- As mentioned in the slide above, vCenter SSO is the authentication platform for just vSphere and its related management components. It is very commonly mistaken for an enterprise-wide single sign-on solution. You do not have to buy a separate license for SSO, as it is part of the vCenter license and installation bundle.
- SSO was launched with vCenter 5.1 and now ships along with vCenter 5.5 as well. SSO forms the authentication domain in a vSphere infrastructure; hence, unlike with earlier versions of vCenter, a user does not log in directly to vCenter Server. When a user logs in to vCenter, either via the Web Client or the C# client (thick client), the request first hits the SSO server, which can be integrated with an AD/LDAP source for user mapping. At this point a SAML 2.0 token is generated for the user, and that token is exchanged as the user's credential to log in to vCenter or to the other vSphere components supported by vCenter SSO today.
- No operational SSO means no access to the vSphere components, hence it is the first component that needs to be designed and implemented to provide a stable access mechanism.
- Nearly all the components in a VMware Stack are integrated with SSO.
- It is important to note that for vCloud Director, the provider side is integrated with SSO.
- From a future perspective, I can clearly see VMware integrating SSO with other components of the management stack in the days to come.
Thanks to the engineering teams at VMware, the entire SSO was rewritten for vSphere 5.5. This was a great move, since it not only solved all the issues noticed in 5.1 but also improved the performance of vCenter Server in its new avatar. Let's have a quick look at what is new with vCenter Single Sign-On 5.5.
On this note, let's see what deployment models and upgrade options you have with vCenter SSO 5.5 in the slide below.
- If you upgrade from vCenter 5.1 to vCenter 5.5, you can do so from any of the existing deployment models you chose while installing 5.1.
- If you have the option of re-installing, or if you are installing vCenter 5.5 for the first time, you do not have to worry about the complex deployment models at all. You can use a single virtual machine for all vCenter components, within the same site or across sites. In case you have 6 or more local vCenter Servers, you can have a single instance of the SSO server, which all the vCenter Servers talk to for authentication. This avoids multiple streams of replication among SSO servers within the same site.
- Use the simple installer to install all the components on the same virtual machine, rather than performing a split install.
- You can install the database here as well; however, having it on a separate VM is beneficial as the environment scales.
- Make sure you give enough compute power to this single virtual machine, as it hosts all the components.
- Each site runs all its components individually while SSO replication maintains a single SSO domain across sites.
- Use of Linked Mode configuration can give you a single pane of glass here.
- So a simple install at each site is the best way to get rid of all the SSO nightmares you can think of.
As mentioned before, I will continue to share stuff around Architecting vSphere in the forthcoming parts.