Configuring SSO (Single Sign On) on VMware vSphere 5.1

Starting from version 5.1 of vSphere, VMware introduced SSO (Single Sign On), a feature which allows us to log on once and access many cloud components without needing to log in all over again. Cute. SSO supports a local user database, OpenLDAP, Microsoft AD and NIS+ as identity sources. Not sure about versions, so this has to be checked out.

In this short blog, we will set up the SSO to include an additional Microsoft AD domain.

For administering the SSO, we must use the vSphere Web Client.

Let’s take a look at the following screenshot:

image

We can see two things here. First, we must be logged in as admin@System-Domain in order to have the option of changing the SSO configuration. Only this user has the right to see the “Sign-On and Discovery->Configuration” option. The password for this user was set during the installation of the SSO. Of course, using this user, we could grant a user from a different identity store permission to make changes to the SSO configuration.

Second, the domain in which we installed the VC is already in the list of identity stores, so we can authenticate our users against that domain.

What if we would like to add another identity store, for example another AD domain? Easy. We click the green plus sign, and a dialog pops up in which we should fill in some data:

image

First we need to select the identity source type. In this case, it is Active Directory. After giving a name, we need to specify the Primary server URL. This is given in the form ldap://x.y.z.w:389, where x.y.z.w is the IP address of the other domain’s domain controller, and TCP/389 is the default LDAP port the domain controller listens on.

We should give a domain name and select the authentication type to be Password. Then we specify a username and password combination valid for that domain. This username does not have to be a domain administrator account, but it should have a complex password and should never expire.

When we click the Test Connection we should get this response:

image

Once again, if there is a firewall between the VC and the domain controller, the appropriate port must be opened. In this case, TCP/389.
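As an added pre-flight check (not from the original post, which relies on the Test Connection button), the script below parses a Primary server URL in the form shown above and reports whether the TCP port is reachable from where it runs, using a constructed local listener as a stand-in for the domain controller. The ldaps:// scheme and port 636 are assumptions about what the dialog accepts; the post itself only shows ldap://.

```python
import socket
from urllib.parse import urlsplit

# Default ports per URL scheme. ldaps:// and 636 are assumptions;
# the post only shows ldap://x.y.z.w:389.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_primary_server_url(url):
    """Validate a Primary server URL such as ldap://x.y.z.w:389 and
    return (scheme, host, port). Raises ValueError on a bad URL."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be ldap or ldaps, got %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("missing host in %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname, port


def check_ldap_endpoint(url, timeout=3.0):
    """Is the LDAP port reachable over TCP? A dropped (firewalled) or refused
    connection both surface as OSError. Also flags plain ldap://, over which
    the bind credentials entered in the dialog travel unencrypted."""
    scheme, host, port = parse_primary_server_url(url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            reachable = True
    except OSError:
        reachable = False
    return {"host": host, "port": port, "tcp_reachable": reachable,
            "encrypted_transport": scheme == "ldaps"}


def selftest():
    """Run the check against a constructed local listener (the 'domain
    controller') and then against the same port once closed (how a blocked
    or wrong port looks). Returns (opened_result, closed_result)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    opened = check_ldap_endpoint("ldap://127.0.0.1:%d" % port, timeout=1.0)
    listener.close()
    closed = check_ldap_endpoint("ldap://127.0.0.1:%d" % port, timeout=1.0)
    return opened, closed


if __name__ == "__main__":
    print(selftest())
```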

Now we have the additional domain added to the identity sources:

image

In a similar fashion we add other supported identity sources.

Once added, we can use the identity source to assign roles/privileges to users from that identity source.

We log out from admin@System-Domain and log in as a user with the admin role on the VC. Then we navigate to the VC we want to set up new permissions on, select Manage->Permissions and click the green plus sign:

image

Then we click the Add button:

image

We select the newly created domain:

image

Then we search for a user or a group. When searching, we type a part of a name and hit <ENTER>. We select the name, click Add and then OK:

image

Instead of the default Read-only role, we assign the Administrator role (or some other as appropriate):

image

We must make sure that the Propagate to children of <thenameofvcserver> option is selected, and we click OK:

image

Then we have this situation:

image

Now we can use this user from a different domain to manage the virtual infrastructure. We provide our credentials in the form user@somedomain together with the domain password:

image

Thanks for reading.


One Response to Configuring SSO (Single Sign On) on VMware vSphere 5.1

  1. The database build up after the sign up process and all the authorization process is secure and reliable and it has various other main features for its implementation.

    Regards Mike
