to take into account?
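As an added example (not code from this thread or from F5), here is the HTTP_RESPONSE rewrite step of kunjan's iRule modelled in Python, so that two things it relies on can be checked offline: the body is only rewritten when it is uncompressed (which is why the iRule strips Accept-Encoding from the request), and every value taken from the APM session is HTML-escaped before being written into the page, so a quote or angle bracket in a password cannot break out of the hidden input. The marker comment, the locale and remember-me values, and the sample page are assumptions.

```python
import html

# Constructed sample: a fragment of the login page with a marker where the
# auto-submit form goes. The real page and STREAM pattern are deployment-specific.
SAMPLE_MARKER = "<!-- SSO_FORM -->"
SAMPLE_PAGE = "<html><body>" + SAMPLE_MARKER + "</body></html>"

# POST target and field names as reported in the thread for the vSphere Web Client.
LOGIN_ACTION = "/vsphere-client/j_spring_security_check"


def build_sso_form(username, password, service_url, thumbprint):
    """Return an auto-submitting form carrying the login fields.

    All values are escaped with quote=True so that ", <, > and & inside a
    credential stay inside the value attribute instead of becoming markup.
    """
    fields = {
        "j_username": username,
        "j_password": password,
        "j_serviceUrl": service_url,
        "j_thumbprint": thumbprint,
        "locale": "en_US",                       # assumed value
        "_spring_security_remember_me": "false",  # assumed value
    }
    inputs = "".join(
        '<input type="hidden" name="%s" value="%s">'
        % (name, html.escape(value, quote=True))
        for name, value in fields.items()
    )
    return (
        '<form id="sso" method="post" action="%s">%s</form>'
        '<script>document.getElementById("sso").submit();</script>'
        % (LOGIN_ACTION, inputs)
    )


def rewrite_login_page(response_headers, body, username, password,
                       service_url, thumbprint):
    """Model of the iRule's STREAM rewrite. Returns (body, changed).

    A compressed body is returned untouched: a text substitution on gzip
    data corrupts it, which is what removing Accept-Encoding prevents.
    """
    headers = {k.lower(): v.lower() for k, v in response_headers.items()}
    if headers.get("content-encoding", "identity") != "identity":
        return body, False
    if SAMPLE_MARKER not in body:
        return body, False
    form = build_sso_form(username, password, service_url, thumbprint)
    return body.replace(SAMPLE_MARKER, form, 1), True
```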
- kunjan
Nimbostratus
Not aware of any specific consideration other than the stream profile to be applied.
https://support.f5.com/kb/en-us/solutions/public/8000/100/sol8115.html
The one issue documented is not applicable here:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15526.html
- ebrc
Nimbostratus
Hello everyone!
I know this case is 6 years old, but since I get the same issue with the new vCloud Director v10, I prefer to continue it instead of creating a new one.
I'm unable to find a way to do SSO with the APM portal. Our goal is to show an APM portal where we can use a token and do SSO to log in to vCloud, but it's completely different from the older vCloud Director.
The login page is like this: GET /login/?service=tenant:ORG-TEST&redirectTo=%2Ftenant%2FORG-TEST HTTP/1.1
It contains the following:
    function onPageLoad() {
        setSessionCookie();
        disable('loginButton');
        tid = setInterval(handleLoginEnable, 200);
        document.getElementById('usernameInput').onkeydown = function(event) {
            if(event.keyCode == '13') {
                // switch to password field on enter
                document.getElementById("passwordInput").focus();
            }
            handleLoginEnable();
        };
        // Submit the form when ENTER is pressed.
        document.getElementById('tenantName').onkeyup = function(event) {
            if(event.keyCode == '13') {
                onSubmit();
            }
        };
        handleLoginEnable();
        hide('blankCanvas');
        // Focus tenant or username input. timeout is requied as the dom is not rendered and focus is not set whitout the timeout
        window.setTimeout(function() {
            if (false) {
                document.getElementById("tenantName").focus();
            } else {
                document.getElementById("usernameInput").focus();
            }
        }, 150);
    }
Once I do the login, it does this: POST /cloudapi/1.0.0/sessions HTTP/1.1
With a JSON file which looks like
    {
      "id": "urn:vcloud:session:4cf167ea-1c96-46ed-9cd4-cbc5797aa128",
      "user": {"name": "sde", "id": "urn:vcloud:user:4538234e-c53c-4517-a81c-45acf8107b45"},
      "org": {"name": "ORG-TEST", "id": "urn:vcloud:org:673fe109-5da1-4179-9603-2bee17ffee01"},
      "location": "673fe109-5da1-4179-9603-2bee17ffee01@cf5ec229-07dd-44c1-a4a5-f119253df0ab",
      "roles": ["Organization Administrator"]
    }
There is no clear parameter name.
Do you think it is still possible to use APM on this?
Thank you very much for your support!
