Single Sign On or SSO was introduced as a requirement for deploying vCenter 5.1. SSO is based on identity management technology built by RSA but designed for VMware environments. It provides a higher level authentication mechanism than Active Directory to enable Federation. Federation in this sense allows you to authenticate once but access many vSphere environments such as multiple vCenter servers that may not have common Active Directories (ADs).
SSO treats AD as an identity source; it also supports OpenLDAP, local accounts on the vCenter server and accounts created within SSO. When you login to vCenter 5.1 you are passing the authentication to SSO which forwards it to an identity source for authentication. Once authenticated you use a token vs. a username and password. This token allows you to access multiple environments without re-authenticating.
SSO requires its own database. Multiple SSO servers can be deployed and connected to the same database. When multiple SSO servers are deployed one is designated Primary while the rest are slaves. To make this configuration Highly Available you must add a Load Balancing (LB)Solution in front of the SSO servers. The final step is to re-point the vCenter server to the new Load Balanced IP as covered in this VMware Knowledge Base article.
The easiest way to install SSO is to use the vCenter Server Appliance (vCSA) as it is integrated. For additional details on installing vCSA please see my post. Once installed the default SSO account is: admin@System-Domain. The password for this account is set during installation on a Windows server or randomly when you configure SSO on the vCSA.
Install the VMware vSphere Web Client
- Launch autorun.exe from the vCenter Server media
- Select VMware vSphere Web Client and click Install.
- Follow the prompts to choose the language and agree to the end user patent and license
- Accept the default port settings.
- Enter the information to register the vSphere Web Client with vCenter Single Sign On.
The default administrator user name is admin@System-Domain (Note: You will need to set this password first if you used the vCSA) and the Lookup Service URL is:
- Click Install.
Reset the random password for the admin@System-Domain account (vCSA Only)
Note: As mentioned, if you installed the integrated SSO on the vCSA then you will need to login using the root account and set the password for the admin@System-Domain account first.
- Login to the vCSA using the Web client and the root or administrative credentials. The vSphere Web Client is included as a part of the vCSA so the URL is https://[vCenter Server Appliance]:9443
- Navigate to the Administration Tab. Click “SSO User and Groups ”
- Right Click on the admin account and select Edit User. Specify the new password and click OK.
You should add your Active Directory vCenter Administrators Group to the SSO Administrators group as part of the configuration to enable their primary login to administer SSO (Note: this assumes you have already added your AD as an Identity Source. If you have not yet have a look at this post). To do this you will need to install the VMware vSphere Client first.
Adding your vCenter Administrators to the SSO Administrators Group
- Login to your SSO server using the VMware vSphere Web client and the admin@System-Domain account.
- Browse to Administration and under Access select SSO Users and Groups
- Select the _Administrators_ under the Principal name column
- Select the Add Principals button from the menu
- Under Identity source change from System-Domain to your Active Directory
- Search for the the right group and click Add and OK