In this post we will follow the guidelines from the VMware VCP6-DCV blueprint.
Below are the objectives for this post, taken from the VMware site: https://mylearn.vmware.com/mgrReg/plan.cfm?plan=64180&ui=www_cert
- Describe SSO architecture and components
- Differentiate available authentication methods with VMware vCenter
- Perform a multi-site SSO installation
- Configure/Manage Active Directory Authentication
- Configure/Manage Platform Services Controller (PSC)
- Configure/Manage VMware Certificate Authority (VMCA)
- Enable/Disable Single Sign-On (SSO) Users
- Upgrade a single/multi-site SSO installation
- Configure SSO policies
- Add/Edit/Remove SSO identity sources
- Add an ESXi Host to an AD domain
Describe SSO architecture and components
vCenter Single Sign-On is an authentication broker and security token exchange infrastructure. vCenter SSO is part of the Platform Services Controller (PSC).
vCenter SSO roles:
- Allows vSphere components to communicate securely
- Uses a combination of STS and SSL for secure traffic, and for user authentication against AD or LDAP or via certificates
Login flow:
- The user logs in to the vSphere Web Client with a username and password.
- The vSphere Web Client passes the login information to the vCenter SSO service, which checks the SAML token of the vSphere Web Client.
- If the user can authenticate to the identity source, vCenter Single Sign-On returns a token that represents the user to the vSphere Web Client.
- The vSphere Web Client passes the token to the vCenter Server system.
- vCenter Server checks with the vCenter SSO server that the token is valid and not expired.
- The vCenter SSO server returns the token to the vCenter Server system.
vCenter Single Sign-On Components
STS (Security Token Service) – The STS service issues Security Assertion Markup Language (SAML) tokens. These security tokens represent the identity of a user in one of the identity source types supported by vCenter Single Sign-On.
Administration server – The administration server allows users with administrator privileges on vCenter Single Sign-On to configure the vCenter Single Sign-On server and manage users and groups from the vSphere Web Client.
VMware Directory Service (vmdir) – The VMware Directory Service (vmdir) is associated with the domain you specify during installation and is included in each embedded deployment and on each Platform Services Controller.
Identity Management Service – Handles identity sources and STS authentication requests.
Perform a multi-site SSO installation
For performing a multi-site SSO installation, please refer to this link: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2034074
Configure/Manage Active Directory Authentication
See my previous post about AD.
Configure/Manage Platform Services Controller (PSC)
To log in to the PSC: use the vCenter IP/name with /psc appended, and log in as firstname.lastname@example.org
Tasks available:
- SSO users/groups add/change
- Adding Identity Sources
- Managing certificates
Enable/Disable Single Sign-On (SSO) Users
To enable or disable SSO users from vCenter, go to:
Administration >> SSO >> Users and Groups >> right-click the user >> Disable / Enable
Configure SSO policies
To configure SSO policies, log in to the PSC >> under SSO, click Configuration >> Policies, where you can configure all policies (Password / Lockout / Token).
Add an ESXi Host to an AD domain
To add an ESXi host to an AD domain: from vCenter >> Hosts and Clusters >> choose the host >> Manage >> Settings >> Authentication Services >> Join Domain
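The SSO policy and AD-join objectives above are configured by hand in the PSC and Web Client; the following PowerCLI script is an added example (not from the original post) that audits the same settings read-only, so you can check what the click-paths produced. It assumes PowerCLI plus the community VMware.vSphere.SsoAdmin module, and the vCenter name, AD domain and thresholds are placeholders, not values from the post.

```powershell
# Added example: read-only audit of vCenter SSO password/lockout/token policies
# and of which ESXi hosts are actually joined to the expected AD domain.
# Assumes PowerCLI and the VMware.vSphere.SsoAdmin module are installed.
Import-Module VMware.PowerCLI
Import-Module VMware.vSphere.SsoAdmin

$vcenter  = 'vcenter.example.invalid'   # placeholder vCenter / PSC name
$adDomain = 'corp.example.invalid'      # placeholder AD domain hosts should be joined to
$cred     = Get-Credential -Message 'SSO administrator account'

Connect-VIServer -Server $vcenter -Credential $cred | Out-Null
$sso = Connect-SsoAdminServer -Server $vcenter -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -SkipCertificateCheck

# Lockout policy: 0 means lockout is disabled; thresholds are placeholders
$lockout = Get-SsoLockoutPolicy
if ($lockout.MaxFailedAttempts -eq 0 -or $lockout.MaxFailedAttempts -gt 5) {
    Write-Warning "Lockout threshold is $($lockout.MaxFailedAttempts) failed attempts"
}

# Password policy: short minimum length, or a lifetime of 0 (never expires)
$pw = Get-SsoPasswordPolicy
if ($pw.MinLength -lt 12) { Write-Warning "Minimum password length is $($pw.MinLength)" }
if ($pw.PasswordLifetimeDays -eq 0) { Write-Warning 'SSO passwords never expire' }

# Token policy: lifetimes are reported in seconds
$tok = Get-SsoTokenLifetime
if ($tok.MaxBearerTokenLifetime -gt 3600) {
    Write-Warning "Bearer token lifetime is $($tok.MaxBearerTokenLifetime)s"
}

# ESXi hosts: domain membership as seen under Authentication Services
Get-VMHost | Get-VMHostAuthentication | ForEach-Object {
    [pscustomobject]@{
        Host   = $_.VMHost.Name
        Domain = $_.Domain
        Status = $_.DomainMembershipStatus
        Joined = ($_.Domain -eq $adDomain -and $_.DomainMembershipStatus -eq 'Ok')
    }
} | Format-Table -AutoSize

Disconnect-SsoAdminServer -Server $sso
Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Hosts whose Status is not Ok (for example a broken trust after a machine-account reset) show up here before a login failure does.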