One of the key parts of administering vSphere infrastructure is being able to assign administrative permissions for vSphere resources. Managing logins and permissions in a VMware vSphere vCenter Server environment is critical not only to allow granular permissions on resources, but also for providing an audit trail of actions that are being performed within the vCenter environment.
Let’s take a look at key points, including assigning roles or permissions based on vCenter Single Sign-On and Active Directory.
vCenter Single Sign-On (SSO)
Prior to vSphere 5.1, vSphere authentication was performed either via the local security authority on the vCenter Server or via Active Directory (AD). Starting with vSphere 5.1, VMware introduced Single Sign-On (SSO) so that a single set of user credentials could be used across multiple ESXi hosts and other vSphere resources. SSO supports not only Active Directory authentication, but also any other Security Assertion Markup Language (SAML) 2.0–based authentication source. SSO also improves the security and agility of the vSphere authentication mechanism by allowing token-based authentication.
Another reason SSO is important is that today’s suite of VMware vSphere products integrates with vCenter through SSO. This allows access to resources across the suite of products to be granted and controlled for a particular user through SSO.
The SSO piece of the vCenter infrastructure is handled by the Platform Services Controller (PSC), which is set up during the configuration of the vCenter Server Appliance (VCSA). The PSC can be configured as an Embedded Platform Services Controller or as an External Platform Services Controller.
The Single Sign-On domain for vSphere is also configured during deployment of the VCSA. The SSO administrator account and password, the SSO domain name, and the SSO site name are all set during installation.
The SSO domain is the default identity source of the vSphere environment when no other authentication domain (such as Active Directory) is specified. As already mentioned, SSO provides a token exchange mechanism for authenticating against identity sources such as AD. Another point to remember is that issues can arise if the SSO domain name mirrors the AD domain name, which is why many administrators choose an SSO domain name with a “.local” suffix.
The SSO domain is a critical part of any vSphere architecture, providing the mechanism for simplifying and centralizing access control as well as privilege management across the board for the vSphere family of products.
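As an added example (not code from the original post), the following PowerCLI script shows one way to put the SSO and AD model above into practice: it logs in with an SSO administrator account, creates a least-privilege role, grants it to an Active Directory group on a single resource pool, and then lists the permissions on that object for review. The vCenter name, SSO account, AD group and resource pool name are placeholders, and it assumes VMware PowerCLI is installed and the AD domain has been added to SSO as an identity source.

```powershell
# Added example, not from the original post. All server, account, group and
# resource names below are placeholders.
Import-Module VMware.PowerCLI

$vc    = 'vcenter.example.com'           # placeholder vCenter FQDN
$sso   = 'administrator@vsphere.local'   # placeholder SSO administrator account
$group = 'CORP\vm-operators'             # placeholder AD group (AD identity source)
$pool  = 'Dev-Pool'                      # placeholder resource pool name

# Authenticate through SSO; the password is prompted for interactively.
Connect-VIServer -Server $vc -User $sso | Out-Null

# Custom role holding only the privileges a VM operator needs.
# These are standard vSphere privilege IDs.
$privIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract'
)
$role = Get-VIRole -Name 'VM Operator' -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name 'VM Operator' -Privilege (Get-VIPrivilege -Id $privIds)
}

# Grant the role to the AD group on the resource pool only. Propagate lets the
# permission apply to the VMs inside the pool, but not to anything above it.
$entity = Get-ResourcePool -Name $pool
New-VIPermission -Entity $entity -Principal $group -Role $role -Propagate:$true | Out-Null

# Review step: show who holds which role on this object, which is the view
# you want when reconciling permissions against the vCenter audit trail.
Get-VIPermission -Entity $entity |
    Select-Object Principal, Role, Propagate, IsGroup |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

Because the principal is an AD group rather than an individual account, membership changes in AD take effect in vCenter without editing vSphere permissions, and actions still show up in the vCenter event log under the individual user who performed them.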
This blog post is part of a series on VMware administration. At NAKIVO, we know VMware inside and out. Our team of experts designed NAKIVO Backup & Replication specifically to work with vSphere and ESXi. This is why you can expect seamless, efficient, and reliable VM backup with our solution.