NSX Advanced Load Balancer with vIDM Integration - Part 2

In the previous post, I showed how to integrate vIDM & NSX ALB. However any user that was assigned to the vIDM SaaS catalog item had super user permissions. Lets be honest, that's just easier to work with right? But.. some orgs prefer more selective permissions.

Here I will show how to use vIDM and be able to assign roles to groups synced with vIDM.

The official doco is terrible at describing how to assign roles to groups especially using vIDM. Thankfully there's a lot of people smarter than me that helped out. The official doco should be updated based on what we discovered.

It's important that you have vIDM & Avi already working. See the previous post if you need to do that.

In vIDM, ensure you're syncing all the groups you want to reference within Avi. To do that, log in to vIDM, and from the Identity & Access Management tab, click your Directory Name.

vIDM Settings

Click Sync Settings, Groups, and add any groups that you'll base tenants and roles on.

vIDM Settings

Click Save & Sync, and check it shows the number of groups it will sync. Check for any syncing errors, and click Sync Directory.

To use these groups in NSX ALB, we need to set up custom mappings.

From vIDM, click on the Catalog menu, then select the check box next to your NSX ALB application, and click Edit.

In the Edit SaaS Application window, click Configuration, and scroll all the way down to the bottom. Click on Advanced Properties.

vIDM Settings

Scroll down further to the Custom Attribute Mapping section.

Click Add Row and add the following:

Name Format Namespace Value
mappingGroup Basic ${groupNames}

The Name can be anything. The important part is Value:${groupNames}.

Click Next, Next, Save & Assign.

At the Assign window, make sure the users or groups you plan to use for tenant & roles within NSX ALB are included in this group. You can specifically list those groups, or a higher level folder/common name that includes them. In my example, I have some groups under CN=Users,DC=vmw,DC=one. Set Deployment Type to Automatic and click Save.

Side note: Any user listed here, can log into vIDM, and they'll have a list of any app assigned to them. In our case it's the NSX ALB icon where they can launch a browser window and be logged in directly to NSX ALB IF they have permission within NSX ALB.

vIDM Settings

Setting up Tenant and Role Mapping

From the NSX ALB Administration menu, go to Settings / Authentication/Authorization, and click New Mapping.

At the New Tenant and Role Mapping window, set Attribute to Contains, and have the values:

1Attribute Name:mappingGroup 
2Attribute Value: group-avi-cust1-admin@vmw.one

The Attribute Name needs to be the same as what you set in vIDM earlier.

For User Role, change it to Selected, and pick a role. Do the same for Tenants, and click Save.

vIDM Settings

Now you can delete the Super User role mapping we set up in part 1.

Open a private window in Firefox/Chrome and test with your remote user.

Troubleshooting

If it's not working as expected, have the user login to vIDM first. Ensure they log in successfully, and have the NSX ALB application available.

You can also troubleshoot using SAML Tracer, available for Chrome and Firefox. Using a private window, get to the point where you put in the username & password, then start SAML Tracer browser plugin. Continue to login, and you'll see the URL and other details fly past. Scroll down and click the second SAML line, then select the SAML icon to view the details. If you look carefully, you'll see the username, mapping attribute, and the group that was sent.

vIDM Settings

Hope it works for you too!