vRealize Orchestrator and vSphere 6 SSO Authentication

Starting to mess around with vRealize Orchestrator and just deployed the 6.0.3 vRO appliance. A few gotchas, many of which are well denoted by other blog posts:

  1. DNS, DNS, DNS!! Pre-configure everything and make sure names are correct
  2. Certificates, make sure they are accurate
  3. NTP

One of the first issues I ran into was registering it with my SSO. My setup has two vCenters with two separate but federated Platform Services Controllers. I wanted to authenticate my vRO instance with SSO, not my Active Directory to keep user management a bit more central to VMware. Ran into some fun gotchas.

The first one was obvious and only took me a failed registration attempt to realize it, mostly because I had forgotten my PSC (so SSO) wasn’t on my vCenter.

If you have a separate PSC outside of your vCenter, use that FQDN. Otherwise, of course registration will fail. No surprise there.

The bigger issue I ran into was the SSL certificate import. Essentially before you register the SSO server with vRO, you need to first manually import a SSL cert for that SSO source.


Here is where I got into my first issue. I would import the cert using the URL of my PSC. Which happens to be:


It would import a SSL and it would seem to be fine:


I would go back and try to register the SSO server and it would fail and say I needed to import the SSL cert!! It would recommend i rebooted the configuration server of vRO which I would do, but that did not help.

After fruitless troubleshooting it dawned on my there are many services running on my PSC, so likely there are multiple certs. Then, duh… I need to put in the correct port number indicating the SSO service, so it gets that cert. So I tried:


Bingo! The cert imports looking like this:


Note the common name: ssoserver. That looks better! I then restarted the configuration server service (which seems like you have to always do when adding a new cert). And SSO registered!

Well…I got further. Here comes issue number two. This one was a bit easier to figure out though.

So I got past the SSL thing, but it would now fail upon SSO registration because the vsphere.local tenant doesn’t exist.


I don’t use the default vsphere.local tenant, instead made it pure.vmw. So basically you have to click advanced settings and change some things.

If you look at token and admin service URL, you can see the URLs end with vsphere.local


Change them to your custom tenant and it should work.


Finish the registration and choose your admins and test your logins! Works great.


So somewhat simple problems, but can easily be overlooked.

4 Replies to “vRealize Orchestrator and vSphere 6 SSO Authentication”

  1. With SSO based authentication, is there any way we can know current vRO user identity (SAML token) inside vRO plugin code or plugin JavaScript?

    1. I am not entirely sure. Presumably. But I would recommend checking out the VMware Code site and posing this question there–someone there should know better than I

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.