vRealize Orchestrator and vSphere 6 SSO Authentication

Starting to mess around with vRealize Orchestrator and just deployed the 6.0.3 vRO appliance. A few gotchas, many of which are well denoted by other blog posts:

  1. DNS, DNS, DNS!! Pre-configure everything and make sure names are correct
  2. Certificates, make sure they are accurate
  3. NTP

One of the first issues I ran into was registering it with my SSO. My setup has two vCenters with two separate but federated Platform Services Controllers. I wanted to authenticate my vRO instance with SSO, not my Active Directory to keep user management a bit more central to VMware. Ran into some fun gotchas.

The first one was obvious and only took me a failed registration attempt to realize it, mostly because I had forgotten my PSC (so SSO) wasn’t on my vCenter.

If you have a separate PSC outside of your vCenter, use that FQDN. Otherwise, of course registration will fail. No surprise there.

The bigger issue I ran into was the SSL certificate import. Essentially before you register the SSO server with vRO, you need to first manually import a SSL cert for that SSO source.

ssl1st

Here is where I got into my first issue. I would import the cert using the URL of my PSC. Which happens to be:

psc-vmw-1.csgvmw.local

It would import a SSL and it would seem to be fine:

wrongcert

I would go back and try to register the SSO server and it would fail and say I needed to import the SSL cert!! It would recommend i rebooted the configuration server of vRO which I would do, but that did not help.

After fruitless troubleshooting it dawned on my there are many services running on my PSC, so likely there are multiple certs. Then, duh… I need to put in the correct port number indicating the SSO service, so it gets that cert. So I tried:

https://psc-vmw-1.csgvmw.local:7444

Bingo! The cert imports looking like this:

ssocorrect

Note the common name: ssoserver. That looks better! I then restarted the configuration server service (which seems like you have to always do when adding a new cert). And SSO registered!

Well…I got further. Here comes issue number two. This one was a bit easier to figure out though.

So I got past the SSL thing, but it would now fail upon SSO registration because the vsphere.local tenant doesn’t exist.

registerfailed

I don’t use the default vsphere.local tenant, instead made it pure.vmw. So basically you have to click advanced settings and change some things.

If you look at token and admin service URL, you can see the URLs end with vsphere.local

wrongtenant

Change them to your custom tenant and it should work.

righttenant

Finish the registration and choose your admins and test your logins! Works great.

workedlogin

So somewhat simple problems, but can easily be overlooked.

4 thoughts on “vRealize Orchestrator and vSphere 6 SSO Authentication”

  1. With SSO based authentication, is there any way we can know current vRO user identity (SAML token) inside vRO plugin code or plugin JavaScript?

    1. I am not entirely sure. Presumably. But I would recommend checking out the VMware Code site and posing this question there–someone there should know better than I

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.