Some notes on vIDM in general and ADFS integration

Over the last week I had my first contact with vIDM and the fine task to integrate it with ADFS for a customer and to do some tasks around NSX-T in my lab. There were some caveats I fell into and this page is more like my online notes in case you stumble here with the help of google fu.

Here are the reference sources for the ADFS integration:

The NSX-T integration with vIDM is described in great detail by my colleague Romain Decker (who has some awesome content on his blog btw).

Access denied or how to force local login

When my configuration didn’t work after following the guides, I was unable to get back to the admin console because I was redirected to my default authentication method. I then looked for a way to log in against the system domain. Use the following URL to force this:

https://<vidm>/SAAS/login/0

vIDM authentication methods for an IDP

When you create an Identity Provider (IDP), vIDM forces you to specify an authentication method. Both guides specify the classes

  • urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  • urn:federation:authentication:windows

During our debugging session I learned from the ADFS folks that these classes are not a universal standard or default, but depend on what your provider has configured. Unfortunately, this is a mandatory field and hence you need to talk to your ADFS team first about what they expect from you. If nothing else helps, set this to

  • urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

Change the authentication method for an IDP

So you created an IDP but made an error? You can only change the “authentication method” if it is not in use. Change the policy that uses this authentication method to another setting, make your changes and then re-include your authentication method in the policy.

Debugging SAML messages

When I configured the ADFS integration it didn’t work and I didn’t know why. The way forward was to capture the SAML message and see which error was returned. AWS provides a nice summary on how to capture the SAML response in your browser here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml_view-saml-response.html

Once you have the content you can use this page to decode the response and try to make sense of it all:

https://www.samltool.com/index.php
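As an added example (not part of the original notes, and not VMware or ADFS code), here is a small offline decoder for the captured SAMLResponse value that does what the two linked pages do: it base64-decodes the POST-binding value (and inflates the DEFLATE-compressed HTTP-Redirect form if that is what you captured), then pulls out the fields that matter when an ADFS integration fails: the top-level and nested StatusCode, the StatusMessage, the Issuer, the NameID, and the AuthnContextClassRef. The last one is exactly the value that has to agree with the authentication method configured on the vIDM IDP (see the section above), so the block also compares the asserted class against the configured one. The embedded response is a constructed, unsigned sample with made-up hostnames; it was not captured from a real system. Decoding locally also means you never paste a live assertion into a third-party website.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The three classes mentioned in the notes above.
KNOWN_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:federation:authentication:windows",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
}

# Constructed sample: a minimal, unsigned SAML 2.0 Response of the kind the browser
# posts to the vIDM ACS URL. Hostnames and IDs are placeholders, not real values.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2019-08-01T10:00:00Z"
    Destination="https://vidm.example.test/SAAS/auth/saml/response">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-08-01T10:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.test</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2019-08-01T10:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser's form field would contain for the sample (HTTP-POST binding).
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def encode_for_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (used here to test the inflate path)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_saml(value):
    """Turn a captured SAMLResponse/SAMLRequest value back into XML text.
    POST binding is plain base64; Redirect binding is DEFLATE-compressed before
    base64, so inflate when the decoded bytes do not already look like XML."""
    raw = base64.b64decode(value)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream without zlib header
    return raw.decode("utf-8")


def summarize(xml_text):
    """Extract the fields you look at first when the IDP handshake fails."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    sub = status.find("samlp:StatusCode", NS) if status is not None else None
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find(".//saml:NameID", NS)   # absent on a failed response
    ctx = root.find(".//saml:AuthnContextClassRef", NS)
    return {
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "status": status.get("Value") if status is not None else None,
        "substatus": sub.get("Value") if sub is not None else None,
        "status_message": msg.text if msg is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "authn_context": ctx.text if ctx is not None else None,
    }


def authn_context_matches(summary, configured_class):
    """True if the class the IdP asserted equals the one configured on the vIDM IDP."""
    return summary["authn_context"] is not None and summary["authn_context"] == configured_class


if __name__ == "__main__":
    s = summarize(decode_saml(SAMPLE_SAML_RESPONSE))
    for k, v in s.items():
        print(f"{k:15} {v}")
    print("known class:", s["authn_context"] in KNOWN_CLASSES)
    print("matches Password:",
          authn_context_matches(s, "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"))
```

Run it against your own capture by replacing SAMPLE_SAML_RESPONSE with the value of the SAMLResponse form field. A top-level StatusCode other than Success, usually with a Responder or Requester sub-code and a StatusMessage, points at the ADFS side; a Success response whose AuthnContextClassRef differs from the authentication method on the vIDM IDP points at the mismatch described in the authentication methods section.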

Get the vIDM certificate thumbprint

There is an official page in the VMware documentation, however I found that you can shorten it to this (with possible improvements to use OpenSSL remotely to reduce the steps further):

  • SSH to the vIDM host and log in as sshuser.
  • su root or sudo -s or whatever suits you to get root access
  • Change directory cd /usr/local/horizon/conf
  • Get the thumbprint: openssl x509 -in <FQDN of vIDM host>_cert.pem -noout -sha256 -fingerprint
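The remote variant mentioned above, as an added example (my own code, not from the VMware documentation): compute the same SHA-256 fingerprint that openssl x509 -sha256 -fingerprint prints, either from a PEM file such as the <FQDN>_cert.pem in /usr/local/horizon/conf or from the certificate the vIDM host presents on its TLS port, without logging in over SSH. The embedded PEM is a constructed placeholder (a base64-wrapped byte string, not a real certificate) so that the block runs offline; the fingerprint_from_server function needs network access and is not exercised by the sample.

```python
import base64
import hashlib
import ssl


def fingerprint_from_der(der):
    """SHA-256 over the DER-encoded certificate, formatted like openssl's -fingerprint output
    (upper-case hex pairs separated by colons)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem_text):
    # ssl.PEM_cert_to_DER_cert strips the BEGIN/END lines and base64-decodes the body.
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem_text))


def fingerprint_from_file(path):
    """Local variant: the <FQDN of vIDM host>_cert.pem file copied off the appliance."""
    with open(path) as f:
        return fingerprint_from_pem(f.read())


def fingerprint_from_server(host, port=443):
    """Remote variant: fetch the leaf certificate the host presents on its TLS port.
    Equivalent to piping openssl s_client output into openssl x509 -fingerprint."""
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))


# Constructed placeholder so the block runs offline; this is NOT a real certificate,
# only the PEM framing around an arbitrary byte string.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(fingerprint_from_pem(SAMPLE_PEM))
    # fingerprint_from_server("vidm.example.test")  # hostname is a placeholder
```

One caveat for the remote variant: it returns whatever certificate terminates TLS for that name, so if a load balancer sits in front of the appliance you get the load balancer's certificate, not the one in /usr/local/horizon/conf. Compare the two if the thumbprints disagree.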
Update 2019-08-01:

Find the vIDM debug logs

The bulk of the vIDM log files is not in the standard directory /var/log.

  • SSH to the vIDM host and log in as sshuser.
  • su root or sudo -s or whatever suits you to get root access
  • Change directory to /opt/vmware/horizon/workspace/logs
  • If you need to increase the verbosity, edit /usr/local/horizon/conf/saas-log4j.properties