In vRealize Automation 8.X, Easy Installer deploys a vIDM appliance which is used for Authentication by vRealize Automation whether you choose a Standalone deployment or a Clustered deployment. As we already have an external vIDM appliance as part of our vRA 8.X deployment, we can use it for configuring Single Sign-On for VMware vRealize Suite products.
Single Sign-On configuration is supported in 7.X versions of vRealize Suite products as well, but it requires an external VMware Identity Manager, which most customers do not deploy. vRealize Automation 7.X Appliances also include an embedded version of VMware Identity Manager. Although we can enable the UI for the embedded vIDM using the command vcac-vami horizon ui enable, there is no documentation suggesting that making changes directly to VMware Identity Manager is supported by VMware.
In this post we will discuss the process of configuring Single Sign-On for vRealize Suite 8.X version products. In this article I am assuming that an Active Directory domain has already been configured in VMware Identity Manager.
vRealize Automation:
1. Login to VMware Identity Manager and click on Web Apps under the Catalog section.

2. Click on New to configure vRealize Automation Web Application Link.

3. In the Name section enter vRealize Automation 8.X (vRA) and upload an Icon file for vRealize Automation.

4. Leave the Category section blank and click Next.
5. In Authentication Type select Web Application Link and type https://vRA_FQDN/csp/gateway/portal/#/consumer in Target URL.

6. Click Next and then click Save.
7. Now the only task left is to assign this App to Active Directory users who already have access to vRealize Automation. Select the newly created Application and click on Assign.

8. Search the name of Users/User Groups to publish the App, select the Deployment type as Automatic and click Save.

9. Next time the user authenticates with vIDM and goes to User Portal, he/she will be able to see the newly published vRA 8.X Application.

10. Once the user clicks on Open on this App, the user will be authenticated & redirected to the vRealize Automation portal.
vRealize Log Insight:
1. Before publishing vRealize Log Insight as an App in VMware Identity Manager we need to configure vIDM as an Authentication Source in vRealize Log Insight and we need to obtain the Target URL.
2. Login to vRealize Log Insight. Click on Administration and Under Authentication enter the details of your vIDM.

3. Provide access to VMware Identity Manager Users/User Groups in Administration section under Access Control > Users and Groups.

4. In order to obtain the Target URL, logout from vRealize Log Insight & logout from vIDM and select System Domain.
5. Open vRealize Log Insight in a new Tab, select VMware Identity Manager from the Drop-down and click on Login via SSO.

6. You’ll be redirected to VMware Identity Manager for login. Copy the URL from the Address Bar of the browser. URL will look something like:
https://idm01.mydomain.lab/SAAS/auth/login?dest=https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type%3Dcode%26client_id%3Dbabc6f64a70-2c7c-4c5a-867f-bc631327f5dc%26redirect_uri%3Dhttps://192.168.113.112/login&chainedauthMethods=%5B%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:15,%22authMethodOrder%22:13%7D%5D%7D,%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:3,%22authMethodOrder%22:1%7D%5D%7D%5D&ttl=28800

7. URL highlighted in red is our Target URL for vRealize Log Insight. Follow the same process as vRealize Automation App and publish vRealize Log Insight for users using the vRealize Log Insight Target URL.
8. Now the users should be able to launch vRealize Log Insight App from vIDM User Portal & Authenticate using vIDM Single Sign-On.
vRealize Operations Manager:
1. For vRealize Operations Manager we need to follow the process similar to vRealize Log Insight. Configure vIDM as Authentication Source, Grant permissions to vIDM Users/Groups in vROps & obtain the Target URL.
2. Login to vRealize Operations Manager as an Admin user. Click on Administration and Under Authentication Sources click Add. Select Source Type as VMware Identity Manager and enter the details of your vIDM Appliance.

3. Provide access to VMware Identity Manager Users/Groups by Importing them in Administration section under Access > Access Control > User Accounts and User Groups.

4. In order to obtain the Target URL, logout from vRealize Operations Manager & logout from vIDM and select System Domain.
5. Open vRealize Operations Manager in a new Tab, select VMware Identity Manager from the Drop-down and click REDIRECT.

6. You’ll be redirected to VMware Identity Manager for login. Copy the URL from the Address Bar of the browser. URL will look something like:
https://idm01.mydomain.lab/SAAS/auth/login?dest=https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type%3Dcode%26client_id%3D0246fe54-d0a5-42ff-b3c1-f3d144b64519%26redirect_uri%3Dhttps://10.11.12.13/ui/vidmClient/vidm/&chainedauthMethods=%5B%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:15,%22authMethodOrder%22:13%7D%5D%7D,%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:3,%22authMethodOrder%22:1%7D%5D%7D%5D&ttl=28800
We are only interested in Client ID highlighted in RED in the above link.

7. Replace the details of the below URL with your environment details and you’ll get Target URL for vRealize Operations Manager.
https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type=code&client_id=0246fe54-d0a5-42ff-b3c1-f3d144b64519&redirect_uri=https://idm_ip_address/ui/vidmClient/vidm/
8. Follow the same process as vRealize Automation App and publish vRealize Operations Manager App for users using the vRealize Operations Manager Target URL.
9. Now the users should be able to launch vRealize Operations Manager App from vIDM User Portal & Authenticate using vIDM Single Sign-On.
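Steps 6 and 7 above can be done mechanically. The following is an added example, not part of the original post: it percent-decodes the captured login URL, pulls out the client ID and redirect URI, and rebuilds the Target URL. The function name build_target_url, the allowed-host set, and the check that the client ID is a bare UUID (as in the vROps URL above) are assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: the redirect URL from step 6, using the page's lab values.
CAPTURED = (
    "https://idm01.mydomain.lab/SAAS/auth/login?dest="
    "https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type%3Dcode"
    "%26client_id%3D0246fe54-d0a5-42ff-b3c1-f3d144b64519"
    "%26redirect_uri%3Dhttps://10.11.12.13/ui/vidmClient/vidm/"
    "&chainedauthMethods=%5B%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:15,"
    "%22authMethodOrder%22:13%7D%5D%7D,%7B%22chainedAuthmethods%22:%5B%7B"
    "%22authMethoId%22:3,%22authMethodOrder%22:1%7D%5D%7D%5D&ttl=28800"
)

# Assumption: client IDs are UUID-shaped, as in the vROps URL on this page.
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def _one(params, key):
    """Return the single value for key; reject missing or repeated parameters."""
    values = params.get(key, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {key!r}, got {len(values)}")
    return values[0]


def build_target_url(captured, allowed_redirect_hosts):
    """Rebuild the Target URL from the captured vIDM login URL."""
    login = urlsplit(captured)
    # parse_qs percent-decodes dest, so %3D becomes '=' and %26 becomes '&'.
    dest = urlsplit(_one(parse_qs(login.query), "dest"))
    if dest.scheme != "https" or dest.hostname != login.hostname:
        raise ValueError("dest must be an https URL on the vIDM host itself")
    inner = parse_qs(dest.query)
    client_id = _one(inner, "client_id")
    if not UUID_RE.fullmatch(client_id):  # catches a leftover '3D' prefix
        raise ValueError(f"client_id is not a bare UUID: {client_id!r}")
    redirect = urlsplit(_one(inner, "redirect_uri"))
    if redirect.scheme != "https" or redirect.hostname not in allowed_redirect_hosts:
        raise ValueError(f"unexpected redirect_uri: {redirect.geturl()!r}")
    query = urlencode({"response_type": _one(inner, "response_type"),
                       "client_id": client_id,
                       "redirect_uri": redirect.geturl()}, safe=":/")
    return f"https://{dest.netloc}{dest.path}?{query}"


if __name__ == "__main__":
    print(build_target_url(CAPTURED, {"10.11.12.13"}))
```

Pass the address of your own vRealize Operations Manager node in the allowed-host set, so a capture whose redirect_uri points anywhere else is rejected before it is published as a Web App.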
vRealize Suite Lifecycle Manager:
1. For vRealize Suite Lifecycle Manager the process is fairly easy. We just need to provide users access to vLCM under Identity and Tenant Management and publish the Target URL.
2. Login to vRealize Suite Lifecycle Manager as an Admin user. Click on Identity and Tenant Management.

3. In the Directory Management section, click on Directories, then click Add Directory and select Active Directory over LDAP.

4. The process of Adding the Active Directory is same as vRealize Automation 7.X.

5. Once Active Directory has been configured, provide relevant permissions to Users/Groups under User Management section.

6. Replace the details of the below URL with your environment details and you’ll get Target URL for vRealize Suite Lifecycle Manager.
http://lcm01.mydomain.lab/lcm/login/vidm
7. The process of publishing vRealize Suite Lifecycle Manager App for users using the vRealize Suite Lifecycle Manager Target URL remains the same.
Note: The current versions of vCenter Server do not support VMware Identity Manager as an Identity Provider. NSX-T does support Single Sign-On configuration using vIDM.
For more details on integrating NSX-T with IDM, check out this blog.
The final catalog of your VMware Identity Manager will have Web Apps for all 4 vRealize Suite Components. Enjoy!!
