vSphere 5.5 Web Client Workflows – SSO Configuration

With vSphere 5.5, the vCenter Single Sign-On (SSO) component was completely rewritten from the ground up. As you’d expect with such a rewrite, the configuration is slightly different from that in vSphere 5.1.

1. Log in to the vSphere Web Client as administrator@vsphere.local (as opposed to admin@system-domain in vCenter SSO 5.1). By default, it will be the only user with vCenter SSO administrator rights.

2. Click on Administration in the left hand menu.

3. Before we add any new administrator users, let’s get vCenter SSO tied into our local LDAP. In my lab, that’s Active Directory. Click Configuration under Single Sign-On.

4. Click on Identity Sources.

5. Click the green + to add a new Identity Source.

6. VMware has managed to simplify the addition of an Active Directory domain as an Identity Source by using the machine account of the vCenter SSO machine to authenticate (and it works great!).

Or you can use a Service Principal Name (SPN) and credentials to connect if that’s a requirement. You can also fill in LDAP information for your Active Directory as in vSphere SSO 5.1 (which uses the same layout as OpenLDAP).

We also have the option to add Local OS (the Windows host machine that vCenter SSO is installed on, which may be separate from vCenter Server itself) as an Identity Source.

7. Once you’ve added your new Identity Source, add it as the default domain.

8. Now, let’s go to Users and Groups.

9. Click Groups (1), then click on the Administrators group (2).

10. Click Add Member under Group Members.

11. Choose the appropriate domain (1) and user (2), click Add (3), then OK (4).

12. Now, you should see the newly added member of the Administrators group.

13. Now, as we log in with the newly added vCenter SSO administrator…

We are able to configure vCenter SSO without any issue.
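SSO administrator rights and permissions on the vCenter inventory are granted separately, so here is an added PowerCLI example (not the author's code or anything from VMware) that covers the inventory side: it lists who holds the Admin role on the vCenter root object, flags broad principals such as Domain Admins or the local OS Administrators group, and grants a dedicated AD group instead. The server name and the AD group name are placeholders, and the script only reports unless run with -Apply.

```powershell
# Added example (not part of the original post): audit and tighten the Admin
# permission on the vCenter root object with PowerCLI. SSO group membership
# (steps 8-12 above) and vCenter inventory permissions are separate things.
# Assumptions: PowerCLI is installed; the server and group names are placeholders;
# -Principal accepts a 'DOMAIN\group' string (assumed from common PowerCLI usage).
param(
    [string]$vcServer   = 'vcenter.example.local',   # placeholder vCenter Server
    [string]$adminGroup = 'EXAMPLE\vSphere-Admins',   # placeholder dedicated AD group
    [switch]$Apply                                    # without -Apply, report only
)

# Group names (after the DOMAIN\ prefix) that should not hold Admin on the root.
$broadPrincipals = @('Domain Admins', 'Administrators')

Connect-VIServer -Server $vcServer | Out-Null
$root      = Get-Folder -NoRecursion        # the root (Datacenters) folder
$adminRole = Get-VIRole -Name Admin

$perms = Get-VIPermission -Entity $root
"Permissions on root folder '$($root.Name)':"
$perms | Select-Object Principal, Role, IsGroup, Propagate | Format-Table -AutoSize

# Flag Admin permissions held by Domain Admins or a local/AD Administrators group.
$risky = $perms | Where-Object {
    $_.Role -eq $adminRole.Name -and
    ($broadPrincipals -contains ($_.Principal -split '\\')[-1])
}
foreach ($p in $risky) {
    "Broad admin principal found on root: $($p.Principal)"
    if ($Apply) { Remove-VIPermission -Permission $p -Confirm:$false }
}

# Ensure the dedicated AD admins group holds Admin, propagated down the inventory.
$have = $perms | Where-Object { $_.Principal -eq $adminGroup -and $_.Role -eq $adminRole.Name }
if (-not $have) {
    "Missing Admin permission for $adminGroup on root"
    if ($Apply) {
        New-VIPermission -Entity $root -Principal $adminGroup -Role $adminRole -Propagate:$true | Out-Null
    }
}

Disconnect-VIServer -Server $vcServer -Confirm:$false
```

Granting the group Admin here does not make it an SSO administrator; that still needs the Users and Groups step in the post.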

Comments

  1. bgctnv says

    Single Sign-On Groups are apparently exclusive to the vsphere.local domain. Apparently due to the “feature” described here: http://kb.vmware.com/kb/2059528, you cannot add an Active Directory group, such as Domain Admins, to the Single Sign-On Administrators group and expect it to work properly. You have to manually add Active Directory users, not groups, to the Administrators Single Sign-On Group defined in the vsphere.local domain. I want to simply specify that members of my Domain Admins group defined in Active Directory have Single Sign-On Administrator rights, but this cannot be done in vSphere 5.5.

    • jshiplett says

      The KB mentions the inability to grant rights via nested groups of dissimilar types, e.g., Domain Admins being given rights via Administrators group in the local vCenter Server Windows operating system. If you grant administrative rights to an Active Directory group within SSO (adding an AD group to the Administrators group in vsphere.local, as below), the rights should propagate properly.

      [Screenshot: SSO Admins]

  2. bgctnv says

    That is how I originally had it set up – the domain group Domain Admins as a member of the vsphere.local Administrators group. That did not work for me, but it worked properly when adding my individual user account instead. Did you have different results? I was also not able to see the Client Plug-Ins menu option when configured with the group, but it was accessible when the single user account was added.

    • jshiplett says

      I just tested with an AD group, and I was able to grant SSO privileges that way. This group doesn’t have rights elsewhere (such as the local OS Administrators group), so it’s only getting it from the permissions I just granted.

    • jshiplett says

      Just spitballing here, but if Domain Admins is a member of your local OS Administrators group and local OS is set as an SSO Identity Source, you might try removing it and see if that allows rights to be set properly.

  3. bgctnv says

    Here’s my scenario:

    Under Administration / Access Control / Roles, the only defined user is VSPHERE.LOCAL\Administrator.

    Under Administration / Single Sign-On / Users and Groups, the only defined user is Administrator in vsphere.local, which is defined as a member of both the Users and Administrators groups.

    With only those two permissions defined, my Active Directory Domain Admin user account can log into the vSphere Web Client, but cannot see anything.

    I then added the Active Directory Domain Admins group to the SSO Administrators group. I was still not able to see anything with my Active Directory Domain Admin user account.

    I then added the Active Directory Domain Admins group to the Administrator role under Access Control. I was then able to manage the environment, but I was still unable to see the SSO and Client Plug-Ins areas of Administration.

    • jshiplett says

      That sounds exactly like what the KB is describing. If you create a new AD group, put your user account in it, grant it administrative rights to the vCenter object, then grant it administrative rights within SSO, it should give you everything you need. I’m doing that right now in my lab, and I do it regularly with customers.

      Typically, Domain Admins will have users in it who, while needing administrative access in AD, don’t need administrative access to vSphere. I will generally remove LocalOS/Administrators permissions and create a specific vSphere admins group in AD because of this. Domain Admins will still have administrative access to the vCenter Server Windows machine, but they will have no intrinsic rights within the vCenter Server inventory.

      • bgctnv says

        Thanks for the tips, but I’m unfortunately not having much luck with this.

        I created a brand new AD group with only my user account as a member. I added that group as an Administrator in SSO/Users and Groups as well as Access Control/Roles. The only other defined user or group anywhere is the vsphere.local default Administrator account.

        When I log in using my AD account that is a member of the AD group, I can’t see the SSO or Client Plug-Ins areas of Administration. I even went so far as to remove the local computer as an SSO identity source.

        I went ahead and opened up a support ticket with VMware.

        • John says

          What was your resolution? :-) I’m having the exact same symptoms you’ve described.

          My user actually seems to be able to become a vCenter admin without much issue (after I’ve added it to the vCenter object permissions, not just SSO).

          However, even after adding my new AD group to the SSO Admin group, my user doesn’t see the SSO admin items. Doh!
