was ‘VMware KB: enter Single Sign On FAQ vmwere’ Knowledge Base vCenter Single Sign On FAQ Purpose This article provides answers to frequently answered questions about vSphere Single Sign On. Notes: © For more information, see the ySphere 5.1 documentation dutipu/wws vmware com/support/puby vsphere.cssi-voenler-server= subhinh.. The documentation contains definitive information, Ifthere is a discrepancy between the documentation and this article, assume that the documentation is correct. * For more information about troubleshooting Single Sign On issues, see “Trublshotne Sine Sion On(SSO) sues in vCenter Server 5.1 (2033137) (search, do?emd-dsplayK C&edocT ype kosedocT Resolution This article answers questions in these subject areas: . 8 tener © SSO database questions an © SSO application questions (aon oGeneral questions ‘What is vCenter Single Sign On (SSO)? vCenter Single Sign On (SSO) is a component of the VMware Cloud Suite. SSO deals with identity management for administrators and applications that interact with the vSphere platform, SSO is based on identity management technology buit by RSA and specificaly talored for VMware Cloud Inffastructure deployment. ‘What are the key capabilities of SSO? osmraare comislisericolnicrositessearch.doMtanguage=en_USBemd=csplayKCBexerallt=2004918 1ans ‘WWiuare KB: Conte Single Sign OnF AQ * SSO can add muitiple AD domains, OpenLDAP, and the local operating system where SSO is deployed, It also lets you create local users and groups. * SSO now allows VMware vSphere to connect to a non-AD Identity Source - OpenLDAP. © SSO supports SAML 2.0 standard and WS-TRUST — both of which are open industry standards. * SSO lets users delegate tasks to solutions that can run as the identity of the user. * SSO supports identity delegation for long-lived tasks with the ability to renew tokens. Is SSO a replacement for my Active Directory or LDAP setup and management? No. SSO only federates authentication and principal data queries to your Active Directory or LDAP instances. It doe not allow for managing your AD or LDAP data, Do I need an Active Directory or LDAP setup to use SSO? No. SSO has its own internal user store, You can manage all principal data init, using the SSO admin interface in the vSphere Web Client. You can abo assign vCenter Server privileges to users and groups ffom this internal datastore Alternatively, you can alo point SSO to users residing in the OS where you deployed SSO. Does SSO replace VMware's Horizon Identity Manager? No, Horizon is aimed at providing identity management in layer-3 of the VMware product suite. How does SSO work? SSO is an authentication service that implements the brokered authentication architectural patter, The SSO server provides an authentication interface called Security Token Service (STS), Clients send WS- Trust authentication messages to the STS, which checks the user's credential against one of the attached identity sources. Upon successful authentication, STS generates a SAML 2.0 token, There are two points of exposure: The SSO Server and the vCenter Server. The vCenter Server uses the token to perform operations on behalf ofthe primary user. From the client's perspective, the vCenter Server stands between the client and any vSphere services that the client can use via the vCenter Server. Howis SSO Licensed? SSO és an integral part of vCenter Server and is not a licensable feature. It is available with all licensable versions of vCenter Server. SSO és not available with the freely downloadable version of vSphere. Hasmnare.comielisericalnirositensearch doManguage=er_USBere jplaykCBexernalld=2004018 28was ‘VMware KB: enter Single Sign On FAQ What versions of vCenter Server does SSO work with? SSO works with vCenter Server 5.1 Do existing ySphere applications (such as Site Recovery Manager and vCenter Operations) work with sso? SSO exposes a new authentication API. However, the old API continues to exist for applications that are already integrated with vCenter Server. All existing applications that have not yet migrated to the SSO APIs will continue to work with Center Server 5.1, just as they work with vCenter Server 5.0. Howis SSO packaged? SSO és available as a Windows installable package. SSO is also embedded within the vCenter Server Appliance. What is the upgrade process for Center Server with SSO