Configure SSO with MFA (Azure AD) in tenant portal

To configure the Identity Provider (IdP) in the cloud tenant portal to use SAML 2.0 with Azure AD for single sign-on (SSO) with Multi-Factor Authentication (MFA), follow these steps:

  1. Set up Azure AD for SAML 2:
    • In the Azure portal, navigate to the Azure Active Directory (AD) section.
    • Under the “Manage” section, click on “App registrations” and then select “New registration”.
    • Provide a name for the application, choose the appropriate account type, and specify the Redirect URI as the VMware Cloud Director tenant portal URL (e.g., https://cloud-director.example.com/tenant/orgUrl/auth/saml/metadata).
    • After registration, note down the “Application (client) ID” and the “Tenant ID”.
  2. Obtain VMware Cloud Director metadata:
    • In the VMware Cloud Director tenant portal, navigate to the “Administration” section.
    • Under “Single Sign-On”, click on “Federation Metadata” and save the XML metadata file.
  3. Configure Azure AD as the Identity Provider (IdP):
    • In the VMware Cloud Director tenant portal, go to the “Administration” section.
    • Under “Single Sign-On”, click on “Identity Providers” and then select “New Identity Provider”.
    • Provide a name for the IdP configuration.
    • Choose “SAML 2.0” as the Identity Provider Type.
    • Upload the metadata XML file obtained from Azure AD.
    • Set the “Entity ID” to match the value provided in the Azure AD application registration.
    • Configure the other SAML 2.0 settings as needed, such as NameID format and attribute mappings.
    • Save the configuration.
  4. Enable Single Sign-On with MFA in Azure AD:
    • In the Azure portal, go to the Azure Active Directory section.
    • Under “Security”, select “Conditional Access”.
    • Click on “New policy” to create a new Conditional Access policy.
    • Configure the policy to require Multi-Factor Authentication (MFA) for the VMware Cloud Director application.
    • Save the policy.
  5. Enable Single Sign-On in VMware Cloud Director:
    • In the VMware Cloud Director tenant portal, go to the “Administration” section.
    • Under “Single Sign-On”, click on “Service Providers” and then select “New Service Provider”.
    • Provide a name for the Service Provider configuration.
    • Set the “Entity ID” to match the value provided in the Azure AD application registration.
    • Save the configuration.
  6. Test the SSO and MFA Integration:
    • Open a new browser session or incognito window and access the VMware Cloud Director tenant portal URL.
    • You should be redirected to the Azure AD sign-in page.
    • Sign in with your Azure AD credentials and complete the MFA process.
    • If successful, you should be redirected back to the VMware Cloud Director tenant portal and logged in automatically.
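
Steps 2, 3 and 5 exchange federation metadata and require the Entity IDs on both sides to match exactly; a mismatch or a non-HTTPS endpoint is the usual cause of a failed redirect in step 6. The following added Python example (not part of the original page or of VMware Cloud Director or Azure AD) checks a metadata file before it is uploaded: it verifies the entityID against the registered value, that a signing certificate is present and base64-encoded, and that every SSO endpoint is HTTPS. The SP metadata shown is a constructed sample with a placeholder certificate, and the URLs are assumed values.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of SP (Cloud Director tenant) metadata; the certificate is a placeholder.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://cloud-director.example.com/tenant/orgUrl/auth/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBsampleCertAA</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://cloud-director.example.com/login/orgUrl/saml/SSO/alias/vcd" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_metadata(xml_text, expected_entity_id, role="sp"):
    """Return a list of findings; an empty list means the metadata is safe to upload.
    role='sp' inspects AssertionConsumerService (Cloud Director side),
    role='idp' inspects SingleSignOnService (Azure AD side)."""
    root = ET.fromstring(xml_text)
    findings = []
    # The entityID must be the exact value registered on the other side (steps 3 and 5).
    if root.get("entityID") != expected_entity_id:
        findings.append(f"entityID mismatch: {root.get('entityID')!r}")
    desc_tag, ep_tag = (("md:SPSSODescriptor", "md:AssertionConsumerService") if role == "sp"
                        else ("md:IDPSSODescriptor", "md:SingleSignOnService"))
    desc = root.find(desc_tag, NS)
    if desc is None:
        return findings + [f"missing {desc_tag}"]
    # Without a signing certificate the other side cannot verify SAML signatures.
    certs = [c.text.strip() for c in desc.findall(".//ds:X509Certificate", NS) if c.text]
    if not certs:
        findings.append("no signing X509Certificate in KeyDescriptor")
    for cert in certs:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("X509Certificate is not valid base64")
    # Every endpoint must be HTTPS so assertions are never posted in cleartext.
    endpoints = desc.findall(ep_tag, NS)
    if not endpoints:
        findings.append(f"no {ep_tag} endpoint")
    for ep in endpoints:
        if urlparse(ep.get("Location", "")).scheme != "https":
            findings.append(f"{ep_tag} not https: {ep.get('Location')}")
    return findings
```

Run `check_metadata` on the Azure AD metadata with `role="idp"` and the Azure-side Entity ID before step 3, and on the Cloud Director metadata with `role="sp"` before step 5.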

That’s it! You have configured the Identity Provider (IdP) in the VMware Cloud Director tenant portal to use SAML 2.0 with Azure AD for Single Sign-On (SSO) with Multi-Factor Authentication (MFA). Users can now authenticate with their Azure AD credentials and complete the MFA process before accessing the VMware Cloud Director tenant portal.