vCloud Director 5.1.1 and SAML/SSO authentication

Posted on 16/10/2013 · Posted in VMware

The other day I was working on a brand new testbed for a vCloud 5.1.1 environment when I found out a really nice problem with vCD and SSO. In vCD administration, in the federation options you have the possibility to join vCloud Director to SSO. If you do this, on any of your vCloud Director nodes you won’t be able to authenticate to your cloud with either local or LDAP usernames. You will get an error message stating that the username/password is incorrect.

vCloud Director 5.1 SSO

To fix this issue I found an old post mentioning the same issue with an Oracle database (found here). The database is pretty much the same, if not identical, so it was easy to find the right table and make the change.

!!Do this change at your own risk!! Always make sure you have a way to get back if something goes wrong.

First off, verify the current setting in the database with a SELECT query:

-- List the configured identity providers; the SAML row is the one to look at
SELECT TOP 1000 [id]
      ,[org_id]
      ,[provider_type]
      ,[provider_definition_id]
      ,[is_enabled]
  FROM [vcloud].[dbo].[identity_provider]

Change the required line in the database with the following SQL command:

-- Disable the SAML provider (note: this affects every SAML row, not only one org)
UPDATE [vcloud].[dbo].[identity_provider] SET [is_enabled] = 0 WHERE provider_type = 'SAML'

And you can now log in using your local administrator account. For some reason enabling this breaks authentication even in vCloud 5.1.1. I haven’t tested it yet with vCloud Director 5.1.2, so it might be the same there.
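The same change as an added example (not from the original post), wrapped in a transaction with a backup copy of the affected rows so that the "way to get back" the warning above asks for actually exists. Table and column names are the ones shown in the post; the backup table name is an assumption.

```sql
-- Added example: disable the SAML identity provider reversibly.
-- Table and column names are those from the post; the backup table
-- name identity_provider_backup_saml is an assumed name.
SET XACT_ABORT ON;          -- any error rolls the whole transaction back
BEGIN TRANSACTION;

-- 1. Save the rows that are about to change (fails if the backup
--    table already exists, which aborts the transaction: by design).
SELECT [id], [org_id], [provider_type], [provider_definition_id], [is_enabled]
  INTO [vcloud].[dbo].[identity_provider_backup_saml]
  FROM [vcloud].[dbo].[identity_provider]
 WHERE [provider_type] = 'SAML' AND [is_enabled] = 1;

DECLARE @expected INT = @@ROWCOUNT;

-- 2. The change from the post, limited to rows that are currently enabled.
UPDATE [vcloud].[dbo].[identity_provider]
   SET [is_enabled] = 0
 WHERE [provider_type] = 'SAML' AND [is_enabled] = 1;

DECLARE @changed INT = @@ROWCOUNT;

-- 3. Commit only if exactly the backed-up rows were touched.
IF @changed = @expected
    COMMIT TRANSACTION;
ELSE
    ROLLBACK TRANSACTION;

-- To revert later, restore the saved is_enabled values by id:
-- UPDATE ip SET ip.[is_enabled] = b.[is_enabled]
--   FROM [vcloud].[dbo].[identity_provider] ip
--   JOIN [vcloud].[dbo].[identity_provider_backup_saml] b ON b.[id] = ip.[id];
```

Re-run the SELECT from above after the commit to confirm that only the SAML rows now show is_enabled = 0.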