Joy

4.1 – Describe single sign-on (SSO) deployment topology

Table of Contents

Every vCenter has its own SSO domain and when installing an appliance you’ll need to determine to either join an existing one or create a new one. If you decide to create a new one, you’ll need to login to each vCenter instance separately and this could be cumbersome. Therefor it’s easier to join an existing vCenter when you deploy another one.

The security token service, also known as STS, is responsible for issuing SAML tokens, which represents the identity of a user. The administration server allows users with admin privileges to SSO to configure the SSO server and manage the users and groups. By default only the SSO administrator account has these rights.

The VMdir which is associated with the domain you specified during the installation stores and manages SSO user accounts and passwords and other configs for the SSO domain. It’s an LDAP directory and available on port 389. This directory is synced between all vcenter servers in the SSO domain. The identity management service is responsible for managing identity sources and STS auth requests that come in via the STS.

VCenter Single Sign-on provides authentication across multiple vSphere components through a secure token mechanism:

  1. User logs in to the vSphere Client
  2. vCenter SSO authenticates credentials against a directory service
  3. A SAML token is sent back to the user browser
  4. The SAML token is sent to vCenter Server, and the user is granted access

With the CLI command vdcrepadmin you can replicate one vCenter server to another, to create a circular synchronization pattern. Via this method you can ensure that if the middle vCenter server goes down, this does not affect the edge servers.Table Description automatically generated with low confidence

With the CLI command cmsso-util domain-repoint you can point another vCenter server to another SSO domain if you wish. However, this is a practice which should not be done regularly. It’s best to extend the SSO domain with a new vCenter server but is usually done when an old vcenter server needs to be migrated to an existing domain. With the command you can migrate VM’s and the databases to your domain and then decommission the vCenter server.

Share this post with your friends
Leon Moris

Auteur

Welkom op switchtojoy.be. Door inventief en op de juiste manier om te gaan met technologie proberen wij jouw leven net iets makkelijker te maken. Als je vragen hebt, contacteer ons dan via het contact formulier.

Facebook Twitter Dribbble Behance

Ik geloof dat elke persoon uniek is. Bij alles wat we doen, zorgen we ervoor dat we dat met passie en empathie uitvoeren. Geen enkel project is hetzelfde. 

Daarom behandel ik elke klant als familie, zorgen we dat we deel uitmaken van de klant zijn droom en maken we deze werkelijkheid.

Joy
Contact

Egstraat 8

2491 Olmen

België

+32 (0) 499 05 08 05

happiness@switchtojoy.be

Volg ons
Facebook Twitter Whatsapp Linkedin Github
Overzicht
Diensten
laatste nieuws
Onze Producten
© 2023 all rights reserved
Gemaakt met ❤ door Leon Moris van Joy