Wednesday, December 4, 2013

Part 2 - Architecting vCenter Single Sign On (SSO) – A Scoop from my vForum Prezo

This article is the second part of the series of articles on "Architecting vSphere Environments - Everything you wanted to know!"

Although each part of this series can be used on its own to learn about architecting a particular component of a VMware vSphere infrastructure, I highly recommend that you read the first part before this article, to understand the context and the reason behind my writing this series.

In this article I will specifically talk about best practices around vCenter Single Sign-On Server and its related components. I will begin by giving you a bite of the need for and importance of vCenter Single Sign-On, and later move on to recommendations on how to lay out the SSO architecture. I would also like to credit these slides to Nick Marshall from VMware. Nick presented this material at vForum Sydney and was kind enough to share it with his global counterparts.

  • As mentioned in the slide above, vCenter SSO is the authentication platform for vSphere and its related management components only. It is very commonly mistaken for an enterprise-wide single sign-on solution. You do not have to buy a separate license for SSO, as it is part of the vCenter license and installation bundle.
  • SSO was launched with vCenter 5.1 and now ships with vCenter 5.5 as well. SSO forms the authentication domain of a vSphere infrastructure, so unlike in earlier versions of vCenter a user no longer logs in directly to vCenter Server. When a user logs in to vCenter, via either the Web Client or the C# (thick) client, the request first hits the SSO server, which can be integrated with an AD/LDAP identity source for user mapping. At this point a SAML 2.0 token is generated for the user, and that token is presented in place of the user's credentials to log in to vCenter or to the other vSphere components that vCenter SSO supports today.
  • No operational SSO means no access to vSphere components, so SSO is the first component that needs to be designed and implemented in order to have a stable access mechanism.
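The bullet above describes the token flow only in outline: SSO authenticates the user against the identity source and issues a SAML 2.0 token that the vSphere component then accepts instead of a password. The following is an added illustration, not code from this post or from VMware, of the checks a relying party has to make on such a token before trusting it. It parses a constructed assertion (the hostnames, user name and times are made up) and validates its issuer, audience, subject and validity window; XML signature verification against the STS signing certificate is deliberately left out of this example, and a real relying party must perform it before any of the other checks mean anything.

```python
"""Minimal relying-party checks on a SAML 2.0 assertion (added illustration).

Not VMware code: the assertion below is constructed to have the general shape
any SAML 2.0 security token service produces. Signature verification is
omitted; validate_assertion() covers issuer, audience, subject and the
NotBefore / NotOnOrAfter validity window with a small clock-skew allowance.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample token; every name, host and timestamp here is made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-1" Version="2.0" IssueInstant="2013-12-04T09:00:00Z">
  <saml:Issuer>https://sso.example.local/sts/STSService</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.local</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-12-04T09:00:00Z" NotOnOrAfter="2013-12-04T17:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vcenter.example.local/sdk</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-12-04T09:00:00Z"/>
</saml:Assertion>"""


def parse_time(value):
    """Parse the UTC xsd:dateTime form SAML uses ("...Z") into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract the fields a relying party needs from a SAML 2.0 Assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion element")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion carries no Conditions element")
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "not_before": parse_time(conditions.get("NotBefore")),
        "not_on_or_after": parse_time(conditions.get("NotOnOrAfter")),
        "audiences": [
            a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
        ],
    }


def validate_assertion(assertion, expected_issuer, expected_audience, now,
                       clock_skew=timedelta(minutes=5)):
    """Return a list of problems; an empty list means the token passed these checks."""
    problems = []
    # The token must come from the STS this relying party trusts ...
    if assertion["issuer"] != expected_issuer:
        problems.append("issuer mismatch: %s" % assertion["issuer"])
    # ... and must have been issued for this relying party, not another service.
    if expected_audience not in assertion["audiences"]:
        problems.append("token not issued for this audience")
    if not assertion["subject"]:
        problems.append("missing subject NameID")
    # Validity window, tolerating small clock drift between STS and relying party.
    if now < assertion["not_before"] - clock_skew:
        problems.append("token not yet valid")
    if now >= assertion["not_on_or_after"] + clock_skew:
        problems.append("token expired")
    return problems


if __name__ == "__main__":
    token = parse_assertion(SAMPLE_ASSERTION)
    print(validate_assertion(token,
                             "https://sso.example.local/sts/STSService",
                             "https://vcenter.example.local/sdk",
                             parse_time("2013-12-04T10:00:00Z")))
```

The audience check is the one most often skipped in home-grown validators: a token that SSO issued for one component must not be accepted by another just because the signature and time window are fine.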

With this I will move to the second slide, which lists the VMware solutions that are integrated with vCenter SSO today. This makes it even more obvious that SSO is here to stay and that we need to design and implement it properly for a stable infrastructure.

  • Nearly all the components in a VMware stack are integrated with SSO.
  • It is important to note that for vCloud Director it is the provider side that is integrated with SSO.
  • Looking ahead, I can clearly see VMware integrating SSO with further components of the management stack in the days to come.

Those who have used SSO with vSphere 5.1 will agree that there were issues and concerns around implementing and using it. There was a lot of buzz in the community that was not in favor of the concept of Single Sign-On as a vSphere component. I, being a hands-on guy, would completely agree with the community, since I faced many of the issues that made the rounds of the blogs and forums.

Thanks to the engineering teams at VMware, SSO was entirely re-written for vSphere 5.5. This was a great move, since it not only solved all the issues noticed in 5.1 but also improved the performance of vCenter Server in its new avatar. Let's have a quick look at what is new with vCenter Single Sign-On 5.5.

I believe the slide itself is self-explanatory; however, I would like to point out a few changes I am impressed with. One is built-in replication and the other is the removal of the database. With these features you no longer have to manually update new roles/users on each of your SSO instances: update one site and replication takes care of syncing that information between all the SSO servers that are paired together. With no database, you do not have to run those nasty scripts to ensure you have a working database for SSO. Quite cool, ain't it!

On this note let's see what deployment models & upgrade options you have with vCenter SSO 5.5 in the slide below.

  • If you upgrade from vCenter 5.1 to vCenter 5.5, you can do so from any of the deployment models you chose when installing 5.1.
  • If you have the option of re-installing, or if you are installing vCenter 5.5 for the first time, you do not have to worry about the complex deployment models at all. You can use a single virtual machine for all vCenter components, within the same site or across sites. If you have 6 or more local vCenter Servers, you can run a single SSO server instance that all the vCenter Servers talk to for authentication. This avoids multiple replication streams among SSO servers within the same site.

The recommendation to have a single virtual machine for all the components of vCenter Server is showcased in the slide below.

  • Use the simple installer to install all the components on the same virtual machine, rather than performing a split install.
  • You can install the database here as well; however, having it on a separate VM is beneficial once the environment scales.
  • Make sure you give this single virtual machine enough compute power, as it is hosting all the components.

Let us also look at the recommendations around the multi-site deployment model in the last slide.

  • Each site runs all of its components individually, while SSO replication maintains a single SSO domain across the sites.
  • A Linked Mode configuration can give you a single pane of glass across the sites.
  • So a simple install at each site is the best way to get rid of all the SSO nightmares you can think of.

With this, I will close this article. I hope you enjoy reading it and apply the recommendations mentioned here in your environments. Feel free to leave your thoughts in the comments section.

As mentioned before, I will continue to share material around architecting vSphere in the forthcoming parts.

Stay tuned!!

Share & Spread the Knowledge!!


  1. Nice article Sunny.. Glad 5.5 has a lot to offer on simplicity and saves us from the nightmares of SSO :)

  2. Glad you liked it!! Yup SSO with 5.5 is easy peasy!!

  3. Good, informative blog!! I was browsing the internet for some information around single sign-on solutions when I happened to see your post. Though I'm very late to comment on this topic, anyway, thank you for sharing this blog with everyone.