Commonly, a vCenter integrated with Active Directory through SSO provides authentication for users accessing vCenter. Creating vSphere SSO groups can achieve far more than you might expect. If you want to integrate multiple Active Directory domains and LDAP directories, or use local vCenter users and groups in conjunction with AD users, these more complex needs call for the group features of vCenter SSO (Single Sign-On).

The benefits of SSO groups

Many people consider SSO simply a requirement for installing vCenter: they configure it to use AD or another external authentication source and then forget about it. Particularly with vCenter 5.5 and later, the benefits of SSO are often ignored.

  • Multiple AD and LDAP sources can be specified, so a single SSO group can contain users and groups from otherwise unconnected authentication systems, or from domains that have no trust between them.
  • SSO groups can contain local users (vSphere.local accounts) and, when vCenter is installed on Windows, users who are members of the local operating system.
  • The SSO groups exist solely in vCenter, so they do not cause a security risk outside the virtualisation environment (as a domain trust might), and they can be created based on who needs access to the virtualised resources.

Creating vSphere SSO groups

Now that you know the benefits, here is how to do it. You need to use the Web Client for this task, and you need SSO from vCenter 5.1 or vCenter 5.5 or above. Go to Home (press the little house icon in the blue bar) and then select the Administration option. Under Single Sign-On you should now see “Users and Groups”. Go to the Groups tab and press the green plus icon.


Create new group in vCenter SSO for vC Ops

Now give it a name and optionally a description. That’s all you need to do to create the group. Now you need to put users or external groups into the SSO group. Select your newly created group, and below it you can see an icon of a person with another green plus. Click on this and you will see a dialog for adding new users and groups.

Add AD users to create vCenter SSO group

Here, either type the username or group name in the format DOMAIN\Group, or browse the list of objects from the domain selected in the domain drop-down box. Keep adding users and groups as you need.
