Monday, May 18, 2015

If you don't want to use user@domain.com in vRA Login page, configure SSO wisely!

I have been working on various vRealize Automation consulting engagements and have come across customers who don't want to use a login name in UPN format, i.e. user@domain.com, when logging in to the vRA portal. They prefer other traditional formats such as domain\user or a bare AD user id.
In this blog post I will cover the options you may use, or recommend to your customer, so that they don't have to use the user@domain.com format when logging in to the vRA portal.
Following are your options:
  1. vCenter Single Sign On
If you haven't implemented vRA yet and are still in the design phase, you may suggest that the customer use vCenter Single Sign On instead of the vRealize Identity Appliance. There are pros and cons to using vCenter SSO over the Identity Appliance which you must be aware of when making this decision; I will cover those in a different blog post.
We know that with vCenter SSO the default domain is Local OS, hence you have to set your Windows Active Directory domain as the Default Domain in order to avoid using @domain.com in the login name.
  2. Add Identity Store using Active Directory
If you are going to propose the Identity Appliance in your solution, then when you add an Identity Store choose Active Directory and enter the NTLM (NetBIOS) name of the domain in the Domain alias field. This allows users to log in using domain\user.
  3. Client Integration Plugin
With the Client Integration Plugin you can log in using the "Use Windows session authentication" option on the vRA login page. This lets the user reuse their existing Windows session to log in to vRA. If you are using vRA 6.2 and click the "Download Client Integration Plugin" link it may not work; however, if you have a vCenter Server you can download the Client Integration Plugin from its login page and use that for Identity Appliance SSO.
If you have installed the Client Integration Plugin and the login fails using error “Windows Session Authentication login has failed as a result of an error caused by the VMware Client Integration Plugin” then follow the instructions in VMware KB http://kb.vmware.com/kb/2090617.
Once the Client Integration Plugin is set up correctly you will be able to log in using "Use Windows session authentication" and hence won't have to use @domain.com.
  4. Change default Identity Store using JXplorer (UNSUPPORTED)
In the first option we saw how to configure a default Identity Store for vCenter SSO using the Web Client. Unfortunately there is no similar option for Identity Appliance SSO. To work around this, you may use JXplorer to set a default Identity Store for the Identity Appliance.
  1. First download and install JXplorer; the installer is available at http://jxplorer.org/downloads/
  2. Launch JXplorer and connect to the Identity Appliance SSO: click File > Connect
  3. Enter the following details:
  • Host – Identity Appliance SSO FQDN or IP
  • Level – User + Password
For all other options use the values provided in the screenshot
  4. Once you have connected to the SSO, navigate to local > vsphere > Services > Identity Manager > Tenants > select vsphere.local
  5. Click on Table Editor, search for vmwSTSDefaultIdentityProvider and enter the domain name in the value column.

NOTE: This option is not supported by VMware GSS; if you run into any issues you will have to revert the value of vmwSTSDefaultIdentityProvider to local os. It's recommended that you evaluate the other options before implementing this in production.
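As an added illustration (my own model, not VMware's code), the following Python sketch shows why each option works: a UPN always names its own identity store, a domain\user name resolves only when the NetBIOS name was entered as the Domain alias (option 2), and a bare user id resolves only when a default identity store is set (option 1, or vmwSTSDefaultIdentityProvider in option 4). All domain names, aliases and user ids are constructed sample values.

```python
# Added example, not VMware code: a model of login-name resolution that shows
# why the post's options work (Domain alias for domain\user, a default
# identity store for a bare user id). All domain/user values are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IdentityStore:
    domain: str                  # AD DNS domain name (sample value)
    alias: Optional[str] = None  # NTLM/NetBIOS name entered in the "Domain alias" field


@dataclass
class SsoConfig:
    stores: List[IdentityStore]
    default_domain: Optional[str] = None  # stands in for vmwSTSDefaultIdentityProvider

    def resolve(self, login: str) -> Tuple[str, str]:
        """Map a login name to (domain, user); raise ValueError if it cannot be resolved."""
        if "@" in login:                       # UPN: user@domain names its own store
            user, domain = login.rsplit("@", 1)
            store = self._by_domain(domain)
        elif "\\" in login:                    # domain\user: only works via a Domain alias
            alias, user = login.split("\\", 1)
            store = self._by_alias(alias)
        else:                                  # bare user id: only works with a default store
            user = login
            if self.default_domain is None:
                raise ValueError(f"{login!r}: no default identity store, use user@domain")
            store = self._by_domain(self.default_domain)
        if store is None:
            raise ValueError(f"{login!r}: no identity store matches")
        return store.domain.lower(), user

    def _by_domain(self, domain: str) -> Optional[IdentityStore]:
        return next((s for s in self.stores if s.domain.lower() == domain.lower()), None)

    def _by_alias(self, alias: str) -> Optional[IdentityStore]:
        return next((s for s in self.stores if s.alias and s.alias.lower() == alias.lower()), None)


if __name__ == "__main__":
    # Constructed sample: the Local OS store plus one AD store with its alias set.
    cfg = SsoConfig([IdentityStore("localos"), IdentityStore("corp.example", alias="CORP")])
    print(cfg.resolve("jdoe@corp.example"))   # ('corp.example', 'jdoe')
    print(cfg.resolve("CORP\\jdoe"))          # ('corp.example', 'jdoe')
    cfg.default_domain = "corp.example"       # the effect of option 1 or option 4
    print(cfg.resolve("jdoe"))                # ('corp.example', 'jdoe')
```

Leaving `default_domain` unset reproduces the situation the post is about: `resolve("jdoe")` raises, and the user is forced back to the user@domain.com form.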

14 comments:

  1. Nice post Arun.
    How about using a third-party domain authentication mechanism like PKI?