Allow me to introduce you to vCenter Single Sign-On 5.5

With the announcement at VMworld of the upcoming vSphere 5.5 release, one area that I have been greatly involved with (hence why I have been in stealth mode) has been the new and improved vCenter Single Sign-On. You may still ask “Why do we need it?” and “Why change something that wasn’t broken to begin with?”, but hang in there and let me highlight the changes and the benefits you will see as you begin to look at vCenter Server 5.5.

With the new release, we show that we heard you loud and clear! vCenter Single Sign-On 5.1 at release lacked some expected functionality (limited Active Directory integration), was complex to manage (SSL certificates), and lacked guidance on how best to deploy it. This is not to knock the current version shipped with vCenter Server 5.1 Update 1b, which is now a very stable platform to build on, with guidance available via a recent deployment whitepaper. vCenter Single Sign-On 5.5 tackles these challenges and now provides a rich and fully capable vSphere authentication experience with much of the complexity removed.

Architecture

vCenter Single Sign-On 5.5 has been rewritten from the ground up to provide the level of service expected from a VMware product. The new architecture is based on a multi-master model where each instance is automatically kept up to date with its peers via built-in replication. You can create sites to provide logical groupings of registered resources that may be geographically or organizationally separate, and there is support for multiple tenants.

Database
Well, that’s easy: we have removed the dependency on an external database completely. The multi-master architecture now provides the necessary storage for the vCenter Single Sign-On configuration as well as any embedded users and groups defined.

 

Certificates
While the same concept from vCenter Server 5.1 has been maintained in vCenter Server 5.5, the vCenter Certificate Automation tool has been updated to support vCenter Server 5.5. If you are required to update certificates, simply create or obtain the new certificates and the tool will update the various vCenter Server components for you.

 

Installation
We can all agree that we have banged our heads over the best way to deploy vCenter Single Sign-On. With vSphere 5.5, vCenter Single Sign-On now has a simple single deployment model where the only decision is based on placement: whether this is the first vCenter Single Sign-On deployment or an additional vCenter Single Sign-On deployment for an additional vCenter Server. Although we support the in-place upgrade of previous vCenter Single Sign-On 5.1 configurations, the updated architecture really benefits from being local to vCenter Server. The terminology of Single Sign-On High Availability and Multisite has now merged into the single deployment option.

 

Troubleshooting and Diagnostics
In vCenter Single Sign-On there was little to be said about support tools to aid with diagnosing issues and troubleshooting authentication. With the general release of vCenter Server 5.5 and vCenter Single Sign-On 5.5 we are supplying a suite of tools that allows you to view your entire vCenter Single Sign-On configuration and make changes when necessary.

For example, I may need to change the replication between many vCenter Single Sign-On instances or review the certificates used by vCenter Single Sign-On.

All of these advanced or one-time administration tasks are now possible with the tools being provided, but remember that typical day-to-day administration tasks are best handled by the vSphere Web Client 5.5. The best part of using these tools is that there is no longer a notion of the master password, which frustrated many with vCenter Single Sign-On 5.1; a vCenter Single Sign-On administrator has full functionality with no hidden extras.

 

I have plenty of great information to share with you on vCenter Single Sign-On, so stay tuned for updates.

 

42 thoughts on “Allow me to introduce you to vCenter Single Sign-On 5.5”

  1. The FluffyAdmin

    A very welcome change! We ran into the AD cross-forest limitation and have been waiting for an update. I am also very glad to see the database vanish. Preparing that database and the users (and the bizarre limitation that they could not be domain users and other constraints) was a real pain. So glad you have smoothed that all out. Looking forward to upgrading.

    Reply
  2. papavm

    Nice to hear about all the new features that are in the pipe. When can we see this in action? Looks good on paper. Would like to try the certificate automation tool.

    Reply
  3. John

    I am sorry, I disagree…. This is not a nice feature, and the one major feature that was left out was to OPT out of SSO to begin with. This is a pseudo AD implementation that is not needed in MOST environments. Why do I need to create a directory for security if I already have one that maintains my current environment? This is great if you have nothing to begin with or you are not a Windows shop. However, if I have AD implemented, why do I need to maintain, troubleshoot and figure out how or when to upgrade SSO? Most companies already have a security model, and VMware needed to integrate into it better for easier management within the vSphere product line. This just complicates the environment with NO benefit. VMware left out the biggest and best feature…. To not install it to begin with. I am a full VMware shop, but Hyper-V is looking better and better to me each time VMware comes out with something New and Great for me….

    Reply
    1. Justin King (Post author)

      Sorry John that you disagree. You’re welcome to your opinions, but I need to correct some of your facts. To be able to use technologies like AD we need to have a way to interact with vSphere, and SSO provides the necessary connectivity. This is not a replacement for AD or a directory of security; all SSO provides is the connectivity of users/groups from external identity sources like AD (yes, we do have customers with non-AD environments). Roles and permissions are controlled as they were before SSO, at the solution level. The improved architecture and installer are really simple, and we have removed all the complexity found with SSO 5.1 to where you no longer need to worry about the configuration or upgrade process.

      Reply
      1. Jeeves

        I think what John is trying to say is that AD was being used with vCenter Server prior to SSO. Not quite as flexible, but it worked fine. Web client could have used the same type of AD integration as vSphere client. At least as an installation option that the user can choose instead of a more sophisticated authentication architecture using SSO. It is always a good idea to give users choice rather than forcing. Anyway, it is history now. With streamlining of the installation process in 5.5, fewer people will complain about not having choice.

