VMware introduced SSO with vSphere 5.1, and over subsequent releases SSO has matured considerably. SSO can now be connected to multiple authentication domains, such as Active Directory and LDAP, and exchanges a successful authentication for tokens that are then used to access multiple vSphere services.
An Identity Source is a collection of user and group data stored in Active Directory, OpenLDAP, or locally in the OS.
At the time of PSC/vCenter deployment we create one identity source (the SSO domain), and after the vCenter installation completes, only the users defined under this SSO domain or localos can log in to vCenter. This identity source is internal to vCenter SSO.
An SSO administrator can add additional identity sources for centralized authentication, define the default identity source, and create users and groups in the default identity source.
In this post we will focus on the tasks below:
- Define identity sources for single sign-on.
- Change the default domain for single sign-on.
- Configure global permissions for vCenter services.
Let's get started.
Verify current SSO configuration
Log in to the Web Client as administrator@domain and verify the current SSO configuration. You will only see localos and the SSO domain defined at the time of installation.
Before adding any identity source to SSO, make sure that the vCenter Server/PSC is joined to the domain you want to add. To do so, navigate to System Configuration > Nodes > vCenter Server/PSC > Manage > Active Directory.
Click the Join button and provide the domain information.
Reboot the node for the change to take effect by clicking the Reboot button in the Actions menu.
After the server reboots, verify that the domain is listed under Active Directory.
Add new Identity Source
From the home page navigate to Administration > Configuration > Identity Sources and click the green plus button to add a new identity source for SSO.
Several identity source types are available: AD (Integrated Windows Authentication), AD as an LDAP Server and OpenLDAP.
For Windows-based AD you have two choices:
- AD (Integrated Windows Authentication): the default choice when your environment consists of a single domain. If you have multiple child domains, refer to VMware KB-2064250.
In this method you only need to supply your domain name and define the user whose credentials will be used to authenticate against the domain.
- AD as an LDAP Server
In this method you have to define numerous entries, as shown below. You can reference this article from VMware when filling in the information.
If you use this method, make sure to click Test Connection to verify that your vCenter server can reach AD.
Click OK to finish adding the identity source.
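The PowerCLI script below is an added example, not code from the original post. It uses the VMware.vSphere.SsoAdmin module (assumed to be installed alongside PowerCLI) to perform the same steps from a shell: list the identity sources present today, add an AD-as-LDAP identity source, and confirm that a known account resolves through it. Every host name, distinguished name, account name and certificate path is a placeholder. It binds over ldaps:// with the domain controller's certificate rather than plain ldap://, so the bind credentials and directory lookups are not sent in clear text, and it uses a dedicated read-only bind account instead of a domain administrator.

```powershell
# Added example (not from the original post): verify the current identity
# sources, then add an "AD as an LDAP Server" identity source from PowerCLI.
# Assumptions: PowerCLI and the VMware.vSphere.SsoAdmin community module are
# installed; every host name, DN, account and file path below is a placeholder.
Import-Module VMware.vSphere.SsoAdmin

$pscHost = 'psc01.example.local'                        # placeholder PSC/vCenter FQDN
$ssoPass = Read-Host -Prompt 'administrator@vsphere.local password'
$sso = Connect-SsoAdminServer -Server $pscHost -User 'administrator@vsphere.local' -Password $ssoPass

# Step 1: what is configured today? Expect only the SSO domain and localos.
Get-IdentitySource -Server $sso | Format-Table -AutoSize

# Step 2: the entries the "AD as an LDAP Server" dialog asks for, as variables.
$domain    = 'corp.example.local'                       # placeholder AD DNS name
$bindUser  = 'corp\svc-vcenter-ldap'                    # placeholder read-only bind account
$bindPass  = Read-Host -Prompt "Password for $bindUser"
$ldapsCert = 'C:\certs\corp-dc-ldaps.cer'               # placeholder: DC certificate used for ldaps://

Add-LDAPIdentitySource -Server $sso `
    -Name 'corp' `
    -DomainName $domain `
    -DomainAlias 'CORP' `
    -PrimaryUrl "ldaps://dc01.$($domain):636" `
    -BaseDNUsers 'OU=People,DC=corp,DC=example,DC=local' `
    -BaseDNGroups 'OU=Groups,DC=corp,DC=example,DC=local' `
    -Username $bindUser `
    -Password $bindPass `
    -Certificates $ldapsCert `
    -ServerType 'ActiveDirectory'

# Step 3: stand-in for the dialog's "Test Connection": the new source must be
# listed, and a known account must resolve through it.
Get-IdentitySource -Server $sso | Format-Table -AutoSize
Get-SsoPersonUser -Name 'jdoe' -Domain $domain -Server $sso    # placeholder user

Disconnect-SsoAdminServer -Server $sso
```

If the user lookup in step 3 returns nothing, the usual causes are the same ones the Web Client's Test Connection surfaces: a Base DN that does not contain the account, a bind account without read access to that OU, or a certificate that does not match the domain controller named in the URL.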
Change Default domain for single sign-on
By default, the local OS identity source is the default domain. vCenter SSO uses the default domain to authenticate users who log in without a domain name. If users from a domain other than the default want to log in, they must include the domain name when entering their username.
When the newly added domain is set as the default domain, users from that domain can authenticate against vCenter by supplying just a username and password; there is no need to append @domain to the username.
Select the newly added identity source and click the blue button next to the red cross button.
Click Yes on the warning that is presented.
Configure Global Permissions for vCenter services
To assign global permissions to a user or group, navigate to Administration > Global Permissions and click the green plus button to add a new user or group.
Select the domain from which you want to add the user, search for the specific user or group you want to add, and click the Add button.
Select the role to assign to the user or group you just added and make sure the Propagate to children checkbox is selected.
If you assign a global permission and do not select Propagate, the users or groups associated with it do not have access to the objects in the hierarchy; they only have access to some global functionality, such as creating roles.
If you want to add a user with the System Administrator role, select Users and Groups > Groups, select System.Configuration.Administrators and click the Group Members button to add a user or group. We do this to avoid the issue described in this article.
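The following PowerCLI script is an added example, not code from the original post, for checking the result of the permission steps above. It lists every permission as it takes effect in the vCenter inventory, which is where a propagated global permission becomes visible, and flags two things a reviewer usually wants to see: Administrator assignments that do not propagate (the situation described above, where the principal gets global functions but no inventory access) and Administrator granted to an individual account rather than a group. It assumes VMware.PowerCLI is installed; the vCenter name and the principal shown in a comment are placeholders. Global permissions themselves are still managed in Administration > Global Permissions as described above.

```powershell
# Added example (not from the original post): audit Administrator-role
# permissions as they appear in the vCenter inventory and flag the ones a
# reviewer should look at. Assumptions: VMware.PowerCLI is installed and the
# vCenter name is a placeholder.
Import-Module VMware.PowerCLI

$vcHost  = 'vcsa01.example.local'                        # placeholder vCenter FQDN
$session = Connect-VIServer -Server $vcHost -Credential (Get-Credential -Message 'vCenter administrator')

# PowerCLI keys roles by internal name; the built-in Administrator role is 'Admin'.
$adminRoleName = (Get-VIRole -Name 'Admin' -Server $session).Name

$report = foreach ($perm in Get-VIPermission -Server $session) {
    $finding = ''
    if ($perm.Role -eq $adminRoleName) {
        if (-not $perm.Propagate) {
            # Administrator without propagation reaches no child objects, which
            # is usually a mistake rather than an intended restriction.
            $finding = 'Administrator without propagation'
        } elseif (-not $perm.IsGroup) {
            # Administrator on an individual account bypasses group-based review;
            # prefer an AD group so membership is managed centrally.
            $finding = 'Administrator granted to an individual user'
        }
    }
    [pscustomobject]@{
        Principal = $perm.Principal        # e.g. CORP\vcenter-admins (placeholder)
        IsGroup   = $perm.IsGroup
        Role      = $perm.Role
        Entity    = $perm.Entity.Name
        Propagate = $perm.Propagate
        Finding   = $finding
    }
}

$report | Sort-Object Role, Principal | Format-Table -AutoSize
$report | Where-Object { $_.Finding } | Export-Csv -Path '.\vcenter-admin-findings.csv' -NoTypeInformation

Disconnect-VIServer -Server $session -Confirm:$false
```

Run it with a read-only account: listing permissions and roles needs no Administrator rights, and the exported CSV is a convenient artifact to keep with each change to identity sources or default domain so that later reviews can diff who held Administrator and whether it propagated.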
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 🙂