Every vCenter has its own SSO domain and when installing an appliance you’ll need to determine to either join an existing one or create a new one. If you decide to create a new one, you’ll need to login to each vCenter instance separately and this could be cumbersome. Therefor it’s easier to join an existing vCenter when you deploy another one.
The security token service, also known as STS, is responsible for issuing SAML tokens, which represents the identity of a user. The administration server allows users with admin privileges to SSO to configure the SSO server and manage the users and groups. By default only the SSO administrator account has these rights.
The VMdir which is associated with the domain you specified during the installation stores and manages SSO user accounts and passwords and other configs for the SSO domain. It’s an LDAP directory and available on port 389. This directory is synced between all vcenter servers in the SSO domain. The identity management service is responsible for managing identity sources and STS auth requests that come in via the STS.
VCenter Single Sign-on provides authentication across multiple vSphere components through a secure token mechanism:
- User logs in to the vSphere Client
- vCenter SSO authenticates credentials against a directory service
- A SAML token is sent back to the user browser
- The SAML token is sent to vCenter Server, and the user is granted access
With the CLI command vdcrepadmin you can replicate one vCenter server to another, to create a circular synchronization pattern. Via this method you can ensure that if the middle vCenter server goes down, this does not affect the edge servers.
With the CLI command cmsso-util domain-repoint you can point another vCenter server to another SSO domain if you wish. However, this is a practice which should not be done regularly. It’s best to extend the SSO domain with a new vCenter server but is usually done when an old vcenter server needs to be migrated to an existing domain. With the command you can migrate VM’s and the databases to your domain and then decommission the vCenter server.
