vSphere Single Sign On? Rethink Your Architecture


vSphere Single Sign On (SSO) is a new feature in vSphere 5.1, introducing a standalone service that acts as an authentication broker for various VMware products such as vCenter Server, vCloud Director, VCO, vShield Manager or VMware Horizon. SSO is a critical component that is required before any other vSphere 5.1 component is installed or upgraded!

Single Sign On (SSO) uses SSL certificates to encrypt network traffic between components, for example between vCenter Server and Horizon. VMware uses standard certificates by default, but users can replace these certificates with ones signed by a trusted certificate authority to comply with security policies.

vCenter Single Sign On

SSO also requires careful planning when you are designing a new vSphere 5.1 environment or upgrading to vSphere 5.1, especially when you are using more than one vCenter in your environment.

Multisite setup? Rethink your architecture before upgrading

I have had multiple multisite customers (which also run multiple vCenter servers) that just wanted to upgrade to vSphere 5.1. Before you do this, you need to make a decision between a Multisite or HA deployment of SSO:

Multisite Single Sign On

Multisite Single Sign On deployment is designed only for faster local access to authentication-related services. It does not provide failover between Single Sign On servers on different sites. When the Single Sign On instance on one site fails, its role is not taken over by a peer Single Sign On instance on another site. All authentication requests on the failed site will fail, even if peer sites are fully functional. Please read this KB Article: Installing vCenter Single Sign On in a multisite deployment

Highly Available SSO

Configure vCenter Single Sign On for High Availability (HA) by installing two nodes in HA mode and putting them behind load balancing software. In HA mode, both the nodes work with the same shared database, use the same data, and have the same user stores. Please read this KB Article: Configuring vCenter Single Sign On for High Availability

In many cases I just want my SSO to be highly available. When you have multiple vCenter Server instances, you can link them to the same SSO instance on the same site.

If geographical sites are used with multiple vCenter servers, you can still utilize a central clustered environment; however, a multisite configuration is recommended.

Many people who have tried to upgrade to vSphere 5.1 have reported various SSO-related failures. If you run into trouble you might want to check out the following published KB articles:

Resolution Paths to solve SSO troubles:

Installation and Deployment


Admin and Login

Links borrowed from http://blogs.vmware.com/kb/2012/10/vsphere-sso-resources.html
