VMware vSphere 6.7 Cookbook

You're reading from VMware vSphere 6.7 Cookbook: Practical recipes to deploy, configure, and manage VMware vSphere 6.7 components

Product type Paperback
Published in Aug 2019
Publisher
ISBN-13 9781789953008
Length 570 pages
Edition 4th Edition
Author (1): Abhilash G B

Configuring Single Sign-On (SSO) identity sources

An SSO identity source is a repository of users or groups. It can be the local OS, Active Directory, OpenLDAP, or VMDir. Adding an identity source allows you to assign vCenter permissions to users from that repository.

The VCSA Photon OS (local OS) and SSO domain (vsphere.local) are pre-recognized identity sources. However, when you try to add identity sources, you are allowed to add three different types:

  • Active Directory (Windows Integrated Authentication)
  • Active Directory over LDAP
  • Open LDAP

In this recipe, we will learn how to add an Active Directory identity source.

How to do it...

The following two-part procedure will allow you to join the PSC to Active Directory and add an Active Directory identity source.

Part 1 – Joining the PSC to Active Directory

Joining the PSC to Active Directory needs to be done only once during the life cycle of the PSC.

  1. Log in to the vCenter Server/PSC as the SSO administrator (administrator@vsphere.local).
  2. Use the Menu to navigate to Administration (Menu | Administration).
  3. On the Administration page, navigate to Single Sign On | Configuration | Active Directory Domain and click on JOIN AD.
  4. On the Join Active Directory Domain window, specify the name of the domain, OU (optional), and the credentials of a domain user that has permission to join the machine to the domain. Click Join.
  5. Once done, the host has to be rebooted for the changes to take effect.
  6. Once the reboot is complete, it should show the vCenter/PSC as joined to the domain.
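
The join from Part 1 can also be confirmed from the appliance shell after the reboot. The script below is an added example, not code from the book: it parses the output of `/opt/likewise/bin/domainjoin-cli query` and compares the joined domain with the one you expect. The function names, the `psc01` host, the `example.local` domain, and the assumed `Key = Value` output layout in the constructed samples are illustrative assumptions.

```shell
#!/bin/sh
# Added example: confirm the PSC/VCSA Active Directory join from the shell.
# Assumption: `domainjoin-cli query` prints "Key = Value" lines
# (Name, Domain, DistinguishedName). Both samples below are constructed.

SAMPLE_JOINED='Name = psc01
Domain = EXAMPLE.LOCAL
DistinguishedName = CN=PSC01,CN=Computers,DC=example,DC=local'

SAMPLE_NOT_JOINED='Name = psc01
Domain ='

# Print the value of one key from "Key = Value" text on stdin.
# The value is taken after the first "=", so DNs containing "=" survive.
query_field() {
    awk -F'=' -v key="$1" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }'
}

# Reads query output on stdin, prints a verdict, and returns:
#   0 = joined to the expected domain
#   1 = not joined (empty or missing Domain field)
#   2 = joined, but to a different domain than expected
check_ad_join() {
    expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    out=$(cat)
    domain=$(printf '%s\n' "$out" | query_field Domain | tr '[:upper:]' '[:lower:]')
    dn=$(printf '%s\n' "$out" | query_field DistinguishedName)
    if [ -z "$domain" ]; then
        echo "NOT_JOINED"; return 1
    fi
    if [ "$domain" != "$expected" ]; then
        echo "WRONG_DOMAIN $domain"; return 2
    fi
    echo "JOINED $domain $dn"
}

# On the appliance (run as root):
#   /opt/likewise/bin/domainjoin-cli query | check_ad_join example.local
```

The reported DistinguishedName also shows which OU the machine account landed in, which is worth checking when the optional OU field was used in step 4.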

Part 2 – Adding the identity source

Use the following process to add an identity source:

  1. Go to the Administration page, navigate to Single Sign On | Configuration | Identity Sources, and click on ADD IDENTITY SOURCE.
  2. On the Add Identity Source window, set the Identity Source Type to Active Directory (Windows Integrated Authentication). The Domain name will be prepopulated with the FQDN of the domain the PSC is joined to. Use the machine account to authenticate.
  3. Once done, the Active Directory domain will be listed among the other identity sources.

This completes the process of configuring SSO identity sources on a vCenter Server.

How it works...

VMware SSO is an authentication server that was made available starting with vSphere 5.1. With version 5.5, it was rearchitected so that it is simpler to plan and deploy, as well as easier to manage. With vSphere 6.0 and 6.5, it is embedded into the PSC.

SSO acts as an authentication gateway, which takes the authentication requests from various registered components and validates the credential pair against the identity sources that are added to the SSO server. The components are registered to the SSO server during their installation.

Once authenticated, the SSO clients are provided with a token for further exchanges. The advantage here is that the user or administrator of the client service is not prompted for a credential pair (username and password) every time it needs to authenticate.

SSO supports authenticating against the following identity sources:

  • Active Directory
  • Active Directory as an LDAP server
  • Open LDAP
  • Local OS

Here are some of the components that can be registered with the VMware SSO and leverage its functionality. These components, in SSO terms, are referred to as SSO clients:

  • VMware vCenter Server
  • VMware vCenter Orchestrator
  • VMware NSX
  • VMware vCloud Director
  • VMware vRealize Automation
  • VMware vSphere Web Client
  • VMware vSphere Data Protection
  • VMware log browser