VMware Single Sign-On (SSO) Configuration

As part of the VCAP6 – DCV study we are going to work through Objective 1.1. The tasks are:

  • Configure Single Sign-On users and groups.
  • Change the default domain for Single Sign-On.
  • List services registered with Single Sign-On.

For the complete VCAP6 – DCV checklist, visit Checklist.

Before we jump into our objective, let’s see how to configure SSO in the vCenter 6 Web Client.

  1. Log in to your Web Client using the vCenter root account (Administrator@vsphere.local).
  2. Click Administration, then click Configuration under Single Sign-On.
  3. Click the Identity Sources tab; you will see the screen below. Select “Active Directory (Integrated Windows Authentication)” and enter your domain name to configure the identity source.

Once the domain is added you can set it as the default domain for SSO authentication. Out of the box, vsphere.local is the default domain.


Use Case – The only use case I can think of is that it lets an SSO-enabled user log in to the Web Client from a non-domain computer without entering the domain details. Once the domain is set as the default, the user no longer needs to enter the user name in User Principal Name (UPN) format.

Now, to set permissions for a particular group or user, follow the steps below.

  1. Click Global Permissions under Access Control, and on the right side click the + sign to add the user/group.
  2. There are pre-defined roles available to select. We can add groups/users by clicking the Add button.
  3. Now select the appropriate domain from the drop-down list and choose the user name or group name to be added to the desired permission set.

Apart from the SSO configuration you can also configure SSO policies. There are three policy types that can be configured: 1) Password Policy, 2) Lockout Policy and 3) Token Policy.

All of these settings are self-explanatory, and in production they should be configured according to the enterprise-wide system access policy.

Now let’s see how to get the list of services registered with Single Sign-On.

To see the list of SSO services, run the command below from a Command Prompt on the Platform Services Controller (PSC) server. In my case I am running it directly on my vCenter Server, where the PSC instance is installed.

"%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url https://localhost:7080/lookupservice/sdk

Here the %VMWARE_PYTHON_BIN% folder is “C:\Program Files\VMware\vCenter Server\python” and the %VMWARE_CIS_HOME% folder is “C:\Program Files\VMware\vCenter Server”, so the command runs the Python script named lstool.py with the Python bundled with vCenter Server.
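As an added example (not from this post or from VMware), the Python below parses output in the block layout that lstool.py list prints and flags any registered endpoint whose hostname is not one of the PSC/vCenter hosts you expect, which is a quick way to spot stale registrations left behind after a PSC migration or entries you did not create. The layout and every sample value are constructed assumptions; feed it the real output captured from the command above.

```python
from urllib.parse import urlparse

# Constructed sample in the layout "lstool.py list" prints (one block per
# service, tab-indented endpoints); layout and values are assumptions.
SAMPLE_LSTOOL_OUTPUT = """\
Service Type: cs.identity
Service ID: 00000000-0000-4000-8000-000000000001
Endpoints:
\tType: com.vmware.cis.cs.identity.sso
\tProtocol: wsTrust
\tURL: https://psc01.corp.example/sts/STSService/vsphere.local

Service Type: vcenterserver
Service ID: 00000000-0000-4000-8000-000000000002
Endpoints:
\tType: com.vmware.vim
\tProtocol: vmomi
\tURL: https://oldpsc.corp.example/sdk
"""

def parse_lstool(text):
    """Parse lstool 'list' output into service dicts, each with an 'endpoints' list."""
    services = []
    for block in text.strip().split("\n\n"):
        svc, in_endpoints = {"endpoints": []}, False
        for line in block.splitlines():
            if line.strip() == "Endpoints:":
                in_endpoints = True
                continue
            key, _, value = line.strip().partition(":")  # URL keeps its "https:" part
            key, value = key.strip(), value.strip()
            if not in_endpoints:
                svc[key] = value
            elif key == "Type":  # each "Type:" line starts a new endpoint
                svc["endpoints"].append({key: value})
            elif svc["endpoints"]:
                svc["endpoints"][-1][key] = value
        services.append(svc)
    return services

def unexpected_endpoints(services, allowed_hosts):
    """Return (service type, URL) for endpoints not on an expected PSC/vCenter host (lowercase FQDNs)."""
    findings = []
    for svc in services:
        for ep in svc["endpoints"]:
            url = ep.get("URL", "")
            if (urlparse(url).hostname or "").lower() not in allowed_hosts:
                findings.append((svc.get("Service Type", "?"), url))
    return findings
```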

You will see an output as below.