From the course: VMware vSphere 8 Certified Professional - Data Center Virtualization (VCP-DCV) (2V0-21.23) Cert Prep

Demo: vSphere Single Sign-On (SSO)

- [Rick] In this video, I'll demonstrate how to configure single sign-on for the vCenter Server Appliance in vSphere 8. So here you can see I'm at the login page for the vSphere client, and I'm going to put in my username and password to log in as the single sign-on administrator. And so in this case, it's administrator@vsphere.local. That's my single sign-on administrator. And so I'm going to log into the vSphere client. And so because I'm logged in as the single sign-on administrator, I'm going to have certain permissions. And so if I use my little hamburger menu here for the vSphere client, I'm going to go to Administration and under Administration, I've got some options here under Single Sign-On, and one of them is Configuration. So I'm going to click on Configuration. And because I'm signed in as the single sign-on admin, I can see my identity sources here and I could potentially add new identity sources. And you can see here there is an identity source that's already been added here called vsphere.local. This one is local to vCenter and vCenter only. And any users and groups that exist within the vsphere.local domain are built right into vCenter itself. So this is a great way to get vCenter set up, to get the appliance up and running, and to have this built-in single sign-on administrator, but it's not really the ideal identity source on an ongoing basis. You're probably going to want to have an Active Directory domain or OpenLDAP or some other type of identity source present here in your vCenter Server appliance. So let's go ahead and add an identity source. And again, this is something you can only do as a single sign-on administrator. And for the identity source type, I'm going to choose Active Directory, Windows Integrated Authentication. Now, here you can see I am unable to add a new identity source for Active Directory because at the moment, my vCenter Single Sign-On server is not joined to any domain. 
So we'll just click on this little link here to go to the Active Directory domain page, and I'm going to join Active Directory. And so I'll fill out my domain and I'll put in my username and password and I'll click on Join. And once this Active Directory join operation is complete, we're actually going to have to reboot the vCenter Server Appliance in order to make these changes take effect. And so in order to reset the vCenter Server Appliance, I have to go to my VAMI. So I'm just going to grab the address of my vCenter Server Appliance here. I'm going to open a new browser tab, and I'm going to append :5480 to the end here. That'll bring me to the vCenter Server Appliance Management Interface. I'll put in my root credentials. And up here at the top right, you can see the Actions menu. I'm going to click on Actions and I'm going to reboot. And so now my vCenter Server Appliance is going to go through the reboot process, and when it's done, I should be able to utilize that Active Directory domain. Okay, so now my vCenter Server Appliance has finished rebooting. So let's go back to Identity Sources. I'm going to click on Add identity source. I'm going to choose this lab.local domain and hit Add. And so now we have an additional identity source available here. And these identity sources are really just repositories of users and their passwords. So if I want to create roles or permissions for a specific user or a group of users, now I can create those roles and permissions for users in my lab.local Active Directory domain. Okay, so now that we've successfully added our identity source, let's go to the Users and Groups view and take a look around. And you'll notice here we've got this domain that we're currently viewing. This is the domain of the local vCenter Server. But what I really want to start by looking at is this vsphere.local domain. And look at this. Here's the account that we're signed in as right now: Administrator@vsphere.local. 
This is my single sign-on administrator account. So that's what we're signed in as right now. And if I want to, I could manually create more users. Inside of this vsphere.local domain, I could give them roles and permissions inside vCenter, but I'm not going to do that. The way that I'm going to manage my administrative users is through their Active Directory domain credentials here in the lab.local domain. So let's pick one of these Active Directory domain users to focus on. And I'm actually going to just choose this Administrator account here. So let's go to Roles. And here's all the built-in roles that come with vCenter. And one of those built-in roles is Administrator. So I can see here Administrator basically allows you to do everything. And there's a few other built-in roles like No access or like No cryptography administrator. There's a few baked-in roles here that are built right into vCenter right out of the box. So I just wanted to take a quick look at those before we migrate over to the Hosts and Clusters View. And what I'm going to do is I'm going to create a new permission on my Training Virtual Data Center. So I'm going to go to Permissions here, and I'm going to create a new permission using one of my Active Directory domain users. So here is the user. What domain is this user coming from? I'm going to choose my Active Directory domain, lab.local. I'm going to choose an account, administrator@lab.local, and I'm going to choose which one of those built-in roles I want to give this user. So I'm going to give administrator@lab.local administrator permissions, and I can choose to propagate to children. So what that means is that if there were hosts or anything else under this Training Virtual Data Center, this permission would be effective on all of those child objects as well. And I'll just go ahead and click OK here. 
So now what I've essentially done is I've created a scenario in which I can start assigning administrative permissions to Active Directory domain users and groups. So now I'm just going to log out of the vSphere client here and validate that the configuration that I just set up is actually working. So I'm going to log out as administrator@vsphere.local, and I'm going to log in as administrator@lab.local, and just validate that the permissions that I just set up are actually functioning, and it looks like they are. I can see here, I can navigate to the Training Data Center. And so let's try a little test here. I've got a couple hosts under my Training Software-Defined Data Center. I'm just going to try to make a quick configuration change to one of these hosts. So I'll go to the first host and I'll click on Configure. And I'm just going to add a port group to one of my virtual switches. So I've got my standard virtual switch here. Let's just make a quick change. I'm going to add networking. I'm going to create a new port group. I'm going to choose my existing virtual switch. Just call the port group demo, Next, Finish, and let's make sure that my change takes effect and yep, there it is. So moving forward, now instead of managing users inside of the vsphere.local domain, now I can just simply have a single set of credentials and my administrators can sign in to the vSphere client using their Active Directory domain credentials. And so I can go ahead and assign permissions to them in the vSphere Web Client based on those Active Directory domain credentials.
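The permission assignment and the validation step from the demo, reproduced with VMware PowerCLI so the same outcome can be scripted and audited. This is an added example, not code from the course or from VMware; it assumes PowerCLI is installed, a vCenter reachable at vcsa.lab.local, a data center object named Training, the NetBIOS name LAB for the lab.local identity source, and a standard switch named vSwitch0 on the first host. The Active Directory join, the appliance reboot through the VAMI and the addition of the identity source are done in the vSphere Client exactly as in the demo; the script starts once lab.local is already an identity source.

```powershell
# Added example (not from the course): assign and verify a vCenter permission for an
# Active Directory user with PowerCLI. Assumed names: vcsa.lab.local, LAB\administrator,
# the 'Training' data center and 'vSwitch0'.

Import-Module VMware.PowerCLI

# 1. Connect as the SSO administrator. This is the built-in vsphere.local account that
#    can manage identity sources and holds Administrator on the root object out of the box.
$vc = Connect-VIServer -Server 'vcsa.lab.local' -User 'administrator@vsphere.local' `
        -Password (Read-Host -Prompt 'SSO administrator password')

# 2. Resolve the target object and the built-in Administrator role.
#    PowerCLI exposes the built-in Administrator role under the name 'Admin'.
$dc   = Get-Datacenter -Name 'Training' -Server $vc
$role = Get-VIRole -Name 'Admin' -Server $vc

# 3. Grant the AD account the role on the data center and propagate it to every child
#    object (hosts, clusters, VMs), the equivalent of the "Propagate to children" checkbox.
New-VIPermission -Entity $dc -Principal 'LAB\administrator' -Role $role -Propagate:$true -Server $vc

# 4. Audit what is now effective on the object. This is the check worth keeping: only the
#    intended principals should hold Administrator here, and propagation should be deliberate.
Get-VIPermission -Entity $dc -Server $vc |
    Select-Object Principal, Role, Propagate, IsGroup |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false

# 5. Validate as the AD user, as the demo does: sign in with the domain credentials and make
#    a small, reversible change on a host (add a port group named 'demo' to vSwitch0).
$vcAd = Connect-VIServer -Server 'vcsa.lab.local' -User 'administrator@lab.local' `
          -Password (Read-Host -Prompt 'lab.local administrator password')

$firstHost = Get-VMHost -Location (Get-Datacenter -Name 'Training' -Server $vcAd) -Server $vcAd |
             Select-Object -First 1
$vswitch   = Get-VirtualSwitch -VMHost $firstHost -Name 'vSwitch0' -Server $vcAd
New-VirtualPortGroup -VirtualSwitch $vswitch -Name 'demo'

# Confirm the change took effect, then remove it so the lab is left as it was found.
Get-VirtualPortGroup -VirtualSwitch $vswitch -Name 'demo'
Remove-VirtualPortGroup -VirtualPortGroup (Get-VirtualPortGroup -VirtualSwitch $vswitch -Name 'demo') -Confirm:$false

Disconnect-VIServer -Server $vcAd -Confirm:$false
```

The `Get-VIPermission` listing in step 4 is the part to keep around after the demo: running it against the root folder and each data center on a schedule, and diffing the output, shows when an Administrator grant or a propagated permission appears that nobody intended. In production the principal would normally be an AD group rather than an individual account, so that membership is managed in the directory and no vCenter change is needed when people join or leave.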