vIDM based authentication in vRSLCM | deep-dive |

Updated: Mar 9

Added an AD group to vRSLCM and assigned all available roles to that group:

Content Developer
Content Release Manager
LCM Cloud Admin
Certificate Administrator

From a logs perspective, these are the actions performed in the background when you add a group and map roles to it.

### vIDM Search group task is initiated ###

2022-07-27 22:50:12.085 INFO  [pool-3-thread-13] c.v.v.l.v.c.t.s.VidmSearchUserGroupTask -  -- Starting :: vIDM Search User Group task 
2022-07-27 22:50:12.359 INFO  [pool-3-thread-13] c.v.v.l.v.d.r.c.VidmRestClient -  -- API Response Status : 200 Response Message : {"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]} 
2022-07-27 22:50:12.359 INFO  [pool-3-thread-48] c.v.v.l.v.d.r.c.VidmRestClient -  -- API Response Status : 200 Response Message : {"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]} 
2022-07-27 22:50:12.362 INFO  [pool-3-thread-48] c.v.v.l.v.d.r.u.VidmUserGroupMgmtRestUtil -  -- Get User response : VidmRestClientResponseDTO [statusCode=200, responseMessage={"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]}] 
2022-07-27 22:50:12.364 INFO  [pool-3-thread-13] c.v.v.l.v.d.r.u.VidmUserGroupMgmtRestUtil -  -- Get User response : VidmRestClientResponseDTO [statusCode=200, responseMessage={"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]}] 
2022-07-27 22:50:12.367 INFO  [pool-3-thread-48] c.v.v.l.c.l.MaskingPrintStream -  -- * SYSOUT/SYSERR CAPTURED:  -- Get User response : VidmRestClientResponseDTO [statusCode=200, responseMessage={"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]}] 
2022-07-27 22:50:12.369 INFO  [pool-3-thread-13] c.v.v.l.c.l.MaskingPrintStream -  -- * SYSOUT/SYSERR CAPTURED:  -- Get User response : VidmRestClientResponseDTO [statusCode=200, responseMessage={"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":[],"Resources":[]}]

### Group Search Task is successful ###

2022-07-27 22:50:12.429 INFO  [pool-3-thread-13] c.v.v.l.v.d.r.c.VidmRestClient -  -- API Response Status : 200 Response Message : {"totalResults":1,"itemsPerPage":1,"startIndex":1,"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:workspace:1.0"],"Resources":[{"id":"7e8dbd36-da3b-4277-a42a-f3a3c5893faa","meta":{"created":"2022-02-14T00:56:55.862Z","lastModified":"2022-02-14T00:56:55.862Z","location":"https://idm.cap.org/SAAS/jersey/manager/api/scim/Groups/7e8dbd36-da3b-4277-a42a-f3a3c5893faa","version":"W/\"1644800215862\""},"displayName":"capadmins@cap.org","externalId":"05da97d4-1269-48a2-94e9-1b7e4e4c9ea5","urn:scim:schemas:extension:workspace:1.0":{"distinguishedName":"CN=capadmins,CN=Users,DC=cap,DC=org","domain":"cap.org","internalGroupType":"EXTERNAL"}}]}
2022-07-27 22:50:12.429 INFO  [pool-3-thread-48] c.v.v.l.v.d.r.c.VidmRestClient -  -- API Response Status : 200 Response Message : {"totalResults":2,"itemsPerPage":2,"startIndex":1,"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:workspace:1.0"],"Resources":[{"id":"5fcb2bcd-4270-483e-9718-34d6b9139614","meta":{"created":"2022-02-14T00:56:55.863Z","lastModified":"2022-02-14T00:56:55.863Z","location":"https://idm.cap.org/SAAS/jersey/manager/api/scim/Groups/5fcb2bcd-4270-483e-9718-34d6b9139614","version":"W/\"1644800215863\""},"displayName":"premadmins@cap.org","externalId":"20acbbd4-07d3-46ff-922c-a6c6daaf1664","urn:scim:schemas:extension:workspace:1.0":{"distinguishedName":"CN=premadmins,CN=Users,DC=cap,DC=org","domain":"cap.org","internalGroupType":"EXTERNAL"}},{"id":"7e8dbd36-da3b-4277-a42a-f3a3c5893faa","meta":{"created":"2022-02-14T00:56:55.862Z","lastModified":"2022-02-14T00:56:55.862Z","location":"https://idm.cap.org/SAAS/jersey/manager/api/scim/Groups/7e8dbd36-da3b-4277-a42a-f3a3c5893faa","version":"W/\"1644800215862\""},"displayName":"capadmins@cap.org","externalId":"05da97d4-1269-48a2-94e9-1b7e4e4c9ea5","urn:scim:schemas:extension:workspace:1.0":{"distinguishedName":"CN=capadmins,CN=Users,DC=cap,DC=org","domain":"cap.org","internalGroupType":"EXTERNAL"}}]} 
2022-07-27 22:50:12.431 INFO  [pool-3-thread-13] c.v.v.l.v.d.r.u.VidmUserGroupMgmtRestUtil -  -- Get Group response : VidmRestClientResponseDTO [statusCode=200, responseMessage={"totalResults":1,"itemsPerPage":1,"startIndex":1,"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:workspace:1.0"],"Resources":[{"id":"7e8dbd36-da3b-4277-a42a-f3a3c5893faa","meta":{"created":"2022-02-14T00:56:55.862Z","lastModified":"2022-02-14T00:56:55.862Z","location":"https://idm.cap.org/SAAS/jersey/manager/api/scim/Groups/7e8dbd36-da3b-4277-a42a-f3a3c5893faa","version":"W/\"1644800215862\""},"displayName":"capadmins@cap.org","externalId":"05da97d4-1269-48a2-94e9-1b7e4e4c9ea5","urn:scim:schemas:extension:workspace:1.0":{"distinguishedName":"CN=capadmins,CN=Users,DC=cap,DC=org","domain":"cap.org","internalGroupType":"EXTERNAL"}}]}] 

2022-07-27 22:50:12.708 INFO  [pool-3-thread-48] c.v.v.l.c.l.MaskingPrintStream -  -- * SYSOUT/SYSERR CAPTURED:  -- Task Result : {"status":"SUCCESS","statusCode":200,"responseType":"com.vmware.vrealize.lcm.vidm.request.common.dto.ad.VidmFormattedUserNGrpListDTO","response":{"vidmUsers":[],"vidmGroups":[{"displayName":"premadmins@cap.org","groupType":"EXTERNAL","providerIdentifier":"5fcb2bcd-4270-483e-9718-34d6b9139614","domain":"cap.org","isDisabled":false,"groupMetadata":{"distinguishedName":"CN=premadmins,CN=Users,DC=cap,DC=org","externalId":"20acbbd4-07d3-46ff-922c-a6c6daaf1664","additionalMeta":[]}},{"displayName":"capadmins@cap.org","groupType":"EXTERNAL","providerIdentifier":"7e8dbd36-da3b-4277-a42a-f3a3c5893faa","domain":"cap.org","isDisabled":false,"groupMetadata":{"distinguishedName":"CN=capadmins,CN=Users,DC=cap,DC=org","externalId":"05da97d4-1269-48a2-94e9-1b7e4e4c9ea5","additionalMeta":[]}}]},"message":null,"currentState":null,"currentTask":null} 
2022-07-27 22:50:12.708 INFO  [pool-3-thread-48] c.v.v.l.p.a.s.Task -  -- Injecting Edge :: OnVidmSearchUserGrpSuccess
*
*

2022-07-27 22:50:13.164 INFO  [scheduling-1] c.v.v.l.a.c.EventProcessor -  -- INITIALIZING NEW EVENT :: { 
  "vmid" : "ab8c333e-5019-4df7-969f-8511af14dac8", 
  "transactionId" : null, 
  "tenant" : "default", 
  "createdBy" : "root", 
  "lastModifiedBy" : "root", 
  "createdOn" : 1658962212711, 
  "lastUpdatedOn" : 1658962213127, 
  "version" : "8.1.0.0", 
  "vrn" : null, 
  "eventName" : "OnVidmSearchUserGrpSuccess", 
  "currentState" : null, 
  "eventArgument" : "{\"componentSpec\":{\"name\":\"componentSpec\",\"type\":\"com.vmware.vrealize.lcm.domain.ComponentDeploymentSpecification\",\"value\":\"{\\\"component\\\":{\\\"symbolicName\\\":\\\"searchusergrp\\\",\\\"type\\\":null,\\\"componentVersion\\\":null,\\\"properties\\\":{\\\"vidmSearchUserRequestDTO\\\":\\\"{\\\\\\\"vidmHost\\\\\\\":\\\\\\\"idm.cap.org\\\\\\\",\\\\\\\"vidmTenant\\\\\\\":null,\\\\\\\"useServiceClient\\\\\\\":false,\\\\\\\"isTenantConfiguredByPath\\\\\\\":false,\\\\\\\"vidmAdminUser\\\\\\\":\\\\\\\"admin\\\\\\\",\\\\\\\"vidmAdminPassword\\\\\\\":\\\\\\\"JXJXJXJX\\\\\\\",\\\\\\\"vidmOAuthServiceClientId\\\\\\\":\\\\\\\"Service__OAuth2Client\\\\\\\",\\\\\\\"vidmOAuthServiceClientSecret\\\\\\\":\\\\\\\"JXJXJXJX\\\\\\\",\\\\\\\"vidmDomainName\\\\\\\":\\\\\\\"cap.org\\\\\\\",\\\\\\\"baseTenantHostname\\\\\\\":KXKXKXKX,\\\\\\\"requestId\\\\\\\":null,\\\\\\\"searchString\\\\\\\":\\\\\\\"cap\\\\\\\"}\\\",\\\"isVcfUser\\\":\\\"false\\\",\\\"hostName\\\":\\\"idm.cap.org\\\",\\\"vidmTenant\\\":null,\\\"useServiceClient\\\":\\\"true\\\",\\\"__isTenantByPath\\\":\\\"false\\\",\\\"vidmOAuthServiceClientId\\\":\\\"Service__OAuth2Client\\\",\\\"vidmOAuthServiceClientSecret\\\":\\\"JXJXJXJX\\\",\\\"vidmAdminUser\\\":\\\"admin\\\",\\\"vidmAdminPassword\\\":\\\"JXJXJXJX\\\",\\\"vidmDomainName\\\":\\\"cap.org\\\",\\\"vidmBaseTenantHostname\\\":KXKXKXKX,\\\"searchString\\\":\\\"cap\\\"}},\\\"priority\\\":0}\"}}", 
  "status" : "CREATED", 
  "stateMachineInstance" : "556b76d2-a8a0-4489-a382-c13f565d6d5c", 
  "errorCause" : null, 
  "sequence" : 563259, 
  "eventLock" : 1, 
  "engineNodeId" : "lcm.cap.org" 
}
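To make the search step concrete, here is an added example (my own code, not vRSLCM or vIDM code) that turns the SCIM group search response logged by VidmRestClient above into the flat group list the "Task Result" line reports, and then picks the one group the admin chose. Output field names follow the Task Result JSON on this page; the function names and the exact-match rule are my own. Note that the search string "cap" matched two groups, so the UI selection, not the search, decides which group gets the roles; the SCIM `id` (logged later as providerIdentifier) is the stable key, and with two AD domains in vIDM the domain belongs in the match as well.

```python
"""Added example (not vRSLCM or vIDM code): SCIM group search response
-> vidmGroups list -> the single selected group."""
import json
from typing import Dict, List, Optional

# SCIM extension schema that carries the AD-specific attributes.
WORKSPACE_EXT = "urn:scim:schemas:extension:workspace:1.0"

# Sample response, copied (meta/location fields dropped) from the log excerpt above.
SAMPLE_SCIM_RESPONSE = json.dumps({
    "totalResults": 2, "itemsPerPage": 2, "startIndex": 1,
    "schemas": ["urn:scim:schemas:core:1.0", WORKSPACE_EXT],
    "Resources": [
        {"id": "5fcb2bcd-4270-483e-9718-34d6b9139614",
         "displayName": "premadmins@cap.org",
         "externalId": "20acbbd4-07d3-46ff-922c-a6c6daaf1664",
         WORKSPACE_EXT: {"distinguishedName": "CN=premadmins,CN=Users,DC=cap,DC=org",
                         "domain": "cap.org", "internalGroupType": "EXTERNAL"}},
        {"id": "7e8dbd36-da3b-4277-a42a-f3a3c5893faa",
         "displayName": "capadmins@cap.org",
         "externalId": "05da97d4-1269-48a2-94e9-1b7e4e4c9ea5",
         WORKSPACE_EXT: {"distinguishedName": "CN=capadmins,CN=Users,DC=cap,DC=org",
                         "domain": "cap.org", "internalGroupType": "EXTERNAL"}},
    ],
})


def format_groups(scim_json: str) -> List[Dict]:
    """Map each SCIM Group resource to a vidmGroups entry.

    providerIdentifier is the SCIM 'id', which is what vRSLCM later stores
    on the Group entity; the displayName is only a label.
    """
    doc = json.loads(scim_json)
    groups = []
    for res in doc.get("Resources", []):
        ext = res.get(WORKSPACE_EXT, {})
        groups.append({
            "displayName": res["displayName"],
            "groupType": ext.get("internalGroupType", "UNKNOWN"),
            "providerIdentifier": res["id"],
            "domain": ext.get("domain"),
            # The SCIM resource above carries no disabled flag; the Task
            # Result reports false, so false is assumed here.
            "isDisabled": False,
            "groupMetadata": {
                "distinguishedName": ext.get("distinguishedName"),
                "externalId": res.get("externalId"),
                "additionalMeta": [],
            },
        })
    return groups


def select_group(scim_json: str, display_name: str, domain: str) -> Optional[Dict]:
    """Return the single group matching name AND domain, else None.

    A substring search ('cap' matched two groups above) is never trusted to
    return the intended group; the same group name can exist in two AD
    domains, so the domain is part of the key and ambiguity yields None.
    """
    matches = [g for g in format_groups(scim_json)
               if g["displayName"] == display_name and g["domain"] == domain]
    return matches[0] if len(matches) == 1 else None


def group_ids_by_name(scim_json: str) -> Dict[str, str]:
    """displayName -> providerIdentifier, for reading the Group Entity log line."""
    return {g["displayName"]: g["providerIdentifier"] for g in format_groups(scim_json)}


if __name__ == "__main__":
    chosen = select_group(SAMPLE_SCIM_RESPONSE, "capadmins@cap.org", "cap.org")
    print(json.dumps(chosen, indent=2))
```

The `providerIdentifier` printed for capadmins@cap.org is the same value that appears in the "Group Entity" line of the role-mapping step, which is how the two log sections can be tied together.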

### Role Mapping being performed ###

2022-07-27 22:50:34.634 INFO  [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Entity : Group [displayName=capadmins@cap.org, groupType=EXTERNAL, providerIdentifier=7e8dbd36-da3b-4277-a42a-f3a3c5893faa, domain=cap.org, isDisabled=false, groupMetadata={"distinguishedName":"CN=capadmins,CN=Users,DC=cap,DC=org","externalId":"05da97d4-1269-48a2-94e9-1b7e4e4c9ea5","additionalMeta":[]}] 
2022-07-27 22:50:35.223 INFO  [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=65da899f-8483-426c-a2a6-1cb5eb53260a] 
2022-07-27 22:50:35.321 INFO  [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=d5fea331-6576-407f-82b3-fd115541e059] 
2022-07-27 22:50:35.322 INFO  [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=eed92b61-31d2-4024-b550-a008e10c4c8d] 
2022-07-27 22:50:35.323 INFO  [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=f09ef48e-42ef-4613-8646-c62c56730c41] 
2022-07-27 22:50:35.369 INFO  [http-nio-8080-exec-7] c.v.v.l.c.l.MaskingPrintStream -  -- * SYSOUT/SYSERR CAPTURED:  -- Created Group vmid : 0d35fb24-84d2-4f5a-8c38-81b32120f08f 
2022-07-27 22:50:35.552 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=65da899f-8483-426c-a2a6-1cb5eb53260a] 
2022-07-27 22:50:35.552 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=d5fea331-6576-407f-82b3-fd115541e059] 
2022-07-27 22:50:35.553 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=eed92b61-31d2-4024-b550-a008e10c4c8d] 
2022-07-27 22:50:35.553 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=f09ef48e-42ef-4613-8646-c62c56730c41] 
2022-07-27 22:50:35.554 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Role DTO : RoleDTO [vmid=65da899f-8483-426c-a2a6-1cb5eb53260a, roleName=Content Developer, roleDescription=Content developer] 
2022-07-27 22:50:35.561 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Role DTO : RoleDTO [vmid=d5fea331-6576-407f-82b3-fd115541e059, roleName=Content Release Manager, roleDescription=Content Release Manager] 
2022-07-27 22:50:35.562 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Role DTO : RoleDTO [vmid=eed92b61-31d2-4024-b550-a008e10c4c8d, roleName=LCM Cloud Admin, roleDescription=vRealize Lifecycle Manager Cloud Admin] 
2022-07-27 22:50:35.563 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Role DTO : RoleDTO [vmid=f09ef48e-42ef-4613-8646-c62c56730c41, roleName=Certificate Administrator, roleDescription=Administrator for Certificate operations] 
2022-07-27 22:50:35.564 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group DTO : GroupDTO [vmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, displayName=capadmins@cap.org, groupType=EXTERNAL, providerIdentifier=7e8dbd36-da3b-4277-a42a-f3a3c5893faa, domain=cap.org, isDisabled=false, groupMetadata=GroupMetadataDTO [distinguishedName=CN=capadmins,CN=Users,DC=cap,DC=org, externalId=05da97d4-1269-48a2-94e9-1b7e4e4c9ea5, additionalMeta=[]], roleMappings=[RoleDTO [vmid=65da899f-8483-426c-a2a6-1cb5eb53260a, roleName=Content Developer, roleDescription=Content developer], RoleDTO [vmid=d5fea331-6576-407f-82b3-fd115541e059, roleName=Content Release Manager, roleDescription=Content Release Manager], RoleDTO [vmid=eed92b61-31d2-4024-b550-a008e10c4c8d, roleName=LCM Cloud Admin, roleDescription=vRealize Lifecycle Manager Cloud Admin], RoleDTO [vmid=f09ef48e-42ef-4613-8646-c62c56730c41, roleName=Certificate Administrator, roleDescription=Administrator for Certificate operations]]]
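The mapping lines above only carry vmids, so reading them by eye means cross-referencing four UUIDs against the "Role DTO" lines. Here is an added example (my own code, not vRSLCM code) that reconciles the "Group Role Mapping" and "Role DTO" lines into a per-group role list, the way you would audit what an AD group was actually granted, and reports which groups hold a given role. The regexes and function names are my own; the sample lines are copied from the log excerpt on this page, with the long GroupDTO line abridged.

```python
"""Added example (not vRSLCM code): reconcile role-mapping log lines into
a readable grant table and a 'who holds this role' lookup."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Sample: copied from the log excerpt above (GroupDTO line abridged).
SAMPLE_LOG = """\
2022-07-27 22:50:35.223 INFO  [http-nio-8080-exec-7] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping Entity : GroupRoleMapping [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=65da899f-8483-426c-a2a6-1cb5eb53260a]
2022-07-27 22:50:35.552 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=d5fea331-6576-407f-82b3-fd115541e059]
2022-07-27 22:50:35.553 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=eed92b61-31d2-4024-b550-a008e10c4c8d]
2022-07-27 22:50:35.553 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group Role Mapping DTO : GroupRoleMappingDTO [groupvmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, rolevmid=f09ef48e-42ef-4613-8646-c62c56730c41]
2022-07-27 22:50:35.554 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Role DTO : RoleDTO [vmid=65da899f-8483-426c-a2a6-1cb5eb53260a, roleName=Content Developer, roleDescription=Content developer]
2022-07-27 22:50:35.561 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Role DTO : RoleDTO [vmid=d5fea331-6576-407f-82b3-fd115541e059, roleName=Content Release Manager, roleDescription=Content Release Manager]
2022-07-27 22:50:35.562 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Role DTO : RoleDTO [vmid=eed92b61-31d2-4024-b550-a008e10c4c8d, roleName=LCM Cloud Admin, roleDescription=vRealize Lifecycle Manager Cloud Admin]
2022-07-27 22:50:35.563 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Role DTO : RoleDTO [vmid=f09ef48e-42ef-4613-8646-c62c56730c41, roleName=Certificate Administrator, roleDescription=Administrator for Certificate operations]
2022-07-27 22:50:35.564 INFO  [http-nio-8080-exec-6] c.v.v.l.a.c.AuthznCustomObjectMapper -  -- Group DTO : GroupDTO [vmid=0d35fb24-84d2-4f5a-8c38-81b32120f08f, displayName=capadmins@cap.org, groupType=EXTERNAL, domain=cap.org]
"""

UUID = r"[0-9a-f-]{36}"
# Both the 'Entity' and the 'DTO' mapping lines carry the same two ids.
MAPPING_RE = re.compile(rf"GroupRoleMapping(?:DTO)? \[groupvmid=({UUID}), rolevmid=({UUID})\]")
ROLE_RE = re.compile(rf"RoleDTO \[vmid=({UUID}), roleName=([^,\]]+),")
GROUP_RE = re.compile(rf"GroupDTO \[vmid=({UUID}), displayName=([^,\]]+),")


def role_grants(log_text: str) -> Dict[str, Set[str]]:
    """group vmid -> set of role vmids seen in mapping lines."""
    grants: Dict[str, Set[str]] = defaultdict(set)
    for group_vmid, role_vmid in MAPPING_RE.findall(log_text):
        grants[group_vmid].add(role_vmid)
    return dict(grants)


def role_names(log_text: str) -> Dict[str, str]:
    """role vmid -> roleName, from the Role DTO lines."""
    return {vmid: name.strip() for vmid, name in ROLE_RE.findall(log_text)}


def group_names(log_text: str) -> Dict[str, str]:
    """group vmid -> displayName, from the Group DTO line."""
    return {vmid: name.strip() for vmid, name in GROUP_RE.findall(log_text)}


def roles_by_group(log_text: str) -> Dict[str, List[str]]:
    """Readable grant table; ids with no DTO line stay visible as 'unknown:<vmid>'."""
    names, groups = role_names(log_text), group_names(log_text)
    table: Dict[str, List[str]] = {}
    for group_vmid, role_vmids in role_grants(log_text).items():
        label = groups.get(group_vmid, f"unknown:{group_vmid}")
        table[label] = sorted(names.get(r, f"unknown:{r}") for r in role_vmids)
    return table


def groups_holding(log_text: str, role_name: str) -> List[str]:
    """Which groups were granted a given role, e.g. 'LCM Cloud Admin'."""
    return sorted(g for g, roles in roles_by_group(log_text).items() if role_name in roles)


if __name__ == "__main__":
    for group, roles in roles_by_group(SAMPLE_LOG).items():
        print(group, "->", ", ".join(roles))
    print("LCM Cloud Admin held by:", groups_holding(SAMPLE_LOG, "LCM Cloud Admin"))
```

Run against a full vRSLCM log rather than the excerpt, the `groups_holding` lookup gives a quick privilege review: every AD group that ends up with LCM Cloud Admin is one whose AD membership now controls admin access to the appliance.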

I would now use one of the members of the AD group to log in. Since I am using vIDM as my authentication source, I switch to it instead of the local user and then click "LOGIN WITH IDENTITY MANAGER".

There are two domains, and I'll be using the first one, CAP.ORG, as the group to which the permissions have been assigned belongs to this domain.

The user logs in.

Authentication and authorization are now complete.

Let's trace the login sequence from a logs perspective.

### Password-based authentication begins at the connector as soon as you click Sign In after entering the username and password ###
### Reference: connector.log (vIDM) ###

2022-07-27T23:09:13,502 INFO  (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : email 
2022-07-27T23:09:13,502 INFO  (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter -  User Email attribute : 
2022-07-27T23:09:13,502 INFO  (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - outside if  : email    HIDDEN 
2022-07-27T23:09:13,502 INFO  (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : userInput 
2022-07-27T23:09:13,502 INFO  (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - outside if  : userInput    HIDDEN 
2022-07-27T23:09:13,502 INFO  (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : username 
2022-07-27T23:09:13,502 INFO  (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : password 
2022-07-27T23:09:13,502 INFO  (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : forgotPasswd 
2022-07-27T23:09:13,502 INFO  (Thread-10) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - attribute : signIn 
2022-07-27T23:09:29,395 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.directory.ldap.LdapDirectoryService - Password-based authentication: arun@cap.org - BEGIN 
2022-07-27T23:09:29,433 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.directory.ldap.dc.service.context.JNDIContextFetcher - LDAP Context env Json Values: { 
  "java.naming.factory.initial" : "com.sun.jndi.ldap.LdapCtxFactory", 
  "javax.security.sasl.server.authentication" : "true", 
  "com.sun.jndi.ldap.connect.timeout" : "5000", 
  "java.naming.ldap.attributes.binary" : "objectGUID pae-IconData objectSid securityIdentifier", 
  "javax.security.sasl.strength" : "high,medium,low", 
  "javax.security.sasl.qop" : "auth-conf,auth-int,auth", 
  "com.sun.jndi.ldap.read.timeout" : "600000", 
  "java.naming.provider.url" : "ldap://ad.cap.org:389", 
  "java.naming.security.authentication" : "GSSAPI" 
}
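The "LDAP Context env" block above is the most security-relevant line in the whole trace: it shows how the connector binds to AD (GSSAPI over plain `ldap://:389`, with `auth-conf` preferred, and server authentication required). Here is an added example (my own code, not vIDM code) that reviews such an environment for the settings that decide whether the bind and the directory traffic are protected on the wire. The keys are the JNDI/JDK property names as they appear in the log line; the checks, severities and function names are my own, and the sample is copied from the log above.

```python
"""Added example (not vIDM code): audit a JNDI LDAP context environment as
logged by the vIDM connector for transport-protection issues."""
import json
from typing import Dict, List, Tuple

# Sample: copied from the JNDIContextFetcher line on this page.
SAMPLE_ENV = json.dumps({
    "java.naming.factory.initial": "com.sun.jndi.ldap.LdapCtxFactory",
    "javax.security.sasl.server.authentication": "true",
    "com.sun.jndi.ldap.connect.timeout": "5000",
    "java.naming.ldap.attributes.binary": "objectGUID pae-IconData objectSid securityIdentifier",
    "javax.security.sasl.strength": "high,medium,low",
    "javax.security.sasl.qop": "auth-conf,auth-int,auth",
    "com.sun.jndi.ldap.read.timeout": "600000",
    "java.naming.provider.url": "ldap://ad.cap.org:389",
    "java.naming.security.authentication": "GSSAPI",
})

Finding = Tuple[str, str]  # (severity, message)
SEVERITY_ORDER = ["info", "low", "medium", "high"]


def with_overrides(env_json: str, overrides: Dict[str, str]) -> str:
    """Copy of the environment with some keys replaced, for what-if checks."""
    env = json.loads(env_json)
    env.update(overrides)
    return json.dumps(env)


def audit_ldap_env(env_json: str) -> List[Finding]:
    env = json.loads(env_json)
    findings: List[Finding] = []
    url = env.get("java.naming.provider.url", "")
    mech = env.get("java.naming.security.authentication", "simple").lower()
    qop = [q.strip() for q in env.get("javax.security.sasl.qop", "auth").split(",")]
    plain_transport = url.startswith("ldap://")  # no TLS unless SASL adds a layer

    if mech == "simple" and plain_transport:
        findings.append(("high", "simple bind over ldap://: the bind password crosses the network in the clear"))
    if mech == "none":
        findings.append(("high", "anonymous bind: directory answers are unauthenticated"))
    if mech == "gssapi":
        # The qop list is an ordered preference; the first entry the DC also
        # offers wins.  auth-conf = Kerberos-encrypted session after the bind.
        if qop[0] != "auth-conf":
            findings.append(("medium", "GSSAPI without auth-conf preferred: traffic after the bind is not encrypted by SASL"))
        elif "auth" in qop and plain_transport:
            findings.append(("low", "qop list falls back to plain 'auth': a DC offering no integrity/confidentiality layer gets an unprotected session over ldap://"))
        if env.get("javax.security.sasl.server.authentication", "false").lower() != "true":
            findings.append(("medium", "SASL server authentication off: the connector does not require the DC to prove its identity"))
    read_ms = int(env.get("com.sun.jndi.ldap.read.timeout", "0"))
    if read_ms == 0 or read_ms > 60_000:
        findings.append(("info", f"read timeout {read_ms} ms: a stalled DC holds a login thread for that long"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' for a clean environment."""
    if not findings:
        return "none"
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    for sev, msg in audit_ldap_env(SAMPLE_ENV):
        print(f"[{sev}] {msg}")
```

For the environment on this page the result is a "low" (the qop list still permits a fallback to `auth`) and an "info" on the ten-minute read timeout; switching the same environment to a simple bind over `ldap://` would raise a "high", while `ldaps://` with a shorter read timeout yields no findings.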

### Password based authentication is now successful ###

2022-07-27T23:09:29,443 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.directory.ldap.LdapDirectoryService - Password-based authentication: arun@cap.org - SUCCESS

### The connector states login is successful for user arun, then hands the SAML request info to the IdP-initiated SSO controller ###

2022-07-27T23:09:29,443 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - Login: arun - SUCCESS 
2022-07-27T23:09:29,443 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.connector.controller.AdapterLoginController - samlRequestInfo: SamlRequestInfo[acsUrl=https://idm.cap.org/SAAS/auth/saml/response,relayState=dfe41fd6-446a-4945-9a55-91534817100d,nameId=<null>,requestId=_35a6cdf1404211eefc1b8baed576d91b,authnContextClassRefList=[urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport]] 
2022-07-27T23:09:29,444 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlRequestInfo: SamlRequestInfo[acsUrl=https://idm.cap.org/SAAS/auth/saml/response,relayState=dfe41fd6-446a-4945-9a55-91534817100d,nameId=<null>,requestId=_35a6cdf1404211eefc1b8baed576d91b,authnContextClassRefList=[urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport]]

--------------------------------------------------------------------------
### horizon.log in vIDM states login succeeded after the connector confirms it ###
### Reference: horizon.log ###

2022-07-27T23:09:30,131 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.components.authentication.monitoring.LoginMetricsPublisher - Login succeeded.
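The full sequence is: LDAP BEGIN, LDAP SUCCESS, adapter "Login: arun - SUCCESS", the SAML request info handed to the SSO controllers, and finally horizon.log's "Login succeeded." Here is an added example (my own code, not vIDM code) that parses the connector.log and horizon.log lines above into that sequence for one user, so that a broken or odd sequence stands out: a BEGIN with no SUCCESS, an adapter success without a directory success, a SAML ACS URL that does not point at the vIDM host you expect, or an authentication context other than PasswordProtectedTransport. The line regex is my reading of the format shown on this page; the expected ACS host is an assumption the caller supplies; the sample lines are copied from the excerpts above. Lines are correlated by thread name because the adapter and SAML lines do not carry the user principal; in a busy connector log you would also bound that by a time window.

```python
"""Added example (not vIDM code): reconstruct and sanity-check one user's
password login sequence from connector.log / horizon.log lines."""
import re
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Sample: copied from the connector.log / horizon.log excerpts on this page.
SAMPLE_LINES = [
    "2022-07-27T23:09:29,395 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.directory.ldap.LdapDirectoryService - Password-based authentication: arun@cap.org - BEGIN",
    "2022-07-27T23:09:29,443 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.directory.ldap.LdapDirectoryService - Password-based authentication: arun@cap.org - SUCCESS",
    "2022-07-27T23:09:29,443 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.adapters.passwordAdapter.PasswordIdpAdapter - Login: arun - SUCCESS",
    "2022-07-27T23:09:29,443 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.connector.controller.AdapterLoginController - samlRequestInfo: SamlRequestInfo[acsUrl=https://idm.cap.org/SAAS/auth/saml/response,relayState=dfe41fd6-446a-4945-9a55-91534817100d,nameId=<null>,requestId=_35a6cdf1404211eefc1b8baed576d91b,authnContextClassRefList=[urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport]]",
    "2022-07-27T23:09:30,131 INFO  (Thread-3) [IDM;-;10.104.68.224;] com.vmware.horizon.components.authentication.monitoring.LoginMetricsPublisher - Login succeeded.",
]

# timestamp level (thread) [ctx] logger - message
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+)\s+\((?P<thread>[^)]+)\) \[(?P<ctx>[^\]]*)\] (?P<logger>\S+) - (?P<msg>.*)$")
LDAP_AUTH_RE = re.compile(r"Password-based authentication: (?P<user>\S+) - (?P<outcome>\w+)")
SAML_RE = re.compile(r"SamlRequestInfo\[acsUrl=(?P<acs>[^,]+),.*?requestId=(?P<req>[^,]+),authnContextClassRefList=\[(?P<ctx>[^\]]*)\]")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S,%f")
    parts = m.group("ctx").split(";")  # third item is the client address in the lines above
    rec["client"] = parts[2] if len(parts) > 2 else ""
    return rec


def login_sequence(lines: List[str], user: str) -> Dict[str, object]:
    """Milestones of one user's password login, keyed by stage."""
    seq: Dict[str, object] = {"user": user, "thread": None, "begin": None, "ldap_result": None,
                              "adapter_result": None, "saml": None, "horizon_login": None}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = str(rec["msg"])
        m = LDAP_AUTH_RE.search(msg)
        if m and m.group("user") == user:
            seq["thread"] = rec["thread"]
            if m.group("outcome") == "BEGIN":
                seq["begin"] = rec["ts"]
            else:  # the page only shows SUCCESS; any other token counts as not successful
                seq["ldap_result"] = (m.group("outcome"), rec["ts"])
            continue
        if seq["thread"] != rec["thread"]:
            continue  # correlate the user-less lines by thread
        saml = SAML_RE.search(msg)
        if msg.startswith("Login: ") and msg.endswith(" - SUCCESS"):
            seq["adapter_result"] = "SUCCESS"
        elif saml:
            seq["saml"] = {"acsUrl": saml.group("acs"), "requestId": saml.group("req"),
                           "authnContext": saml.group("ctx")}
        elif msg == "Login succeeded.":
            seq["horizon_login"] = rec["ts"]
    return seq


def check_sequence(seq: Dict[str, object], expected_acs_host: str) -> List[str]:
    """Things a defender would want flagged; empty list means the sequence is clean."""
    problems: List[str] = []
    ldap_ok = seq["ldap_result"] is not None and seq["ldap_result"][0] == "SUCCESS"
    if seq["begin"] is None:
        problems.append("no BEGIN for user")
    if not ldap_ok:
        problems.append("LDAP password authentication did not report SUCCESS")
    if seq["adapter_result"] == "SUCCESS" and not ldap_ok:
        problems.append("adapter reported login SUCCESS without a directory SUCCESS")
    saml = seq["saml"]
    if saml:
        host = urlparse(saml["acsUrl"]).hostname
        if host != expected_acs_host:
            problems.append(f"SAML ACS host {host} is not the expected {expected_acs_host}")
        if "PasswordProtectedTransport" not in saml["authnContext"]:
            problems.append("authnContextClassRef is not PasswordProtectedTransport")
    if seq["horizon_login"] is None:
        problems.append("horizon.log never reported 'Login succeeded.'")
    return problems


def ldap_latency_ms(seq: Dict[str, object]) -> Optional[int]:
    """Milliseconds from LDAP BEGIN to its result, a cheap DC health signal."""
    if seq["begin"] is None or seq["ldap_result"] is None:
        return None
    return round((seq["ldap_result"][1] - seq["begin"]).total_seconds() * 1000)


if __name__ == "__main__":
    s = login_sequence(SAMPLE_LINES, "arun@cap.org")
    print("problems:", check_sequence(s, "idm.cap.org") or "none")
    print("ldap latency ms:", ldap_latency_ms(s))
```

For the lines on this page the check comes back clean and the directory round trip took 48 ms; feed the same function a log where the sequence stops at BEGIN, or where the ACS host is not your vIDM FQDN, and the corresponding problem is reported.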


--------------------------------------------------------