        Reply
  4. Dave

    Great to hear of all the new updates and ease of deployment. The next big question is when is it expected to be available to download so we can start labbing the product? Any ETAs?

    Reply
  5. Xterm

    Glad to see these changes coming. You will have to admit that SSO 5.1 was a real shame for VMware. A very confusing architecture and obscure tool relying on an external database it really did not need and with manual and cumbersome sync. It could be something technically good, but it was operationally useless. Unfortunately companies have mediocre people operating the systems every day; SSO was not up to them.

    Reply
  6. Orange

    Sorry Justin – I am with John. A feature that has caused us so much heartache we rolled back to 5.0 U2. I too am looking at Hyper-V as the new features of vSphere offer little but added complexity for minimal gain.

    Reply
  7. VMAdmin

    What sort of time frame are we looking at for this to become available? Days, weeks, months? I have projects that need to begin and at the moment I have to either wait for this or go with Hyper-V; we have both but the new VMware setup is not yet ready. If this is coming soon I can convince people to hang on; if not, then Hyper-V it is.

    Reply
  8. papavm

    I completely agree with a couple of the comments above. There should have been an option to opt out of SSO. We are happily running 5.0U2 and decided not to upgrade to 5.1 just from reading about the nightmare of SSO 5.1. Glad that we decided not to upgrade. In a shop where only vCenter is in use, SSO doesn’t add any functionality, just the headache of managing one more piece of software. Yes, we are investigating Hyper-V as well.

    Reply
  9. Seamus OBrien

    I have had loads of issues with SSO especially when I have tried to replace the certs with external ones. The instructions are complex and the issues I am facing make me look stupid in front of my clients. The cert automation tool did not work. I will never understand why sso was not made an optional install.

    Reply
  10. Pingback: Welcome to vSphere-land! » vSphere 5.5 Link-O-Rama

        1. March

          Windy,
          If you’re in a rush to make a decision, I don’t know why you have a decision to make.
          Hyper-V is cheaper, and MS will always find ways to improve it to the point where it comes close to vSphere. If the feature set of Hyper-V satisfies your requirements, then sure, maybe Hyper-V is right for you.
          But you better look very hard at the features you need. There’s a reason that vSphere is the leader. It costs more, but there’s a million reasons that companies choose it over Hyper-V.

          Also, I don’t quite understand all the gripe about SSO. I upgraded our infrastructure from 4.1->5 then 5->5.1, and SSO was annoying, but it has forward-thinking that is key to it. Not like SSO is some enormous component that is unwieldy or something…

          Reply
  11. Scott Gottesman

    I know everyone is asking like little kids going to Disney World “when when when” is the product being released. I would like to know when the manual and design white papers are going to be released. Before I even think of doing the actual installation, we need to better understand the design requirements. Once bit, twice shy.

    Reply
  12. Matt R

    Great to see a rebuilt SSO for vCenter 5.5. The SSO service with 5.1 should not have been released for primetime and was the sole reason we never used 5.1 outside of a test environment.

    Reply
  13. Mordock

    Is there documentation anywhere on doing a scripted install of SSO 5.5? I was able to get the beta/RC to install using the .exe. But the .exe is not in the RTM version, only an .msi, and it does not seem to work the same as the earlier .exe file. It seems to be failing with a 1920 error starting the VMWareDirectoryService, starting the rollback, and then finally errors out with a 1603 error.

    It does seem strange that every other component of vCenter 5.5 is installed with an exe, but SSO only has an .msi file on the distribution CD.

    Reply
    1. Mordock

      Finally determined that every one of the 7 apps in the prerequisites folder within the Single Sign-on folder have to be installed individually before doing the .msi install of Single Sign-on. The .exe in the beta/RC did these for you as does the GUI based install. Never a dull moment.

      Now if only someone would tell me how to script adding the identity source to the domain and I will be a happy camper. The VMware FAQ says you can’t script Identity Sources. Somehow I don’t believe that. I can’t see them adding them manually after every daily build during development of the products. I am almost ready to start reverse engineering their Java code to figure it out.

      Reply
        1. Mordock

          Your email address isn’t here, so I had to guess. I also sent you a friend request with my email from LinkedIn. David

          Reply
  14. Ron

    So far so good. I still have a gripe about the GUI configuration interface, regarding the AD Authentication tab. It would be a simple thing to add some verbiage on this tab to say that you are joining the appliance to AD. Thus if you have policies like we do that require computer objects to be created first prior to joining, you’ll tear less hair.

    Reply
  17. forbsy

    Hi. Am I able to change the SSO deployment mode post install? I recently installed vCenter Server 5.5 at two sites. I installed each site with the vCenter SSO for your First Site deployment option.

    I’ve since learned that I will be deploying SRM between these 2 sites. I would like to change the SSO deployment model on my secondary site to vCenter SSO for an additional vCenter Server with a new Site option. Is this possible? How do I go about that?

    Thanks

    Reply
  19. Mark

    Where can I find the SSO Diagnostic & Troubleshooting Tools? 5.5 has been out for months and I have been searching and only find mentions that they are great (or will be great) but can’t find the download for them.

    Reply
