SSO Integration - ItsMmmike/SYS-350 GitHub Wiki

Configuring vCenter AD SSO Integration

In this milestone, we configure AD SSO integration for our vCenter Server so that permissions can be assigned to users and groups from the AD domain. This is useful in enterprise environments because it gives organizations finer control over how specific users and groups are able to interact with their internal/virtual resources.

Pre-Reqs:

  • Make sure that both AD01 and the vCenter Server are using the same NTP Server (pool.ntp.org) - Important because the AD join relies on Kerberos, and both servers' clocks need to stay within the Kerberos clock-skew tolerance for this to work
  • Ensure that both your AD Domain and vCenter Environments have been set up and are in proper working order (See previous Guide Pages for more info)
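As an added example (not part of the original wiki), the following PowerShell checks the NTP prerequisite from AD01 before the join is attempted: it confirms which time source AD01 is actually syncing from and measures its offset against pool.ntp.org with w32tm, then queries the vCenter appliance REST API for its time-sync mode and NTP server list. The vCenter FQDN, the credentials prompt and the 300-second tolerance are assumptions for this lab; the `/api/session`, `/api/appliance/timesync` and `/api/appliance/ntp` endpoints are the vSphere Appliance REST API as I know it (vSphere 7+), and `Invoke-RestMethod -SkipCertificateCheck` needs PowerShell 7.

```powershell
# Added example: pre-flight NTP check for the vCenter AD join (not from the original guide).
$VCenter     = 'vcenter.michael.local'   # assumed vCenter appliance FQDN
$ExpectedNtp = 'pool.ntp.org'            # NTP server the guide configures on both sides
$MaxSkewSec  = 300                       # assumed tolerance: Kerberos default is 5 minutes

# --- AD01 side: which source is Windows Time really using? ---
$status = w32tm /query /status
$source = ($status | Select-String -Pattern '^Source:').ToString().Trim()
Write-Host "AD01 time source -> $source"
if ($source -notmatch [regex]::Escape($ExpectedNtp)) {
    Write-Warning ("AD01 is not syncing from {0}. Fix with: w32tm /config /manualpeerlist:`"{0}`" /syncfromflags:manual /update" -f $ExpectedNtp)
}

# Measure AD01's offset from the shared NTP server (stripchart prints lines like '14:03:22, +00.0123456s').
$samples = w32tm /stripchart /computer:$ExpectedNtp /samples:5 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) { throw "No NTP replies from $ExpectedNtp (UDP/123 blocked?)" }
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
Write-Host ("Largest AD01 offset vs {0}: {1:N3}s" -f $ExpectedNtp, $worst)
if ($worst -gt $MaxSkewSec) {
    Write-Warning "AD01 clock skew exceeds $MaxSkewSec s; Kerberos logins to vCenter will fail until it resyncs."
}

# --- vCenter side: confirm the appliance is in NTP mode and points at the same server ---
# Assumed: appliance REST API session (POST /api/session with basic auth returns a session token).
$cred  = Get-Credential -Message "vCenter appliance account (e.g. administrator@vsphere.local)"
$token = Invoke-RestMethod -Method Post -Uri "https://$VCenter/api/session" `
    -Authentication Basic -Credential $cred -SkipCertificateCheck
$hdr   = @{ 'vmware-api-session-id' = $token }

$mode    = Invoke-RestMethod -Uri "https://$VCenter/api/appliance/timesync" -Headers $hdr -SkipCertificateCheck
$servers = Invoke-RestMethod -Uri "https://$VCenter/api/appliance/ntp"      -Headers $hdr -SkipCertificateCheck
Write-Host "vCenter timesync mode: $mode"
Write-Host "vCenter NTP servers:   $($servers -join ', ')"

if ($mode -ne 'NTP') {
    Write-Warning "vCenter is not in NTP mode (got '$mode'); set it to NTP in VAMI > Time before joining AD."
} elseif ($servers -notcontains $ExpectedNtp) {
    Write-Warning "vCenter does not list $ExpectedNtp as an NTP server; AD01 and vCenter may drift apart."
} else {
    Write-Host 'Both AD01 and vCenter use the same NTP source; safe to proceed with the AD join.'
}
```

If the stripchart step returns nothing, the NTP server is unreachable from AD01 and the join will still succeed, but domain logins will start failing as soon as the two clocks drift apart, which is the failure mode the prerequisite is guarding against.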

Adding a New AD Identity Source to vCenter:

  • In vCenter: Navigate to Administration > Single Sign On > Configuration > Select "Join AD"

[screenshot]

  • From here, enter the relevant AD information and Domain Admin credentials to join vCenter to the domain.

[screenshot]

[screenshot]

  • Lastly, reboot the vCenter Server to apply the new changes. Your AD domain should now be selected as the default/primary identity source used to log in to vCenter, similar to the screenshot below.

[screenshot]

Adding Domain Admins to the vCenter Administrator Group

This grants domain admins administrator privileges in the vCenter environment.

  • On AD01, I created a new "vSphere-Admins" Global Security Group and added Domain Admins to this Group (this includes my "michael-adm" user)

[screenshot]

  • To add the new "vSphere-Admins" group to the vSphere Administrator Group, I first navigated to vCenter > Administration > Single Sign On > Users and Groups > Under Groups I selected Administrators > Clicked on Edit, then added the michael.local "vSphere-Admins" group to the vCenter Administrators Group.

[screenshot]

  • Lastly, you should now be able to log in and manage vCenter using my "michael-adm" domain admin user
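Because the vCenter Administrators group now contains "vSphere-Admins", which in turn contains Domain Admins, the set of accounts that end up with full vCenter admin rights is only visible after expanding the nesting. The PowerShell below is an added example (not from the original wiki) that runs on AD01 with the ActiveDirectory module and answers two questions the steps above leave implicit: is the group the Global Security group vCenter expects, and exactly which user accounts inherit vCenter admin through it. The group and user names are the ones used in the guide.

```powershell
# Added example: verify the AD side of the vCenter admin group chain (not from the original guide).
Import-Module ActiveDirectory

$GroupName = 'vSphere-Admins'   # group created on AD01 in the guide
$AdminUser = 'michael-adm'      # domain admin account expected to gain vCenter access

# 1. The group must be Security (not Distribution) and the guide used Global scope.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Global') {
    Write-Warning ("{0} is {1}/{2}; the guide expects Global/Security." -f $GroupName, $group.GroupScope, $group.GroupCategory)
} else {
    Write-Host "$GroupName is a Global Security group."
}

# 2. Direct members: should show the Domain Admins group (and anything else that was added).
Write-Host "`nDirect members of ${GroupName}:"
Get-ADGroupMember -Identity $GroupName |
    Select-Object Name, objectClass | Format-Table -AutoSize

# 3. Effective members: -Recursive flattens nested groups, so every user listed here
#    will be a vCenter Administrator once the group is mapped in SSO.
$effective = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
Write-Host "Accounts that will hold vCenter Administrator rights via ${GroupName}:"
$effective | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

if ($effective.SamAccountName -notcontains $AdminUser) {
    Write-Warning "$AdminUser is not an effective member of $GroupName; the vCenter login in the last step will fail for it."
}

# 4. Flag disabled accounts that are still in the chain; they are dormant admins worth reviewing.
$dormant = $effective | Get-ADUser | Where-Object { -not $_.Enabled }
if ($dormant) {
    Write-Warning ("Disabled accounts still inherit vCenter admin: {0}" -f ($dormant.SamAccountName -join ', '))
}
```

Re-run the effective-members listing whenever Domain Admins changes: because the mapping is by group, any account added to Domain Admins later silently becomes a vCenter Administrator too, and this listing is the quickest way to see that on the AD side before checking the vCenter login.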

[screenshot]