VCD’s Progression towards Eliminating Local Users… Know More!

When did it begin?

Starting with version 10.4.1, we announced the deprecation of local users in VMware Cloud Director. They remain supported during the deprecation period, but we strongly recommend that customers begin transitioning away from them. VMware Cloud Director will continue to offer full support for local users until the final end-of-support announcement is made.

In version 10.4.1, the user management API could be used to remap local users, or users from an existing IDP, to a new IDP source. This allowed local users to be remapped to any IDP supported by VCD.

What was supported?

Migration of local users to SAML, LDAP, or OIDC was possible, provided that the Identity Provider (IDP) is appropriately configured and accessible within the organization. To perform the migration, API calls are required to transfer the user data across the different Identity Providers.

In addition, this feature also enables cloud administrators to migrate users between different Identity Providers (IDPs) that are supported and configured within the VMware Cloud Director environment. For instance, administrators can use this feature to migrate users from LDAP to SAML, among other IDP types.

What prompted this decision?

Local users have been a fundamental feature of VCD since its inception with version 1.0. They offer a simple way to securely store usernames and passwords in a hashed format within VCD. However, the absence of contemporary password management policies such as password rotation, complexity requirements, and 2FA/MFA options, among others, has highlighted some limitations. As a result, this project was initiated to address these concerns.

How is this announcement progressing?

In VMware Cloud Director 10.4.2, we have introduced a bulk user remapping UI feature to support our customers in the transition from locally-managed users to an externally-managed identity provider system. The purpose of this feature is to make the migration process smoother and more straightforward for our users.

All about the feature…

This feature is called Bulk User Migration / Remapping.

  • VMware Cloud Director 10.4.2 offers a user-friendly bulk user migration option to simplify the process of remapping users between different Identity Providers (IDPs) from the UI.

User Migration is a 3-step process:

Step a) Export Users: Choose the users you wish to migrate to a different Identity Provider (IDP) and export their data to a CSV file. Filters can be applied to select only the specific users you want to migrate.

(Screenshot: Export Users)

Step b) Upload CSV: Edit the user properties within the CSV file, and then proceed to upload the file with the updated information.

(Screenshot: CSV file with user properties)

The screenshot shows the name of the uploaded file, the count of users detected in the CSV file, and a few other details.

Please take note that in this release, only changes to the username and providerType user properties are applied. Modifications to any other field are ignored. Additionally, the email ID field remains optional.

Step c) Update Users: Perform the user update procedure based on the information provided in the CSV file.

The image displays the progress of the user migration and the count of users who have been migrated successfully, failed to migrate, or were skipped. The total time taken to complete the task is also displayed.

Here are a few key things to keep in mind:

  1. The user migration occurs sequentially, with each user being migrated one at a time.
  2. There are presently no restrictions on the number of users that can be migrated at once.
  3. Exiting the page during the migration process is not permitted and will result in a warning message. If the warning is accepted, the migration task will be cancelled.
  4. Although the user migration can be halted, stopping it does not undo the migration of users who have already been migrated.
  5. At the moment, it’s not possible to revert back to a local providerType using this tool if users are experiencing login difficulties after the user migration process.
  6. If a user is migrating to the IDP that already exists in VCD, the migration engine will skip that particular user’s migration process. (The skipped users count will increase by one).
  7. During the user migration to an IDP, the UserID of the user is retained, ensuring that all objects owned by the user remain under their ownership. This is done automatically.
  8. In the event that a user is part of a group, the same group must be created manually on the source IDP, and the user will automatically associate with the group upon their first login.
  9. Changes made to user details will take effect either after the scheduled synchronization operation has finished or after the user logs in for the first time. The biographical information of the user will be retrieved from the IDP and used to update the details of the migrated user in VCD.

Troubleshooting:

  • The UI will throw an error if there are any type or syntax errors in the CSV file.

(Screenshot: the providerType was specified incorrectly)

Please be advised that the providerType value must be either LOCAL, LDAP, SAML, or OAUTH as these are the only supported IDPs in VCD.

Please note that VCD validates the CSV file first before initiating any API calls to carry out the task.

  • To view information on users who were unable to migrate or skipped, you can download the Error Report.
  • In the event of errors for certain users during the migration process, you can resolve them and then rerun the migration process. Previously migrated users will be skipped and not affected.
  • For additional information, please refer to the general VMware Cloud Director logs.
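Because VCD validates the CSV before any API call, it is worth running the same checks locally first. The following pre-flight script is an added example, not part of the original post or of VCD itself: it compares the edited CSV against the export it came from, flags providerType values outside the supported set, and predicts which rows will be migrated, skipped, or silently ignored because only unsupported fields (such as email) were edited. The column header and the matching of rows by position are assumptions; the post does not document the exact export layout.

```python
import csv
import io

# From the post: the only providerType values VCD accepts, and the only two
# columns whose edits the 10.4.2 migration tool actually applies.
ALLOWED_PROVIDERS = {"LOCAL", "LDAP", "SAML", "OAUTH"}
RECOGNISED_CHANGES = {"username", "providerType"}

# Constructed sample data. The header is an assumption: the post names only
# username, providerType and an optional email field, not the exact export layout.
EXPORTED_CSV = """username,providerType,email
alice,LOCAL,alice@example.test
bob,LOCAL,
carol,LDAP,carol@example.test
dave,LOCAL,dave@example.test
"""
EDITED_CSV = """username,providerType,email
alice,SAML,alice@example.test
bob,LOCAL,bob@example.test
carol,LDAP,carol@example.test
dave,OIDC,dave@example.test
"""


def preflight(exported: str, edited: str) -> dict:
    """Check an edited CSV against its export and predict each row's outcome
    (migrate / skip / ignored_only / error). Rows are matched by position."""
    before = list(csv.DictReader(io.StringIO(exported)))
    after = list(csv.DictReader(io.StringIO(edited)))
    report = {"errors": [], "migrate": [], "skip": [], "ignored_only": []}
    if len(before) != len(after):
        report["errors"].append("row count differs from the export")
        return report
    for line_no, (old, new) in enumerate(zip(before, after), start=2):
        provider = (new.get("providerType") or "").strip()
        if provider not in ALLOWED_PROVIDERS:  # e.g. "OIDC": the accepted value is OAUTH
            report["errors"].append(f"line {line_no}: providerType {provider!r} not allowed")
            continue
        if not (new.get("username") or "").strip():
            report["errors"].append(f"line {line_no}: empty username")
            continue
        changed = {k for k in new if (old.get(k) or "").strip() != (new[k] or "").strip()}
        if not changed & RECOGNISED_CHANGES:
            # Nothing VCD would apply; edits to other fields (email here) are dropped.
            report["ignored_only" if changed else "skip"].append(old["username"])
        elif provider == (old.get("providerType") or "").strip():
            report["skip"].append(old["username"])  # already in that IDP: engine skips it
        else:
            report["migrate"].append(old["username"])
    return report
```

Run it on the two constructed files and only alice is predicted to migrate; bob's email-only edit is reported as ignored, carol is unchanged and skipped, and dave's row is rejected before upload.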

Scenarios/Questions

Q: Migration takes too long, and the progress stops.
A: Ensure that the browser window running the migration stays active and in focus throughout, and is not minimized or made inactive. If the window is minimized or made inactive, you will need to stop the process and begin again.

Q: The migration process has finished, but the users' data has not been updated from the IDP.
A: Wait for the synchronization between VCD and the IDP to complete, or log in manually with the migrated user's credentials.

Q: Can I restart the migration process with the same CSV file?
A: Yes. Any users that have already been updated will be skipped, and the process will resume from where it left off.

Q: Can I restart the process for the errored migrations?
A: If an error occurs, a download link provides a CSV file containing details of the errors. This file can be corrected and uploaded again.

Q: Can I revert the process?
A: Not automatically; reverting is a manual process.

Please be advised that this report is intended for informational purposes only and represents our best effort to provide accurate and useful insights.

Originally posted on April 26, 2023 @ 8:07 am