VMware Aria Automation + Keycloak + LDAP
I got an idea to check if using Keycloak as an IdP for VMware Aria Automation is possible. Let’s find out.
Keycloak configuration
Export vIDM metadata
Let’s explore integrating Keycloak (backed by Open LDAP) as an Identity Provider for VMware Identity Manager.
- Login into VMware Identity Manager (IDM) > Administration Console > Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP
- Scroll down and download the Service Provider (SP) Metadata XML file. This metadata includes all the necessary information to create a new client in Keycloak.
Create a new client
Now, let us proceed to access Keycloak and initiate the creation of a new client.
- Keycloak > Realm > Clients > Create > Import > select the saved XML metadata we downloaded previously > Save
- Enable / Disable the client options following the screenshots and save the changes
We’re using the
username
as a Name ID Format, but it can be changed to any other attribute like
Now let’s create 4 mappers: email, givenName, userName, and surname.
- Keycloak > Realm > Clients > our IDM client > Mappers > Create
email
mapper
givenName
mapper
username
mapper
surname
mapper
To use a username
attribute as a login name, we need to make sure this attribute is mapped in the LDAP Federation as well.
- Keycloak > User Federation > your federation > Mappers > Create. Create a new mapper called
username
of typeuser-attribute-ldap-mapper
following the screenshot below.
IDM configuration
To explore this further, let’s take care of IDM. We need to create a new Identity Provider and Directories, which will use this IdP.
- Keycloak > Realm > Realm Settings > General > Endpoints > SAML 2.0 Identity Provider Metadata
Copy the URL by clicking on it, or click on the link and copy the URL from the newly opened window with the XML metadata.
The link should look like this: https://SSO.DOMAIN/realms/REALM-NAME/protocol/saml/descriptor
- Login into VMware Identity Manager (IDM) > Administration Console > Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP
- provide the IdP name (can be any name)
- paste the SSO Metadata URL into the SAML Metadata window and click on Proceed IdP Metadata. Remove all Name ID formats except the
email
and/oruserName
(this should allow us to log into vRA with LDAP username or email attributes).
- Name ID format for
email
- Name ID format for
username
- Enable the Just-in-Time (JIT) provisioning feature and specify any name you want as a Directory Name (this is a display name) and a real domain name in the Domain (can support multiple domains). This will be shown to the user during the login process.
Think of JIT as a handy shortcut for user accounts. Instead of pre-creating them, your system magically pulls them out of thin air on a user’s first login. Here’s the catch: these accounts aren’t actual users like ones synchronized from LDAP/AD. They’re more like placeholder bookmarks. Each time someone logs in, the system checks for their bookmark. If it doesn’t exist, it whips one up instantly. Then, depending on your setup, it either:
- Redirects to Keycloak: This tells Keycloak to verify the user’s identity directly, essentially outsourcing the work.
- Checks LDAP/AD: It peeks into your existing directory to confirm the username and password match. The key here is no extra data gets copied or stored in your system. Everything remains in its original location, be it Keycloak, LDAP, or AD. This keeps things light and secure.
- Select ALL RANGES (this allows access to IDM from all IPs) or specify the IP range
- Provide an Authentication Method name (it can be any name) and SAML context from the screenshot below
- Save the changes
Let’s check if we have a new directory.
- IDM > Administration Console > Identity & Access Management > Directories. There, we should see a new directory of the type Just-In-Time
Configure vIDM policy
The IDM uses policies to control the authentication way. Let’s update it to use our brand-new IdP.
- IDM > Administration Console > Identity & Access Management > Policies
There is an option to edit a default policy or create a new one. For testing purposes, we’ll revise the default policy.
Because we’re using the browser to authenticate users, let’s edit the first policy rule.
Here, we need to select our SSO as a fallback authentication method.
SSO can be set as a primary authentication method. Still, in case of any issue with Keycloak, users will see the error page, and the IDM administrative console will not be available for access because everything will be redirected to SSO first. Just keep it in mind. PS. There is a backdoor if you can’t log in to IDM with an AD/LDAP user. Go to
https://idm/SAAS/login/0
Certificates
Export certificate
The last thing we need to do — certificates. SAML is all about certs. Therefore, we must add Keycloak’s certificate to the IDM’s Trusted CA store.
- Go to Keycloak
https://sso.domain
- Obtain Keycloak’s certificate from the browser and save it to the file
- Select Base-64 encoding
- Open the saved certificate with any text editor and copy and paste it into the IDM Trusted CAs store.
Import certificate
Building on what we’ve discussed, let’s add the certificate to the Identity Manager.
- IDM > Administration Console > Appliance Settings> Manage Configuration > Install SSL Certificates > Trusted CAs
Login in
It is time to test our setup. Go to the vRA login page and click on GO TO LOGIN PAGE.
vRA will redirect us to the IDM login page, proposing we use a built-in System Domain directory and our new SSO.DOMAIN directory
Select SSO.DOMAIN
from the dropdown menu, and IDM will redirect us to the Keycloak login page.
Provide the username and password, and if everything was done correctly, Keycloak should authenticate the user and redirect them back to vRA.