February 15, 2017
VMware vSphere: vCenter Single Sign-On (SSO)
One of the key pieces of administering a vSphere infrastructure is assigning administrative permissions on vSphere resources. Managing logins and permissions in a VMware vSphere vCenter Server environment is critical not only for granting granular permissions on resources but also for providing an audit trail of the actions performed within the vCenter environment: an action logged against a named user is far more useful than one logged against a shared or built-in account. Let's take a look at the key features involved in assigning permissions: vCenter Single Sign-On, Active Directory, and the roles and permissions assigned on top of them.
vCenter Single Sign-On (SSO)
Prior to vSphere 5.1, vCenter Server authenticated users either against the local security authority of the vCenter Server machine or against Active Directory. Starting with vSphere 5.1, VMware introduced Single Sign-On (SSO) so that multiple ESXi hosts, vCenter Servers and other vSphere components can be managed with the same user credentials. SSO is a security token service: a user authenticates once against a configured identity source (Active Directory, OpenLDAP, the local operating system of the SSO server, or the SSO domain itself) and receives a SAML 2.0 token, which the vSphere components then accept in place of the user's password. This token-based model improves both the security and the agility of vSphere authentication: credentials are presented only to SSO rather than to every component, and a new identity source is added once, centrally, instead of on each product.
SSO is also important because today's suite of VMware vSphere products integrates with the SSO service on vCenter. A user who has authenticated to SSO once can be granted (or denied) access to resources across the whole suite on the strength of that single identity.
In vSphere 6.x the SSO service runs on the Platform Services Controller (PSC), which also hosts the VMware Certificate Authority (VMCA) and the license service. The PSC is deployed and configured as part of the vCenter Server Appliance (VCSA) deployment and can be either an Embedded Platform Services Controller (on the same appliance as vCenter Server) or an External Platform Services Controller (its own appliance, which several vCenter Servers can share).
The Single Sign-On domain for vSphere is also configured during deployment of the VCSA: the installer asks for the SSO domain name, the SSO site name and the password of the SSO administrator account (administrator@<SSO domain>). That account is the built-in superuser of the SSO domain, so its password should be long, kept in a password safe and reserved for SSO configuration and break-glass use rather than day-to-day administration.
The SSO domain is the default identity source of the vSphere environment when no other identity source such as Active Directory has been added. As already mentioned, it is also the token service that authenticates users against those identity sources and issues them SAML tokens. One thing to remember when choosing an SSO domain name: it must not be the same as your Active Directory domain name (or the name of any other identity source you plan to add), because vCenter cannot then tell the two domains apart and you will run into identity-source conflicts and authentication problems. The default, vsphere.local, or another name with a ".local" suffix that is not used anywhere else on your network, is the usual choice.
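Once the SSO domain and an Active Directory identity source are in place, the question a practitioner wants answered is "who actually holds permissions, and from which identity source?". The following PowerCLI script is an added example, not code from the original post or from VMware: it rejects the mistake described above (an SSO domain name equal to the AD domain name), then lists every vCenter permission with its identity source and flags the grants that weaken the audit trail. The server name vcsa.lab.example, the AD domain corp.example and the audit heuristics in the Finding column are assumptions for the illustration; Connect-VIServer, Get-VIRole, Get-VIPermission and Disconnect-VIServer are standard PowerCLI cmdlets.

```powershell
# Added example (not from the original post): audit vCenter permissions by identity source.
# Hypothetical values: vCenter at vcsa.lab.example, SSO domain vsphere.local, AD domain corp.example.
# Requires VMware PowerCLI; Connect-VIServer prompts for credentials if none are supplied.
param(
    [string]$Server    = 'vcsa.lab.example',
    [string]$SsoDomain = 'vsphere.local',
    [string]$AdDomain  = 'corp.example'
)

# The SSO domain name must differ from the AD domain name; refuse to proceed otherwise.
if ($SsoDomain -ieq $AdDomain) {
    throw "SSO domain '$SsoDomain' must not be the same as the Active Directory domain '$AdDomain'"
}

Connect-VIServer -Server $Server | Out-Null

# Role name -> number of privileges, so broad roles stand out in the report.
$privCount = @{}
foreach ($role in Get-VIRole) { $privCount[$role.Name] = @($role.PrivilegeList).Count }

$report = foreach ($perm in Get-VIPermission) {
    # PowerCLI reports principals as DOMAIN\name (e.g. VSPHERE.LOCAL\Administrator or CORP\jsmith);
    # the name@domain form is handled too in case a permission was created that way.
    $principal = $perm.Principal
    $domain = if ($principal -match '^([^\\]+)\\') { $Matches[1] }
              elseif ($principal -match '@(.+)$')  { $Matches[1] }
              else { 'unknown' }

    # Classify by identity source. The AD NetBIOS name is assumed to be the first DNS label
    # (CORP for corp.example); adjust if your NetBIOS name differs.
    $adNetbios = ($AdDomain -split '\.')[0]
    $source = if ($domain -ieq $SsoDomain)                              { 'SSO domain' }
              elseif ($domain -ieq $AdDomain -or $domain -ieq $adNetbios) { 'Active Directory' }
              else                                                        { "other ($domain)" }

    # Audit heuristics (assumptions, not VMware guidance): the built-in SSO administrator and
    # other local SSO accounts are not tied to a person in AD, and direct Admin grants to users
    # bypass group-based review.
    $finding = if ($source -eq 'SSO domain' -and $principal -imatch '\\administrator$') {
                   'built-in SSO administrator holds a permission'
               } elseif ($source -eq 'SSO domain') {
                   'local SSO account; not covered by AD audit trail'
               } elseif ($perm.Role -eq 'Admin' -and -not $perm.IsGroup) {
                   'Admin role granted directly to a user rather than a group'
               } else { '' }

    [pscustomobject]@{
        Entity     = $perm.Entity.Name
        Principal  = $principal
        IsGroup    = $perm.IsGroup
        Role       = $perm.Role
        Privileges = $privCount[$perm.Role]
        Propagate  = $perm.Propagate
        Source     = $source
        Finding    = $finding
    }
}

$report | Sort-Object Source, Entity, Principal | Format-Table -AutoSize
Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it against a freshly deployed vCenter and the only rows you should see are the built-in SSO administrator and SSO groups at the root folder; every additional row with Source "SSO domain" is an account that lives only in vsphere.local and will not appear in your Active Directory audit logs, which is usually the first thing to clean up before delegating permissions to AD groups.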
The SSO domain is therefore a critical part of any vSphere architecture: it is the mechanism that centralizes authentication, access control and privilege management across the vSphere family of products.