
How to deploy SSO in a multisite configuration

For those of you administering multiple vSphere environments, getting an SSO multisite deployment up and running in a correct configuration is very important. In a multisite deployment, each remote site runs its own vCenter Single Sign-On instance that holds a local replica of the primary instance's configuration. Setting this up is not complicated, but it is possible to take a wrong turn and waste a whole lot of time correcting it. That is why we have created a best-practice Knowledge Base article titled Multisite Single Sign-On deployment best practices (2042849). We highly recommend you look at the examples in that article.

We’ve written extensively in this blog about SSO in the past. You can see all the other posts on the topic here: http://blogs.vmware.com/kb/tag/sso

If you are still at the point where you are asking yourself "What is SSO, and why do I care?", we recommend you start with this great introduction from Justin King: vCenter Single Sign-On Part 1: what is vCenter Single Sign-On?

Comments


  1. Hi, thanks for this. This is something that has always confused me, the need to export the data from one SSO multisite to the other – Even logged a call about it 🙂
    I know the KB explains how to do it but I guess my question is why do you need to do it? I am sure I am missing an obvious point but even after the call the conclusion seemed to be there was no need to do this. For example, if I export my settings from SSOA to SSOB, and I am using Linked Mode, what happens if I don't? As I understand, and I could be wrong, the data includes information like identity source setup so what if this is different for Site B (more local DCs in the definition)? I would really appreciate it if you could educate me further on this.

    Regards

    1. Hello PG,

      It is necessary to do the manual replication between SSO nodes in a Multisite deployment regardless if Linked Mode is in use or not.

      When exporting and importing SSO data there are numerous configuration settings that get replicated. The one that is most visible is the SSO “Application Users”, also called “Solution Users”. A default install of vCenter Server 5.1 will have four “Application Users” associated with SSO. They are:

      Inventory Service
      WebClient
      vCenter Service
      vCenter Orchestrator

      You can see these users by:

      1. Logging into the vSphere WebClient using an admin account (admin@System-Domain) for SSO.

      2. Click on Administration.

      3. Click SSO users and groups.

      4. Select the “Application Users” tab.

      This will list the “Application Users” associated with a particular SSO node.

      In a Multisite deployment of SSO it is important to have all the “Application Users” from each SSO node present in all SSO nodes.

      For example:

      In a two node default deployment, properly configured, we would expect to see a total of eight “Application Users” in both SSO nodes. Four from SSO-A and four from SSO-B.

      What this allows is for proper token creation to occur between the SSO nodes.

      For proper Linked Mode configurations either all vCenter Servers need to be registered with the same SSO node OR registered to different Multisite SSO nodes that have been properly configured.

      1. Hi, I had a chance to try this out and as you mention can clearly see the "extra" Solution Users being created as you pointed out so thanks. Just a few more things it would be nice to clarify –

        A. Does the multi-site setup create the user "trustedapp"?
        B. Will it be possible to suppress what is exported in the future, for example, do not overwrite Identity Sources as they may be localised?
        C. The KB seems to mention scenarios where you are creating a new SSO install so I just wanted to clarify, once the initial configuration is complete, what happens if I add another solution to an existing site. An example might be I have Site A / Site B and in the future I "register" a new VC with site B. After the install at site B would I simply export data from B and import at A?

        Thanks again
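The reply above states the invariant a correctly replicated multisite deployment has to satisfy: every SSO node lists the application users of every other node, so a two-node default deployment shows the same eight users on each node. The script below is an added example, not VMware tooling and not code from KB 2042849; it checks that invariant over per-node user lists and reports which export/import steps are still outstanding. The node names and application-user names are constructed for illustration (in practice you would transcribe them from the Application Users tab on each node), and the export/import itself is only simulated.

```python
"""Consistency check for SSO application (solution) users across the nodes
of a multisite vCenter Single Sign-On deployment.

Added example: this is not VMware tooling and not code from KB 2042849.
The node names and application-user names below are constructed.
"""


def parse_user_list(text):
    """Parse one-name-per-line text (e.g. transcribed from the
    "Application Users" tab of a node) into a set of user names.
    Blank lines and '#' comments are ignored."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line)
    return users


# Constructed sample.  Each vCenter Server 5.1 registers four application
# users with its SSO node (Inventory Service, WebClient, vCenter Service,
# vCenter Orchestrator).  SSO-A has already imported SSO-B's export; SSO-B
# has not yet imported SSO-A's, so it still lacks vcA's four users.
SSO_NODES = {
    "SSO-A": parse_user_list("""
        InventoryService-vcA
        WebClient-vcA
        vCenterService-vcA
        vCO-vcA
        InventoryService-vcB
        WebClient-vcB
        vCenterService-vcB
        vCO-vcB
    """),
    "SSO-B": parse_user_list("""
        InventoryService-vcB
        WebClient-vcB
        vCenterService-vcB
        vCO-vcB
    """),
}


def expected_users(nodes):
    """Union of application users over all nodes: what each node should hold."""
    return set().union(*nodes.values())


def missing_users(nodes):
    """Map node name -> application users that node lacks.
    A correctly replicated deployment yields an empty set for every node."""
    expected = expected_users(nodes)
    return {name: expected - users for name, users in nodes.items()}


def is_consistent(nodes):
    return all(not missing for missing in missing_users(nodes).values())


def replication_plan(nodes):
    """Outstanding export/import steps as (source_node, target_node, user):
    'user' must be exported from source_node and imported on target_node."""
    plan = []
    for target, missing in missing_users(nodes).items():
        for user in sorted(missing):
            source = next(name for name, users in nodes.items() if user in users)
            plan.append((source, target, user))
    return plan


def apply_plan(nodes, plan):
    """Simulate carrying out the plan (an import adds the user to the
    target node).  Returns a new mapping; the input is not modified."""
    result = {name: set(users) for name, users in nodes.items()}
    for _source, target, user in plan:
        result[target].add(user)
    return result


if __name__ == "__main__":
    for node, missing in missing_users(SSO_NODES).items():
        print(f"{node}: {len(SSO_NODES[node])} application users, "
              f"missing {len(missing)}")
    for source, target, user in replication_plan(SSO_NODES):
        print(f"  export {user!r} from {source}, import on {target}")
    fixed = apply_plan(SSO_NODES, replication_plan(SSO_NODES))
    print("consistent after import:", is_consistent(fixed))
```

Run it after each export/import round: an empty plan means every node carries every other node's application users, which for two nodes with one vCenter each is the eight-per-node state the reply describes. Registering a new vCenter with one site adds four users on that site's node and the plan will show them as outstanding on the other nodes until the next export/import.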