in the mix? ‘vCenter Server 5.1 needs SSO to nun, Upgrades of vCenter Server to version 5.1 include the mandatory SSO installation step, followed by upgrading the Inventory Service and vCenter Server and pointing it to the installed SSO instance, What are the compatibility requirements for SSO? The compatibility requirements for SSO are the same as those for vCenter Server. What is the memory and HDD consumption of the SSO server itself? * 400 MB RAM on average, and up to 1 GB RAM © 200 MB HDD without the logs © Upto 5 GB HID for the logs (for the long run) What is the deployment model for SSO? For more information, see the vCenter Single Sign On Deployment Modes section in the vSphere Installation and Je (https: wn: vmnare, com /nmpportuheivephere nter-server-pube html) What is the deployment model for vCenter Server with SSO? Hasmnare.comielisericalnirositensearch doManguage=er_USBere jplaykCBexernalld=2004018 38was ‘WWiuare KB: Conte Single Sign OnF AQ For more information, see the How vCenter Single Sign On Affects vCenter Server Installation and Upgrades section ofthe vSphere Upgrade Guide (itis: muare com /unporsublvaphee-csi.veenterserver-pub htm Why would I install SSO on a separate machine from yCenter Server? IfSSO jis on the same machine as one of your vCenter Servers, and the machine goes down, you will lose not only that vCenter Server, but alo the abilty to log into all your other vCenter Servers. Why would I install SSO on the same machine as vCenter Server? vCenter and SSO on the same machine isthe default configuration, if you have only one vCenter Server instance How many vCenter Servers can an SSO instance serve? SSO poses no restriction on the number of vCenter Servers registered to it What happens when the SSO server is down? When SSO is down, any operation that requires authentication or session validation cannot fimetion. This implies som vCenter capabilities will not be available. It also implies users cannot connect to vCenter or the Web Client. The hypervisor layer continues to work as usual and your workloads continue to run, Is SSO available in High Availability mode? For more information, see the vCenter Single Sign On Deployment Modes section in the vSphere Installation and Sel Je (https: wn: com /nmportpube/vsphere-esx- voentr-cerverpubs htm) How does SSO back up and restore data? SSO stores data in a database similar to vCenter Server. The sensitive database data is encrypted with an encryption key, which should be backed up afier instalation, Can SSO be used with yCenter Server Heartbeat? Yes. vCenter Server Heartbeat can be also used to protect SSO. How does SSO integrate with the ySphere Client? SSO does not integrate with the vSphere Client. However, when you log in through the vSphere Client, vCenter Server sends the authentication request to SSO. Hasmnare-comislisericainirasitensearch doManguage=en_USBere jplaykCBexernalld=2004018 48was ‘VMware KB: enter Single Sign On FAQ How does SSO integrate with the ySphere Web Client? SSO is very closely integrated with the vSphere Web Client. Administrators must authenticate to SSO as part of the Web Client login process. The SSO configuration and management UL is integrated into the vSphere Web Client Can I disable SSO and revert to the old method of authentication in vCenter Server? No. Is there a published API associated with SSO? Yes. A client can use the vCenter Single Sign On API to obtain a SAML token. The client can then use that token to establish a vCenter session. The SSO Server presents a WSDL-based API that supports a subset of the WS-TRUS* and WS-SECURITY standards. For more information, see the vCenter Single Sign On Programming Guide (bpsoubs vmusre.comvaphere-S/topilcom vmware IChaseiPDFivmvare sso client prog suide 1 O-pd) Is there an SSO SDK that I can reference? Yes. The SDK can be downloaded from My VMware duipeiiny vmvare comuabiumvareogin) oSSO database questions Can I use Windows Authentication for the MSSQL database user name and password, as the JDBC Setup sereen implies? ‘No. For MSSQL databases, you must use SQL Server Authentication database users, Windows Authentication user are not supported. For more information, see Connection to the MSSOL database fails during vCenter Single Sign On installation section of the VMware vSphere 5.1 Release Notes (ipsa. ymnare comlanportivets5oc'vphete