New Open Source PowerCLI Module for managing vCenter Single Sign-On (SSO)

This blog post was originally shared on virtuallyghetto.com.

A few years back I had submitted a PowerCLI Feature Request (PCLI-44) via the public PowerCLI Ideas platform requesting for a PowerCLI module that would support vCenter Single Sign-On (SSO) Administrative functionality such as managing SSO Users, Groups, Password, Lockout Policy and Identity Sources.

This was one of the most popular Idea voted by the PowerCLI community, which also stressed the need for such functionality which I came across on a regular basis on some of the Automation I was writing. In the past, I have written numerous blog articles in working around this limitation as the vCenter SSO Admin APIs were not and leveraging Guest Operations API, one could still automate various SSO operations using the various SSO CLIs that is included within the vCenter Server Appliance (VCSA).

Today, I received a notification from the PowerCLI Ideas platform that this feature as “Shipped” and it looks like the PowerCLI team has just released an Open Source Module called VMware.vSphere.SsoAdmin that includes the following 12 cmdlets:

Add-ActiveDirectoryIdentitySource
Connect-SsoAdminServer
Disconnect-SsoAdminServer
Get-SsoGroup
Get-SsoLockoutPolicy
Get-SsoPasswordPolicy
Get-SsoPersonUser
Get-SsoTokenLifetime
New-SsoPersonUser
Remove-SsoPersonUser
Set-SsoLockoutPolicy
Set-SsoPasswordPolicy
Set-SsoPersonUser
Set-SsoTokenLifetime

To get started with the new PowerCLI SSO Module, take a look at the instructions below.

Pre-Req:

PowerShell 5.1 (or newer) + PowerCLI 12.0 Installed

Step 1 – Clone using git command-line or download the PowerCLI Example Repo to your local system

Step 2 – Change into the modules/VMware.vSphere.SsoAdmin directory and then import SSO module using:

Import-Module ./VMware.vSphere.SsoAdmin.psd1

1	Import-Module ./VMware.vSphere.SsoAdmin.psd1

Step 3 – Use the Connect-SsoAdminServer to connect to your vCenter Server. If you have a self-signed certificate, you will need to pass in the -SkipCertificateCheck parameter

Connect-SsoAdminServer -Server vcsa.primp-industries.com -User [email protected] -Password VMware1! -SkipCertificateCheck

Once connected, you can start using any of the SSO cmdlets, here is an example retrieving the SSO Password and Lockout Policies:

Get-SsoPasswordPolicy
Get-SsoLockoutPolicy

1 2	Get-SsoPasswordPolicy Get-SsoLockoutPolicy

Here is an example of creating a new SSO User and then r

New-SsoPersonUser -User lamw -Password 'MyStrongPa$$w0rd' -EmailAddress 'lamw@primp-industries.com' -FirstName 'William' -LastName 'Lam'
Get-SsoPersonUser -Name lamw -Domain vsphere.local
Remove-SsoPersonUser -User (Get-SsoPersonUser -Name lamw -Domain vsphere.local)

New-SsoPersonUser -User lamw -Password 'MyStrongPa$$w0rd' -EmailAddress '[email protected]' -FirstName 'William' -LastName 'Lam'

Get-SsoPersonUser -Name lamw -Domain vsphere.local

Remove-SsoPersonUser -User (Get-SsoPersonUser -Name lamw -Domain vsphere.local)

To disconnect from SSO endpoint, you will need to run the following command:

Disconnect-SsoAdminServer -Server $Global:DefaultSsoAdminServers[0]

1	Disconnect-SsoAdminServer -Server $Global:DefaultSsoAdminServers[0]

For detailed documentation on each cmdlet, simply use the Get-Help function and specify the name of the cmdlet to get more information. If you have been waiting for this functionality in PowerCLI, be sure to give this a try and hopefully with positive feedback, we may see this module as part of the official PowerCLI release in the future!

Related Articles

New Release - Power Actions 1.0

Managing VICredentials on PowerShell 7 using VMware.VISecret Module!

Managing vSphere Certificates with PowerCLI

New Release - PowerCLI 12.3

Use-Case: Execute PowerCLI Scripts as vSphere Alarm Actions using Script Runtime Service