Part 16: My vCloud Journey Journal – Enabling Federation & SSO
A couple of weeks ago I downloaded the latest vCenter Server Appliance for 5.1, and since then we have had the 5.0.1a release. As some of you might have heard, there have been some issues configuring single sign-on. I’m pleased to say that with the web client at least I had very good experiences. So it was a kind of happy fortune that I turned my back on the Windows vCenter and embraced the appliance instead. However, I was struggling with the SSO relationship between vCloud Director and the VCSA. I’m pleased to say that with the vCloud 5.1.1 release that impasse has been overcome, and that’s what this post is all about.
But before I document that, let’s just review WHY you would want to do this configuration. The SSO process that is part of vCenter is meant to fundamentally alter the way administrators are authenticated. In the past each piece of software required its own configuration against a directory or LDAP service – in most people’s case that’s Microsoft’s Active Directory. Whenever you opened a new admin tool you would be challenged for credentials. What SSO attempts to do is authenticate you once, generating a solution user “token” which can then be relayed on to whatever management application you want to use. In the case of vCD it means you can use SSO as an authentication mechanism, and it also means that if you access the vCenter web client from vCD your current credentials are used. This configuration effectively replaces the vCloud Director login page with the web client instead. If you do need access to the vCloud Director login page, and want to use a local user account, you can still reach it by specifying the login page:
First, start by making sure that the VCSA is correctly configured for SSO. Once vCD is installed and the post-configuration is complete, you can begin by selecting the >Administration tab, >System Settings, >Federation and clicking the Register button.
I think the fields are pretty self-explanatory – they are the paths to the Lookup Service on the VCSA and vCD, together with authentication details. Once done, enable the option to “Use vSphere Single Sign-On” and hit the “Apply” button. DO NOT LOG OUT YET! We still have to give a user from the domain that SSO is configured for rights in vCD itself. If you do log out, you will need the URL in red to get back in.
Next we can go off to the >Users node in the “Administration” tab to add an SSO-backed user from my AD domain (called corp.com). Occasionally I’ve found this page doesn’t refresh after adding an LDAP or SSO provider – generally a refresh in the web browser is enough to fix this.
Clicking the + icon allows you to add accounts using the SSO/Federated option – notice the source is “vSphere SSO”. Accounts must be added using the UPN format (which looks suspiciously like an email address).
Finally, as I had added vCenter early on by manually specifying the URL for the vSphere Client, I decided to switch this to the more integrated “lookup service” method. This is held under >Manage & Monitor, >vSphere Resources, >vCenter, in the properties of the vCenter entry/entries.
When you’re ready you can log out of vCD and log back in. You should notice that despite typing the URL for vCD you are redirected to the vSphere Web Client login page to pick up your SSO-backed authentication token.
Note: You’ll notice I’m using Firefox here and not IE. The main reason is that I’m using the untrusted certificates that come with the VCSA and vCD, and I’ve found Firefox handles these better than IE. Without Firefox I would really have no choice but to generate fully trusted certificates from a recognized CA.