csx-veener- seve 51-olnte- notes i What SQL access rights does the database user require? The database user you specify during installation must have the DBA privilege. However, you can grant the DBA privilege just before you encounter this screen in the installer and revoke the privilege after installation is complete. For more information about required database users and permissions, see Required Information for Installing or Upgrading vCenter Single Sign On, Inventory Service, and vCenter Server section in the vSphere Installation Guide (toss mare com/smpor /pubenher-cexvoen subs. Hasmnare.comielisericalnirositensearch doManguage=er_USBerewas ‘VMware KB: enter Single Sign On FAQ Is the database user that I specify during installation a separate user from the RSA_USER and RSA_DB4 (the database users that are created during SSO installation)? Yes. The database user you specify during installation is used to create the users RSA_USER and RSA_DBA. For more information, see the Required vCenter Single Sign On Database Users section of the vSphere Installation and ‘Setup Guide tips: ww vmsare com/support/ubs/vsphere-csxi-vosntcr-scrver-pubs htm). Do RSA_USER and RSA_DBA need to be SQL users? Yes. When the installer creates RSA_USER and RSA_DBA, it assigns a password that does not meet my organization's password complexity requirements. Can I change the password for these automatically created users? No, but you have the option to manually specify created users rather than allowing the installer to create these users for you. Manually create RSA_USER and RSA_DBA before you begin the installation process and assign a password that meets your requirements. Enter the names and passwords of the users when you run the installer. ‘VMware provides optional scripts that you can run to create the required database users. For more information, see the Required vCenter Single Sign On Database Users section of the vSphere Installation and Setup Guide Why are the RSA_DBA and RSA_USER users required, and what SQL access rights do they require? RSA_DBA is used for creating the schema (DDL) and requires DBO permissions, RSA_USER reads and writes dat (only DML). For a list of the required access rights, see the Required vCenter Single Sign On Database Users section of the vSphere Installation and Set . . i se _ (s Hapherees What information is stored in the SSO Database? The SSO database stores system users and groups, SSO configuration information, and conection details for the attached identity sources, including domain accounts Why does the SSO administration interface and disabled domain accounts? the vSphere Web Client display information about locked The SSO administration interface provides a single view ofall attached identity sources, including Active Directory domain accounts. The SSO administrator does not need to open the Active Directory management interface to view information about locked or disabled domain accounts. Hasmnare.comielisericalnirositensearch doManguage=er_USBere jplaykCBexernalld=2004018 cowas ‘VMware KB: enter Single Sign On FAQ oSSO application questions Can I change the SSO administrator user name from admin@system-Domain to another user name? The adn in@systen-Domain user name cannot be changed. Itis similar to the Administrator user name on a Windows system, You can disable admin@systen-Domain after you grant SSO administrator privileges to another user. The user is only necessary when you perform HA/muttisite setup or recovery. When configuring vCenter with an external SSO, which user should I specify for Account with right to register vCenter with the SSO server? Specify a user with SSO administrative privileges. If your SSO runs on the vCenter Server Appliance (VCSA), this is the root user of the operating system encapsulating the appliance. If your SSO runs on Windows, this user is admin@systen-domain with the password you picked during installation, What Single Sign On deployment modes are possible with the vCenter Server Appliance? Only basic mode is supported with the vCenter Server appliance at this time, Windows SSO is currently required to deploy in HA or Multi-Site Modes. Which user should I specify for Account that will be assigned as vCenter administrator? ‘You can specify any user, but VMware recommends picking the operating system administrator ("root", "Administrators") or the administrators group ("root", "Administrators"). During the installation process, the installer appears to initiate a scan of the Active Directory domains to automatically add them as identity sources. Can I disable this functionality? The installer does not scan Active Directory domains. It only verifies that it can connect to the Active Directory identity source and configure connection data. During the installation process, I get the error, rdentity source discovery error. Is this related to the installer’s scan of the Active Directory domains in my environment? No, This error is usually due to an incorrect configuration of the environment. How many vCenter Single Sign On servers can be part of a High Availability SSO cluster? There is no limit to the number of SSO systems you can add to a High Availability SSO cluster. Is a multisite configuration made up of multiple instances of High Availability SSO clusters in separate Hasmnare.comielisericalnirositensearch doManguage=er_USBere jplaykCBexernalld=2004018 78treats ‘VMware KB: Cente Single Sign On FAQ physical sites? Yes. Do the clusters of a multisite configuration share one common global database, or is a database aligned to each cluster? A database is aligned to cach chister. Do clusters ina multisite configuration have any form of federation? You can nm manual replication scripts to synchronize the data across a multisite configuration. For more information, see the Manually Replicate Data in a Multisite vCenter Single Sign On Deployment section of the vSphere snares hens emr-vcentes- server pubs hal ‘When we configure an Active Directory identity source, we are required to use the Password Authentication type because Active Directory is locked down in our organization. What rights does this user require? The user you specify when you choose Password Authentication requires read-only access to Base DN for users and groups. yCenter Single Sign On seems to use auto-generated certificates. Can we replace these certificates with internally generated certificates? Yes. For more information, see Replacing Default vCenter 5.1 and ESXi Certificates (ipuioew vmware com/resourcettechresourcex) On the Technical Resources page at www. vinware,cOm (htip/ww.smvare com) Can we mix components from the vCenter Server Appliance and Windows stack? For example, could a Windows-based vCenter Server installation use SSO services provided by an SSO instance on a vCenter Server Appliance? Yes. You can point vCenter Server Appliance and Windows-based vCenter Server installations to SSO instances installed on either platform. How can I split out vCenter components such as SSO, vCenter Server, and the vSphere Web Client to comply with placement strategies for optimal failover and availability? For more information, see ySphere Installation and Setup tin: sacs con sinsor ibs bre styler sri, os. bem Hieruare comislfsonicalnicrosiestsearch doManguage=en_USBemd=clsplayKCSexterall=2094818 aewas ‘VMware KB: enter Single Sign On FAQ See Also © Troubleshooting Single Sign On (SSO) issues in vCenter Server 5.1 (avaserntopenDocunentLinkt2033137"" Request a Product Feature To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature dips suc htmi2depar «page. Permalink to: vCenter Single Sign On FAQ (hitp:/kb vmusre.comikh/2054918 Rend our blog (httpihlogs vate com Watch KBTV (http dbo. vmuare com/kbtvi) Follow us dutpsiwusetvitercomvmuncekh) Request New Content (hipitioww vmusce,comlanding pagesnowledgebte-content request hn) 1 Gavascript oid rate his) ‘2 ciavascriptvoil rater? his ‘B iiavascrinevoidl ratel3 hie A Giavascriptvoidl ratte ‘S Giavasciptvid ratet 5h 9 Ratings Actions, Bookmark Document ijavassript:addBookmarkioctionBoxUtil dooURL, actionBox til docTitle) Email Document ijavaserit:emsilDoc(actionDoxUtiLextI,sctionBoxUtilsiceld ation oxi docTitle, actionBoxUti epplaver, astionBioxUti bid scribe to Document vseifservice microstesmieroste do? SsplayKCR ducT ype-e€dacT ypelD-DT_KR 1 Lent crnalld-203491 84 form: GB SHARE ELE (ntep:/umcaddthis.com/bookmark phpv=250 d&username=xa-hsf42f36e60429¢) KB: 2034918 Updated: Sep 27, 2012 Categories: Informational Product(s VMware vCenter Server Product Version(s): VMware vCenter Server 5.1.x Hieruare comislfsonicalnicrosiestsearch doManguage=en_USBemd=clsplayKCSexterall=2094818