Monday, May 18, 2015

If you don't want to use user@domain.com in vRA Login page, configure SSO wisely!

I have been working on various vRealize Automation consulting engagements and have come across customers who don’t want to use the login name in UPN format i.e. user@domain.com when logging in the vRA portal. They prefer using other traditional methods like domain\user or AD user id.
In this blog post I will try to cover all those options that you may use or recommend to your customer so that they don’t have to use the format user@domain.com when logging into the vRA portal.
Following are your options:
  1. vCenter Single Sign On
If you haven’t implemented vRA yet and currently in the design phase, you may suggest customer to use vCenter Single Sign On instead of using vRealize Identity Appliance. However there are some pros and cons of using vCenter SSO over Identity Appliance which you must be aware of when taking this decision, I will rather cover that in a different blog post.
We know that if you vCenter SSO the default domain is Local OS hence you have to set your Windows Active Directory as Default Domain in order to avoid using @domain.com in the login name.
  1. Add Identity Store using Active Directory
If you are going to propose using Identity Appliance in your solution, when you add an Identity Store use Active Directory and enter the NTLM name of the domain in the Domain alias field. This would allow you to login using domain\user.
  1. Client Integration Plugin
With the Client Integration Plugin you can login using “Use Windows session authentication” option available on the vRA login page. This will enable the user to use his existing Windows session for logging into vRA. If you are using vRA 6.2 and you click on the “Download Client Integration Plugin” link it may not work however if you have a vCenter Server you may download the Client Integration Plugin from its login page and use the same for Identity Appliance SSO.
If you have installed the Client Integration Plugin and the login fails using error “Windows Session Authentication login has failed as a result of an error caused by the VMware Client Integration Plugin” then follow the instructions in VMware KB http://kb.vmware.com/kb/2090617.
Once the Client Integration Plugin is setup correctly you would be able to login using “Use Windows session authentication” and hence won’t have to use @domain.com.
  1. Change default Identity Store using JXplorer (UNSUPPORTED)
In the first option, we saw how we can configure a default Identity Store for vCenter SSO using the Web Client. Unfortunately we don’t have a similar option for Identity Appliance SSO. To workaround this, you may use JXplorer to enable a default Identity Store for Identity Appliance.
  1. First Download & Installer JXplorer, the installer is available at http://jxplorer.org/downloads/
  2. Launch JXplorer and connect to the Identity Appliance SSO. Click on File > Connect


  1. Enter the following details:
  • Host – Identity Appliance SSO FQDN or IP
  • Level – User + Password
For all other options use the values provided in the screenshot
  1. Once you have connected to the SSO, navigate to local > vsphere > Services > Identity Manager > Tenants > select vsphere.local
  2. Click on Table Editor and search for vmwSTSDefaultIdentityProvider and enter the domain name in the value section.

NOTE: This option is not supported by VMware GSS and if you run into any issues you would have to revert the value of vmwSTSDefaultIdentityProvider to local os. Its recommended that you evaluate other options before implementing this in production.

2 comments:

  1. Nice post Arun.
    How about using a third party domain authentication mechanism like PKI ?

    ReplyDelete

  2. Wonderful blog.. Thanks for sharing informative Post. Its very useful to me.

    Installment loans
    Payday loans
    Title loans

    ReplyDelete