Saturday, 13 October 2012

vCenter Single Sign-On (SSO) - Part1


This feature was introduced in vSphere 5.1 and changed the whole architecture of vSphere environment in terms of authentication and directory services.

Concept

Previously, when you login to your vCenter (for example), your username and password are authenticated against vCenter AD or vCenter local users.

With the presence of SSO, your credentials are passed from vCenter to SSO server. SSO is using Shared Token Service (STS) as authentication interface with vCenter. The credentials are passed as WS-TRUST message to STS. Your SSO server can have multiple mixed identity providers (LDAP, Local Users, OpenLDAP, System-Domain). SSO will try to authenticate the credentials received in WS-TRUST message against all identity providers till successful authentication is matched. Upon successful authentication, STS generates a SAML 2.0 token which is sent back to vCenter and to end user.

Note: vCenter will ONLY pass the credentials to SSO and won't do any authentication

At this stage the end user will get into vCenter and start browsing different components. The vCenter Server uses the token to perform operations on behalf of the primary user. From the client's perspective, the vCenter Server stands between the client and any vSphere services that the client can use via the vCenter Server.

For example, in case the end user wants to browse vShield Tab from vSphere Client, prior to vSphere 5.1 the user needs to enter new credentials. With the presence of SSO, vCenter will pass the token on behalf of the client to vShield manager and vShield manager use it to verify the user against SSO.