Adding Single Sign-On (SSO) Web Apps to WS1 Access Catalog

When logging on to Workspace ONE Access and viewing the catalog, the links that are presented can be just bookmarks, or they can be bookmarks that also sign you in to the service you are navigating to. One such case is trying to log onto other vRealize products. Unfortunately, I am not aware of an easy button to accomplish this. I was also unable to find any documentation on www.vmware.com that publishes an SSO URL.

I did, however, find a couple of websites that helped. The following links will take you there.

  • How to add vRealize Operations Manager 8.x to vRealize Identity Manager Web Apps catalog (https://blanketvm.com/2021/04/14/vrops-vridm-webapps-catalog/)
  • Integrating VMware Log Insight with Workspace ONE Access for SSO (http://www.techcurmudgeons.com/post/integrating-vmware-vrealize-log-insight-with-workspace-one-access-for-sso)

First Things First

Make sure the Workspace ONE Access appliance has a directory configured. There should ideally be groups synced that contain administrative users.

Ensure you have configured VMware Identity Manager (AKA Workspace ONE Access) as an authentication source in both services.

vRealize Operations Administration > Access > Authentication Sources > Add


vRealize Log Insight Administration > Configuration > Authentication > VMware Identity Manager

Next, configure the services to use the administrative groups from Workspace ONE Access and configure appropriate roles.

vRealize Operations Administration > Access > Access Control > User Groups

vRealize Log Insight Administration > Management > Access Control > Directory Groups

Adding vRealize Operations to the Catalog

Log on to the Workspace ONE Access appliance as an admin or switch to the Administration Console.

Choose Catalog > Web Apps

Click NEW

Provide a Name such as vRealize Operations

Click NEXT

Change Authentication Type to Web Application Link and provide a Target URL.

The Target URL can be obtained by navigating to the log on page for the vRealize Operations appliance (you may need to open a new browser or private window to get a new session). Don't log on, though.

View the source of the page and search for getVidmRedirectUrl.

Append the value of url found there to the address of the log on page so that it is similar to the following:

https://vrops-1.aaronrombaut.com/ui/login.action?mainAction=getVidmRedirectUrl

Press Enter and view the contents that are returned.

Copy the value of vidmRedirectURL; this is the Target URL.

Click NEXT and verify the New SaaS Application details.

Click SAVE & ASSIGN. Type in Users / User Groups as appropriate.

Click SAVE

Use another browser or a private window, or switch to the User Portal and refresh the browser. Test by logging in to Workspace ONE Access, clicking CATALOG, and clicking the Catalog Item you created above. Verify that you are successfully logged on to the vRealize Operations appliance.

Locate the vRealize Log Insight Client ID

Once the vRealize Log Insight Authentication Configuration makes a successful connection to the Workspace ONE Access appliance, a client ID will be created.

On the Workspace ONE Access appliance, click the arrow on Catalog and choose Settings.

Under Global Catalog Settings, click Remote App Access.

In the table, under the Client ID table heading, click on the first entry.

Verify the Redirect URI matches the IP address or fully qualified domain name of the vRealize Log Insight Appliance. If this is the case, copy the Client ID. If not, click Back To Clients List and continue clicking on Client ID entries until you find the correct client configuration.

Building the vRealize Log Insight Target URL

The target URL consists of the Workspace ONE Access fully qualified domain name, the client ID, and the vRealize Log Insight fully qualified domain name. In my case, here are the details:

Workspace ONE Access FQDN: vidm.aaronrombaut.com
Client ID: 6d95cdc5-60f0-42b6-9f85-815b15b64aa7
vRealize Log Insight FQDN (must match the Redirect URL Host entry from the appliance authentication configuration): 192.168.92.33

Putting it together looks like:

https://vidm.aaronrombaut.com/SAAS/auth/oauth2/authorize?response_type=code&client_id=6d95cdc5-60f0-42b6-9f85-815b15b64aa7&redirect_uri=https://192.168.92.33/login

Test this out by copying and pasting the configured Target URL into a new browser window. If successful, you should be redirected to Workspace ONE Access to log in if you are not currently logged in; otherwise you are taken directly to the vRealize Log Insight appliance.
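Added example (not part of the original post and not VMware code): a small Python helper that assembles the Target URL from the three values above and checks a candidate URL against them before it is pasted into the catalog. The function names build_target_url and check_target_url are hypothetical; the path and parameter names are taken from the URL shown above.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_PATH = "/SAAS/auth/oauth2/authorize"  # path as it appears in the post's URL


def build_target_url(access_fqdn, client_id, redirect_host):
    """Assemble the Target URL from the three values collected above."""
    query = urlencode(
        {
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": f"https://{redirect_host}/login",
        },
        safe=":/",  # keep ':' and '/' literal so the result matches the post's form
    )
    return f"https://{access_fqdn}{AUTHORIZE_PATH}?{query}"


def check_target_url(url, access_fqdn, client_id, redirect_host):
    """Return a list of mismatches between url and the expected values."""
    problems = []
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if parts.scheme != "https" or parts.hostname != access_fqdn.lower():
        problems.append("authorize endpoint is not https://" + access_fqdn)
    if parts.path != AUTHORIZE_PATH:
        problems.append("unexpected path " + parts.path)
    if params.get("response_type") != ["code"]:
        problems.append("response_type must be exactly one value: code")
    if params.get("client_id") != [client_id]:
        problems.append("client_id differs from the Remote App Access entry")
    redirect = urlsplit(params.get("redirect_uri", [""])[0])
    if (redirect.scheme, redirect.hostname, redirect.path) != (
            "https", redirect_host.lower(), "/login"):
        problems.append("redirect_uri does not match the registered Redirect URI")
    return problems


# Values from the post
ACCESS_FQDN = "vidm.aaronrombaut.com"
CLIENT_ID = "6d95cdc5-60f0-42b6-9f85-815b15b64aa7"
REDIRECT_HOST = "192.168.92.33"

if __name__ == "__main__":
    url = build_target_url(ACCESS_FQDN, CLIENT_ID, REDIRECT_HOST)
    print(url)
    print(check_target_url(url, ACCESS_FQDN, CLIENT_ID, REDIRECT_HOST) or "OK")
```

A redirect_uri built from the appliance's FQDN when the client was registered with its IP address (or the reverse) is reported as a mismatch, which is the condition the Redirect URI check in the previous section is meant to catch.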

Adding vRealize Log Insight to the Catalog

Log on to the Workspace ONE Access appliance as an admin or switch to the Administration Console. Choose Catalog > Web Apps

Click NEW

Provide a name such as vRealize Log Insight.

Click NEXT. Change Authentication Type to Web Application Link and provide the Target URL that was built in the Building the vRealize Log Insight Target URL task above.

Click NEXT. Review the New SaaS Application summary.

Click SAVE & ASSIGN. Type in Users / User Groups as appropriate.

Click SAVE.

Conclusion

It would be nice if there were better documentation on this, or even just a catalog of common VMware software, so that these catalog items could be built more easily.