VMware Aria Automation + Keycloak + LDAP
I got an idea to check if using Keycloak as an IdP for VMware Aria Automation is possible. Let’s find out.
Keycloak configuration
Export vIDM metadata
Let’s explore integrating Keycloak (backed by Open LDAP) as an Identity Provider for VMware Identity Manager.
- Login into VMware Identity Manager (IDM) > Administration Console > Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP
VMware IDM
- Scroll down and download the Service Provider (SP) Metadata XML file. This metadata includes all the necessary information to create a new client in Keycloak.
VMware IDM
Create a new client
Now, let us proceed to access Keycloak and initiate the creation of a new client.
- Keycloak > Realm > Clients > Create > Import > select the saved XML metadata we downloaded previously > Save
Keycloak
- Enable / Disable the client options following the screenshots and save the changes
We’re using the
usernameas a Name ID Format, but it can be changed to any other attribute like
Keycloak
Keycloak
Now let’s create 4 mappers: email, givenName, userName, and surname.
- Keycloak > Realm > Clients > our IDM client > Mappers > Create
emailmapper
Keycloak
givenNamemapper
Keycloak
usernamemapper
Keycloak
surnamemapper
Keycloak
To use a username attribute as a login name, we need to make sure this attribute is mapped in the LDAP Federation as well.
- Keycloak > User Federation > your federation > Mappers > Create. Create a new mapper called
usernameof typeuser-attribute-ldap-mapperfollowing the screenshot below.
Keycloak
IDM configuration
To explore this further, let’s take care of IDM. We need to create a new Identity Provider and Directories, which will use this IdP.
- Keycloak > Realm > Realm Settings > General > Endpoints > SAML 2.0 Identity Provider Metadata
Copy the URL by clicking on it, or click on the link and copy the URL from the newly opened window with the XML metadata.
Keycloak
The link should look like this: https://SSO.DOMAIN/realms/REALM-NAME/protocol/saml/descriptor
- Login into VMware Identity Manager (IDM) > Administration Console > Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP
- provide the IdP name (can be any name)
- paste the SSO Metadata URL into the SAML Metadata window and click on Proceed IdP Metadata. Remove all Name ID formats except the
emailand/oruserName(this should allow us to log into vRA with LDAP username or email attributes).
VMware IDM
- Name ID format for
email
VMware IDM
- Name ID format for
username
VMware IDM
- Enable the Just-in-Time (JIT) provisioning feature and specify any name you want as a Directory Name (this is a display name) and a real domain name in the Domain (can support multiple domains). This will be shown to the user during the login process.
Think of JIT as a handy shortcut for user accounts. Instead of pre-creating them, your system magically pulls them out of thin air on a user’s first login. Here’s the catch: these accounts aren’t actual users like ones synchronized from LDAP/AD. They’re more like placeholder bookmarks. Each time someone logs in, the system checks for their bookmark. If it doesn’t exist, it whips one up instantly. Then, depending on your setup, it either:
- Redirects to Keycloak: This tells Keycloak to verify the user’s identity directly, essentially outsourcing the work.
- Checks LDAP/AD: It peeks into your existing directory to confirm the username and password match. The key here is no extra data gets copied or stored in your system. Everything remains in its original location, be it Keycloak, LDAP, or AD. This keeps things light and secure.
VMware IDM
- Select ALL RANGES (this allows access to IDM from all IPs) or specify the IP range
- Provide an Authentication Method name (it can be any name) and SAML context from the screenshot below
VMware IDM
VMware IDM
- Save the changes
Let’s check if we have a new directory.
- IDM > Administration Console > Identity & Access Management > Directories. There, we should see a new directory of the type Just-In-Time
VMware IDM
Configure vIDM policy
The IDM uses policies to control the authentication way. Let’s update it to use our brand-new IdP.
- IDM > Administration Console > Identity & Access Management > Policies
There is an option to edit a default policy or create a new one. For testing purposes, we’ll revise the default policy.
VMware IDM
Because we’re using the browser to authenticate users, let’s edit the first policy rule.
VMware IDM
Here, we need to select our SSO as a fallback authentication method.
VMware IDM
SSO can be set as a primary authentication method. Still, in case of any issue with Keycloak, users will see the error page, and the IDM administrative console will not be available for access because everything will be redirected to SSO first. Just keep it in mind. PS. There is a backdoor if you can’t log in to IDM with an AD/LDAP user. Go to
https://idm/SAAS/login/0
Certificates
Export certificate
The last thing we need to do — certificates. SAML is all about certs. Therefore, we must add Keycloak’s certificate to the IDM’s Trusted CA store.
- Go to Keycloak
https://sso.domain- Obtain Keycloak’s certificate from the browser and save it to the file
Keycloak
- Select Base-64 encoding
Keycloak
- Open the saved certificate with any text editor and copy and paste it into the IDM Trusted CAs store.
Import certificate
Building on what we’ve discussed, let’s add the certificate to the Identity Manager.
- IDM > Administration Console > Appliance Settings> Manage Configuration > Install SSL Certificates > Trusted CAs
VMware IDM
VMware IDM
Login in
It is time to test our setup. Go to the vRA login page and click on GO TO LOGIN PAGE.
vRA will redirect us to the IDM login page, proposing we use a built-in System Domain directory and our new SSO.DOMAIN directory
Select SSO.DOMAIN from the dropdown menu, and IDM will redirect us to the Keycloak login page.
Provide the username and password, and if everything was done correctly, Keycloak should authenticate the user and redirect them back to vRA.