For SAML login, is private key necessary?

[lubronzhan]

The doc I found around authentication with solution user only mentions presenting cert instead of the key

For the initial handshake, users authenticate with a user name and password, and solution users authenticate with a certificate. For information on replacing solution user certificates, see [vSphere Security Certificates](https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-779A011D-B2DD-49BE-B0B9-6D73ECF99864.html#GUID-779A011D-B2DD-49BE-B0B9-6D73ECF99864).

But looking at the sessions/login.go and related test, looks like cert is required when creating solution user and when getting a saml token, both key and certificate are required. Is that true?

So I can use any certificate and key to create user and login, but then for other vsphere connection, I assume I still need the tlsthumbprint or vsphere's CA? I think this cert will only used for retrieving token. Is that correct?

Thank you

[dougm]

Hi @lubronzhan ,

The ssoadmin endpoint where users, groups, etc., are managed has its own session manager and only supports SAML token authentication. But a bearer token (issued with username+password) can be used, that's the default for the govc sso related commands, which use this helper:

govmomi/govc/sso/client.go

Lines 59 to 64 in b504836

	req := sts.TokenRequest{
	Certificate: vc.Certificate(),
	Userinfo: cmd.Session.URL.User,
	}
	header.Security, cerr = tokens.Issue(ctx, req)

We do the same in this sts test when creating a solution user:

govmomi/sts/client_test.go

Line 58 in b504836

s, err := stsClient.Issue(ctx, sts.TokenRequest{Userinfo: info})

When using LoginByToken with a solution user (HoK), the public key is included in the request and the private key is used to sign the request.

Other than govmomi/govc usage, have you looked at vSphere cloud provider? https://github.com/kubernetes/cloud-provider-vsphere/blob/65f264e5adc2daa8162348fd69b06b56c84480fd/pkg/common/vclib/connection.go#L147-L149

[lubronzhan]

Thanks Doug, I was looking at CPI code to understand this. So both cert key pair are required. Solution user also need both

govmomi/sts/client_test.go

Lines 148 to 151 in b504836

	req := sts.TokenRequest{
	Certificate: solutionUserCert(),
	Delegatable: true,
	}

And these are not to validate the VC's certificate? Still we need a TLSTHumbprint to validate that?

[dougm]

Right, SAML tokens are only used for client authentication. For server (VC), you still need to trust via RootCAs or thumbprints.