Forum Discussion

fwebb_116789
Nov 03, 2014

APM SSO for VMware vCenter and vCloud Director

I currently have an HA pair of F5s running LTM, AFM + APM in front of a vCloud Director 5.5 deployment. I currently have users authenticate to APM and are provided a webtop based on AD Group Resource Assign. The users access their allowed areas of vCloud Director and Administrators can access vCenter server web client from a webtop. I would like to provide Single-Sign On to users accessing these areas. I can tell both vCenter and vCloud Director utilize some kind of form to send credentials. I believe they are both running Adobe Flex on the client side. Can anyone provide me assistance on how to pass credentials in this situation? Thank you

 

14 Replies

  • it really depends on the authentication mechanism of your application. if it's a traditional one you need to create an SSO form based profile and attach it in the resource menu of your access portal object. then add in the VPE an SSO credential mapping agent.

     

    if it's something more complicated you may need to play with a client initiated form SSO profile.

     

    you have some more info here:

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-4-0.html?sr=41450985

     

  • kunjan

    Since it's not HTML form based login, I guess you can't use the normal form based SSO here. May be an iRule be able to do the credential hard coding and trigger the login.

     

  • kunjan

    Are you able to do Fiddler or HTTPwatch on the vCenter webpage?

     

    Is there a POST to /vsphere-client/j_spring_security_check when you login?

     

  • Yes. The body of the WebForms view shows variables for:

     

    • j_username
    • locale
    • j_password
    • _spring_security_remember_me
  • And it looks like VMware Director has a POST to /cloud/security_check with variables for:

     

    • username
    • password
  • kunjan

    Is there a j_thumbprint variable too for vCenter? Seems this varies with the installation.

    I tried the following iRule which seems to be working, but may not be complete. Modify according to your setup. vCloud Director might be similar, but I don't have one to check.

    when HTTP_REQUEST {
        # ssoKey marks the responses this rule has to rewrite
        set ssoKey 0
        if { [HTTP::uri] ends_with "ui.jsp" } {
            # Only inject the logon form until this APM session has signed on once
            if { [ACCESS::session data get "session.custom.sso"] equals "" } {
                # Ask for an uncompressed response so the STREAM profile can rewrite it
                HTTP::header remove "Accept-Encoding"
                STREAM::disable
                set ssoKey 1
            }
        }
        if { [HTTP::uri] ends_with "j_spring_security_check" } {
            set ssoKey 1
        }
    }

    when HTTP_RESPONSE {
        if { $ssoKey equals 1 } {
            # Reply to the logon POST that points at ui.jsp: sign-on worked, remember it
            # for this session and send the browser on to the web client
            if { [HTTP::payload] contains "url:/vsphere-client/ui.jsp" } {
                ACCESS::session data set session.custom.sso 1
                HTTP::redirect "ui.jsp?extensionId=vsphere.core.folder.summaryView"
                return
            }

            # Credentials the user entered on the APM logon page, replayed to vCenter
            set j_username [ACCESS::session data get "session.logon.last.username"]
            set j_password [ACCESS::session data get "session.logon.last.password"]
            set j_serviceUrl {vc5.local}
            set j_thumbprint {00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00}

            # Hidden auto-submitting form carrying the variables above
            # (form markup not shown here)
            set vForm "
                
                    
                    "

            # Inject the form into the ui.jsp response
            STREAM::expression "@@$vForm@"
            STREAM::enable
        }
    }
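
To make the rewrite above concrete, here is an added Python model of what kunjan's iRule has to produce; it is not kunjan's code and not anything from F5. The action path, field names, success marker and the vc5.local / thumbprint placeholders come from this thread; the `</body>` marker, the helper names, the locale value and the sample credentials are assumptions. It also shows why the replayed values need HTML attribute escaping before they go into the hidden form.

```python
import html

# Login endpoint, field names and success marker seen in the thread for the vCenter web client.
LOGIN_ACTION = "/vsphere-client/j_spring_security_check"
LOGIN_OK_MARKER = "url:/vsphere-client/ui.jsp"
SSO_FLAG = "session.custom.sso"


def build_autosubmit_form(fields, action=LOGIN_ACTION):
    """Hidden form that submits itself on load. Every name and value is attribute-escaped:
    the credentials come from the APM logon page, so a password containing a quote or '<'
    must end up inside the value attribute rather than breaking out of the markup."""
    def esc(s):
        return html.escape(str(s), quote=True)
    inputs = "".join('<input type="hidden" name="%s" value="%s">' % (esc(n), esc(v))
                     for n, v in fields.items())
    form = '<form id="apmSso" method="POST" action="%s">%s</form>' % (esc(action), inputs)
    return form + '<script>document.getElementById("apmSso").submit();</script>'


def inject_before_body_end(body, snippet):
    """Stand-in for a STREAM rewrite keyed on the closing body tag (an assumed marker;
    the post's own STREAM::expression was not preserved)."""
    idx = body.lower().rfind("</body>")
    return body + snippet if idx < 0 else body[:idx] + snippet + body[idx:]


def handle_response(session, uri, body):
    """Model of the iRule's HTTP_RESPONSE branch over a dict of APM session variables.
    Returns ('redirect', url), ('inject', rewritten_body) or ('pass', body)."""
    if uri.endswith("j_spring_security_check") and LOGIN_OK_MARKER in body:
        session[SSO_FLAG] = 1          # sign-on succeeded; never inject again this session
        return "redirect", "ui.jsp?extensionId=vsphere.core.folder.summaryView"
    if uri.endswith("ui.jsp") and not session.get(SSO_FLAG):
        fields = {
            "j_username": session["session.logon.last.username"],
            "j_password": session["session.logon.last.password"],
            "j_serviceUrl": "vc5.local",  # placeholder value, as in kunjan's iRule
            "j_thumbprint": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
            "locale": "en_US",            # constructed sample value
            "_spring_security_remember_me": "false",
        }
        return "inject", inject_before_body_end(body, build_autosubmit_form(fields))
    return "pass", body


if __name__ == "__main__":
    # Constructed APM session: a password with characters that would break an unescaped form
    sess = {"session.logon.last.username": "alice", "session.logon.last.password": 'p"<s>&x'}
    print(handle_response(sess, "/vsphere-client/ui.jsp", "<html><body></body></html>")[1])
```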
    
    • fwebb_116789
      First of all, thank you. This really helps. I am working with this iRule. When I attempt to apply it to the virtual server, I get an error stating that a STREAM profile must be applied. Is it okay just to apply the parent stream profile, or are there any considerations that I need to take into consideration?
  • ebrc

    Hello everyone!

    I know this case is 6 years old but since I get the same issue with new vcloud director v10, I prefer to continue it instead of creating a new one.

    I'm unable to find a way to do SSO with the APM portal. Our goal is to show an APM portal where we can use a token and do SSO to log in to vCloud, but it's completely different from the older vCloud Director.

    The login page is like this: GET /login/?service=tenant:ORG-TEST&redirectTo=%2Ftenant%2FORG-TEST HTTP/1.1

    It contains the following:

    function onPageLoad() {
        setSessionCookie();

        disable('loginButton');
        tid = setInterval(handleLoginEnable, 200);

        document.getElementById('usernameInput').onkeydown = function(event) {
            if(event.keyCode == '13') {
                // switch to password field on enter
                document.getElementById("passwordInput").focus();
            }
            handleLoginEnable();
        };

        // Submit the form when ENTER is pressed.
        document.getElementById('tenantName').onkeyup = function(event) {
            if(event.keyCode == '13') {
                onSubmit();
            }
        };

        handleLoginEnable();
        hide('blankCanvas');

        // Focus tenant or username input. timeout is required as the dom is not rendered and focus is not set without the timeout
        window.setTimeout(function() {
            if (false) {
                document.getElementById("tenantName").focus();
            } else {
                document.getElementById("usernameInput").focus();
            }
        }, 150);

    }

    Once I do the login, it does this: POST /cloudapi/1.0.0/sessions HTTP/1.1

    With a JSON file which looks like

    {
      "id": "urn:vcloud:session:4cf167ea-1c96-46ed-9cd4-cbc5797aa128",
      "user": {"name": "sde", "id": "urn:vcloud:user:4538234e-c53c-4517-a81c-45acf8107b45"},
      "org": {"name": "ORG-TEST", "id": "urn:vcloud:org:673fe109-5da1-4179-9603-2bee17ffee01"},
      "location": "673fe109-5da1-4179-9603-2bee17ffee01@cf5ec229-07dd-44c1-a4a5-f119253df0ab",
      "roles": ["Organization Administrator"]
    }

    There is no clear parameter name.

    Do you think it is still possible to use APM on this?

    Thank you very much for your support!