VCP6-DCV blueprint section 1: Configure and Administer vSphere 6.x Security – Objective 1.3


In this post we follow the VMware VCP6-DCV blueprint.

Below are the objectives for this post, taken from the VMware site:


  • Describe SSO architecture and components
  • Differentiate available authentication methods with VMware vCenter
  • Perform a multi-site SSO installation
  • Configure/Manage Active Directory Authentication
  • Configure/Manage Platform Services Controller (PSC)
  • Configure/Manage VMware Certificate Authority (VMCA)
  • Enable/Disable Single Sign-On (SSO) Users
  • Upgrade a single/multi-site SSO installation
  • Configure SSO policies
  • Add/Edit/Remove SSO identity sources
  • Add an ESXi Host to an AD domain

Describe SSO architecture and components

vCenter Single Sign-On is an authentication broker and security token exchange infrastructure. vCenter SSO is part of the Platform Services Controller (PSC).

vCenter SSO roles:

  • Allows vSphere components to communicate securely with each other
  • Uses a combination of STS (Security Token Service) and SSL for secure traffic, and authenticates users against Active Directory or LDAP identity sources; certificates secure the SSL channels and sign the issued tokens


Source: VMware vSphere Security document


The flow:

  1. The user logs in to the vSphere Web Client with a user name and password.
  2. The vSphere Web Client passes the login information to the vCenter SSO service, which checks the SAML token of the vSphere Web Client.
  3. If the user can authenticate to the identity source, vCenter Single Sign-On returns a token that represents the user to the vSphere Web Client.
  4. The vSphere Web Client passes the token to the vCenter Server system.
  5. vCenter Server checks with the vCenter SSO server that the token is valid and not expired.
  6. The vCenter SSO server returns the token to the vCenter Server system, which then applies the permissions assigned to that user.

vCenter Single Sign-On Components

STS (Security Token Service) – The STS service issues Security Assertion Markup Language (SAML) tokens. These security tokens represent the identity of a user in one of the identity source types supported by vCenter Single Sign-On.

Administration server – The administration server allows users with vCenter Single Sign-On administrator privileges to configure the vCenter Single Sign-On server and manage users and groups from the vSphere Web Client.

VMware Directory Service (vmdir) – The VMware Directory Service (vmdir) is associated with the domain you specify during installation and is included in each embedded deployment and on each Platform Services Controller.

Identity Management Service – Handles identity sources and STS authentication requests.

Perform a multi-site SSO installation

For performing a multi-site SSO installation, please refer to this link:


Configure/Manage Active Directory Authentication

See my previous post about AD.

Joining vCenter to my active directory lab



Configure/Manage Platform Services Controller (PSC)

To log in to the PSC UI, browse to the vCenter IP/name with /psc appended (https://<vCenter IP or FQDN>/psc) and log in as administrator@vsphere.local (or the administrator of the SSO domain you chose at installation, if you did not keep the default vsphere.local).

Tasks available:

  • Add/change SSO users and groups
  • Add identity sources
  • Manage certificates



Enable/Disable Single Sign-On (SSO) Users

To enable or disable SSO users from vCenter go to:

Administration >> Single Sign-On >> Users and Groups >> right-click the user >> Disable / Enable



Configure SSO policies

To configure SSO policies, log in to the PSC >> under Single Sign-On click Configuration >> Policies tab, where you can configure all three policy types (Password Policy, Lockout Policy and Token Policy). Lockout and token lifetime settings are also applied to the administrator@vsphere.local account, so make sure a lockout policy cannot leave you without any working administrator.



Add an ESXi Host to an AD domain

To add an ESXi host to an AD domain: from vCenter >> Hosts and Clusters >> choose the host >> Manage >> Settings >> Authentication Services >> Join Domain. Before joining, make sure the host can resolve the domain controllers through DNS and that its clock is in sync with the domain (Kerberos rejects a skew of more than five minutes), and use an AD account that is allowed to create computer objects in the target OU. After joining, review the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup: by default, members of an AD group named "ESX Admins" are granted administrator access on the host, so either rename it to a group you control or clear it.
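The same join, scripted with PowerCLI so the prerequisite checks and the post-join verification are explicit. This is an added example, not code from the original post; the vCenter name, host name, AD domain and the ESX Admins replacement group are hypothetical lab values, and it assumes PowerCLI is installed and that the credential entered is allowed to join computers to the domain.

```powershell
# Added example (not from the original post): join an ESXi host to Active Directory with PowerCLI.
# Assumed lab values: vCenter vcsa.lab.local, host esxi01.lab.local, AD domain lab.local,
# and an AD group "vSphere-Host-Admins" used instead of the default "ESX Admins".
Import-Module VMware.VimAutomation.Core

$vcenter    = 'vcsa.lab.local'        # assumption: lab vCenter
$hostName   = 'esxi01.lab.local'      # assumption: host to join
$domain     = 'lab.local'             # assumption: AD domain
$adminGroup = 'vSphere-Host-Admins'   # assumption: AD group that should get host admin rights
$joinCred   = Get-Credential -Message "AD account allowed to join computers to $domain"

Connect-VIServer -Server $vcenter | Out-Null
$vmhost = Get-VMHost -Name $hostName

# Pre-check 1: Kerberos needs accurate time, so require NTP to be configured and running.
$ntp = Get-VMHostNtpServer -VMHost $vmhost
if (-not $ntp) { throw "$hostName has no NTP server configured; the AD join will fail on clock skew" }
$ntpSvc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
if (-not $ntpSvc.Running) {
    Start-VMHostService -HostService $ntpSvc -Confirm:$false | Out-Null
}

# Pre-check 2: the host must be able to resolve the domain controllers.
$dns = (Get-VMHostNetwork -VMHost $vmhost).DnsAddress
if (-not $dns) { throw "$hostName has no DNS servers configured" }

# Join the domain (same operation as Manage > Settings > Authentication Services > Join Domain).
Get-VMHostAuthentication -VMHost $vmhost |
    Set-VMHostAuthentication -Domain $domain -JoinDomain -Credential $joinCred -Confirm:$false | Out-Null

# Verify: DomainMembershipStatus should be 'Ok'; anything else means the trust is not usable.
$result = Get-VMHostAuthentication -VMHost $vmhost
if ($result.DomainMembershipStatus -ne 'Ok') {
    throw "Join reported status '$($result.DomainMembershipStatus)' for $hostName"
}
"{0} joined {1} (trusted domains: {2})" -f $hostName, $result.Domain, ($result.TrustedDomains -join ', ')

# Hardening: replace the default "ESX Admins" group name with one you control.
Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' |
    Set-AdvancedSetting -Value $adminGroup -Confirm:$false | Out-Null

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Run it from a PowerCLI session with an account that has the Host.Configuration.Authentication Store privilege on the host; to leave the domain later, use Set-VMHostAuthentication with -LeaveDomain instead of -JoinDomain.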




