Wednesday, 16 October 2013

vSphere 5.5 - SSO Setup and additional configuration

Hi all,
So when I was rebuilding my lab I took note from internal communications that we had made some changes to SSO, both under the hood and for the install.

So I started the install and selected the "Simple Install" as I was only building a lab.

SSO Admin Account

During the installation you have to set the SSO administrator password.  In 5.1 the default admin user was admin@System-Domain; the first thing I noted was that this had changed.  The default administrator account for SSO is now Administrator@vsphere.local, and the password you set here is the only credential for it, so keep it somewhere safe.


Attach Identity Source

So after the installation I logged in with the new Administrator@vsphere.local account.  I then logged out to see if the AD domain that the vCenter was a member of had been added to the SSO identity sources.  With vSphere 5.1 the AD was added automatically.  I received an error message stating that it could not log in.

So I went to add the identity source to the SSO configuration using the Web Client. 

Select Configuration in the left-hand menu, then the Identity Sources tab, and click the green plus.  You will get the popup window below.

Because this was my lab I used the domain Administrator account and I used port 389 for LDAP.  In a production environment you should configure a dedicated read-only AD account specifically for vSphere, so that vSphere's directory access is visible in the AD logs as its own account and the account cannot be used to change anything if it is compromised.  You should also use LDAP over SSL (ldaps://, port 636 by default) rather than plain LDAP on 389: with a simple bind over plain LDAP the bind password and every query go across the network in cleartext.

Test the connection and then click OK.  Give the Web Client a moment to add the source.
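The two production points above (a dedicated read-only bind account, and LDAP over SSL) turned into a small check, as an added example that is not from the original post or from VMware: it audits an identity-source definition the way you would fill it in, flagging the lab settings used here and passing a hardened version. The field names, the account names, the "privileged" name hints and the `dc_cert_supplied` flag are all constructed for the example; they are not the Web Client's own field names.

```python
"""Audit an SSO Active Directory (LDAP) identity-source definition.

Constructed example: field names and sample values are illustrative, not
the vSphere 5.5 Web Client's own, and the checks encode the production
advice (LDAPS, dedicated read-only bind account) from the post.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

LDAP_PORT = 389    # cleartext LDAP: a simple bind sends the password unencrypted
LDAPS_PORT = 636   # LDAP over SSL/TLS

# Substrings that suggest a privileged or shared account rather than a
# dedicated read-only service account (assumption: adjust to your naming standard).
PRIVILEGED_HINTS = ("administrator", "admin", "root")


@dataclass
class IdentitySource:
    """Settings as an admin would enter them (names are illustrative)."""
    name: str
    domain: str                      # AD DNS domain, e.g. lab.local
    primary_url: str                 # ldap://host:389 or ldaps://host:636
    bind_user: str                   # DOMAIN\\user or a DN
    base_dn_users: str
    base_dn_groups: str
    dc_cert_supplied: bool = False   # assumed flag: DC certificate supplied for ldaps?


def domain_to_dn(domain: str) -> str:
    """lab.local -> DC=lab,DC=local"""
    return ",".join(f"DC={part}" for part in domain.split("."))


def audit_identity_source(src: IdentitySource) -> List[str]:
    """Return a list of findings; an empty list means the source passes."""
    findings = []
    url = urlparse(src.primary_url)
    scheme = url.scheme.lower()
    port = url.port or (LDAPS_PORT if scheme == "ldaps" else LDAP_PORT)

    # 1. Transport: plain LDAP exposes the bind password and all queries.
    if scheme != "ldaps":
        findings.append(
            f"{src.name}: {scheme}:// on port {port} is cleartext; use ldaps:// "
            f"on {LDAPS_PORT} so the bind password and directory traffic are encrypted")
    elif not src.dc_cert_supplied:
        findings.append(
            f"{src.name}: ldaps:// without the DC certificate; supply it so the "
            "connection is verified, not just encrypted")

    # 2. Bind account: should be a dedicated read-only service account.
    account = src.bind_user.lower()
    if any(hint in account for hint in PRIVILEGED_HINTS):
        findings.append(
            f"{src.name}: bind account {src.bind_user!r} looks privileged; use a "
            "dedicated read-only service account so vSphere's AD access can be "
            "tracked separately and a leaked credential cannot change the directory")

    # 3. Base DNs should sit under the domain the source claims to serve.
    domain_dn = domain_to_dn(src.domain).lower()
    for label, dn in (("users", src.base_dn_users), ("groups", src.base_dn_groups)):
        if not dn.lower().replace(" ", "").endswith(domain_dn):
            findings.append(f"{src.name}: base DN for {label} {dn!r} is not under {domain_dn}")
    return findings


# Constructed samples: the lab settings described in the post, and a hardened version.
LAB_SOURCE = IdentitySource(
    name="lab-as-built", domain="lab.local",
    primary_url="ldap://dc01.lab.local:389",
    bind_user="LAB\\Administrator",
    base_dn_users="DC=lab,DC=local", base_dn_groups="DC=lab,DC=local")

PROD_SOURCE = IdentitySource(
    name="prod-style", domain="lab.local",
    primary_url="ldaps://dc01.lab.local:636",
    bind_user="LAB\\svc-vsphere-ldap",
    base_dn_users="OU=Users,DC=lab,DC=local",
    base_dn_groups="OU=Groups,DC=lab,DC=local",
    dc_cert_supplied=True)

if __name__ == "__main__":
    for src in (LAB_SOURCE, PROD_SOURCE):
        for line in audit_identity_source(src) or [f"{src.name}: OK"]:
            print(line)
```

Running it prints two findings for the lab settings (cleartext LDAP, privileged bind account) and `prod-style: OK` for the hardened ones. The name-based check for a privileged bind account is deliberately crude; in a real audit you would resolve the account's group memberships in AD instead of matching on its name.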

Once the identity source is added, accounts from it don't get access straight away: you need to add a group (or user) from the identity source to an SSO group, and that SSO group needs a role assigned in vCenter, before those accounts can see anything.

Add ID source group to SSO

Next you need to add a group from the identity source to an SSO group, which is what grants accounts from that source access to SSO and vCenter.


If I just log in with an account from the identity source I get presented with an empty vCenter or an access-denied message, as the account has no permissions.

I now need to add the accounts I am going to administer vSphere with to the SSO group that is assigned the Administrator role in vCenter.

By default the SSO group called Administrators (Administrators@vsphere.local) is assigned the Administrator role on the vCenter root object, propagating to everything below it.  This is why the account Administrator@vsphere.local has access to the vCenter and all the objects it controls.

The account I want to administer the vCenter with is called vsphere-admin; the domain admin account called Administrator is more of a backup account.

This time load the Web Client, select the Configuration tab, and under SSO select Users and Groups.  This will show you the groups that are configured in SSO.


Select the Administrators group and the accounts included in this group are listed below it.  Click the green plus in the lower window to add an account to the group.

Select the correct identity source from the drop-down, then find the account you want to add.  Click Add and then OK.


The Web Client in my lab took a few minutes to add this to the group, but after the account has been added you should see a screen like the one below, showing the accounts you have added to the group.

You can also assign accounts the Administrator role directly in vCenter using the traditional permissions method.  So we could add the domain accounts straight to vCenter and bypass the SSO groups altogether.  I would not recommend this, as SSO is used in other products and adopting it now will make it less painful when it becomes an essential component in future releases.  A direct assignment is also one more place to check when you audit who has Administrator, whereas keeping admins in the SSO Administrators group gives you a single list to review.
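The access chain this section walks through (AD user, AD group, SSO group, vCenter role) is easy to get wrong, so here it is as a small model, added as an example and not part of the original post or VMware's code. It resolves a user's effective roles on the vCenter root by expanding group membership transitively, reproduces the "access denied / empty vCenter" case for a user who is in the identity source but in no SSO group, and flags the direct domain-principal assignments that bypass SSO. All the users, groups and permissions are constructed to match the lab described in the post; the `vsphere.local` prefix is used as the marker for SSO-domain principals.

```python
"""Resolve effective vCenter roles through AD groups and SSO groups.

Constructed example: the group memberships and root permissions below are
made up to match the lab in the post; this is a model of the chain, not
the SSO or vCenter implementation.
"""
from typing import Dict, List, Set

SSO_DOMAIN_PREFIX = "vsphere.local\\"   # assumption: principals in the SSO system domain

# AD group membership from the LAB identity source (constructed).
AD_GROUPS: Dict[str, Set[str]] = {
    "LAB\\vSphere Admins": {"LAB\\vsphere-admin"},
    "LAB\\Domain Admins": {"LAB\\Administrator"},
}

# SSO groups in vsphere.local and their members: SSO users, AD users or AD groups.
SSO_GROUPS: Dict[str, Set[str]] = {
    "vsphere.local\\Administrators": {
        "vsphere.local\\Administrator",   # the built-in SSO admin
        "LAB\\vsphere-admin",             # AD user added via Users and Groups
        "LAB\\Domain Admins",             # AD group added the same way
    },
}

# vCenter permissions on the root object: principal -> role name.
# Out of the box only the SSO Administrators group holds the Administrator role.
ROOT_PERMISSIONS: Dict[str, str] = {
    "vsphere.local\\Administrators": "Administrator",
}


def expand_principal(user: str,
                     ad_groups: Dict[str, Set[str]],
                     sso_groups: Dict[str, Set[str]]) -> Set[str]:
    """The user plus every AD and SSO group that contains it, transitively.

    A group is reached when any already-reached principal is one of its
    members, so nested AD groups and AD groups inside SSO groups both work.
    """
    reached = {user}
    frontier = [user]
    while frontier:
        principal = frontier.pop()
        for groups in (ad_groups, sso_groups):
            for group, members in groups.items():
                if principal in members and group not in reached:
                    reached.add(group)
                    frontier.append(group)
    return reached


def effective_roles(user: str,
                    permissions: Dict[str, str],
                    ad_groups: Dict[str, Set[str]],
                    sso_groups: Dict[str, Set[str]]) -> List[str]:
    """Roles the user holds on the root, via itself or any group it is in.

    An empty list is the "empty vCenter / access denied" case from the post:
    the account authenticates through the identity source but nothing has
    granted it a role.
    """
    principals = expand_principal(user, ad_groups, sso_groups)
    return sorted({role for principal, role in permissions.items()
                   if principal in principals})


def direct_domain_assignments(permissions: Dict[str, str]) -> List[str]:
    """Principals given a role directly that are not SSO-domain groups or users.

    These are the "bypass SSO" assignments the post advises against: they
    work, but they are not visible in the SSO Administrators group.
    """
    return sorted(p for p in permissions if not p.startswith(SSO_DOMAIN_PREFIX))


if __name__ == "__main__":
    for user in ("LAB\\vsphere-admin", "LAB\\Administrator", "LAB\\jsmith"):
        roles = effective_roles(user, ROOT_PERMISSIONS, AD_GROUPS, SSO_GROUPS)
        print(f"{user}: {roles or 'no role (access denied)'}")
    bypass = {**ROOT_PERMISSIONS, "LAB\\jsmith": "Administrator"}
    print("direct (non-SSO) assignments:", direct_domain_assignments(bypass))
```

`LAB\vsphere-admin` gets Administrator through its direct membership of the SSO group, `LAB\Administrator` gets it through `Domain Admins` nested inside that SSO group, and `LAB\jsmith` gets nothing until it is added somewhere. Adding `LAB\jsmith` straight to the root permissions also works, but then it only shows up in the direct-assignment list, not in the SSO group.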

vSphere 5.5 - What's changed

Hi All

I have tried not to call this a "What's New" blog post, as I plan on doing one of those in the future.  However, I did want to post some info about things I have noticed when building my vSphere 5.5 lab.

Coincidentally, I have been asked by one or two customers about things they have noticed, so I thought it was worth publishing something I could reference in future questions.  A few posts will follow about things I have noted in my lab setup.

My lab is running the following:

1 vCenter - Windows 2K8 R2 SQL Express
1 DC - Windows 2K8 AD, DNS.  AD running 2008 R2 domain level.
2 ESXi hosts - Resource
1 ESXi host - MGMT Runs vCNS
1 vC AC 5.2 Server

I may add more machines to the lab later on, but it is all running on a MacBook with Fusion Pro, so I am limited in how many machines I can run.

Keep looking and I'll post updates soon.