vRealize Operations

David Davis on vRealize Operations – Post #28 – Configuring Single Sign On (SSO) in vRealize Operations (vROps)

There are some of you out there that always login to vSphere using root or admin (you know who you are). Most of those people are the same who always login to vRealize Operations using the superuser “admin” account. This is a shame because it’s so easy to configure single sign on (SSO) with vRealize Operations (vROps). The benefit of SSO is that any login that you can use to login to the vSphere web client will also allow you to login to vROps. Even better is that, once you login to the vSphere Web Client you can use vROps without any authentication whatsoever! This is a huge convenience.

Prerequisites for Configuring Single Sign On (SSO) in vRealize Operations (vROps)

To configure SSO in vROps, let’s first talk about the prerequisites. These steps assume that you already have vSphere, vCenter, and vRealize Operations Manager installed and configured. These steps are also based on vRealize Operations 6.2. Finally, make sure that the time on your vROps server is sync’ed with the time on your vCenter server. Of course, NTP was the best way to do this. Configuring NTP in vROps is easy. Just go into Administration -> Cluster Management and, on the Actions menu, click on network time protocol (NTP).


Figure 1

Then click on Add to add your NTP server.


Figure 2

Also make sure that you have DNS configured for your vCenter server and vROps server. If you don’t have DNS properly configured you’ll get the error “failed to retrieve single sign on SSL certificates, the host or port is not reachable”.

Finally, watch carefully the version, update, and patch levels of your vCenter server and your vROps server. I recommend the latest version of both of them.

I had a problem where my vCenter server (for Windows) was a slightly older patch level than my vROps server. I did a fresh install of vRealize Operations 6.2.1 build 3774215 and VMware vCenter Server Appliance (vCSA) 6.0.0 build 3634788. Prior to the use of these versions / builds, I was getting the error “authentication failed: auth exception occurred: java.net unknownhostexception: vCenter company.pri: unknown error” when trying to add vCenter as a SAML authentication source for vROps. Certainly it was a very cryptic error and it’s still unclear if it was related to vCenter for Windows or the version of vCenter. In production installations, you wouldn’t want to have to do any fresh installations so if you encounter the same error (which I hope you don’t), I’d recommend contacting VMware support.

Steps for Configuring Single Sign On (SSO) in vRealize Operations (vROps)

Once you’ve met the prerequisites you can move on to configuring SSO. To configure SSO in vROps, go to Administration, Authentication Sources and click Add, as you see in Figure 3.


Figure 3

Note that under source type you can configure authentication to SSO SAML (likely pointing to vCenter), Windows Active Directory (AD), or Open LDAP.

I’d recommend configuring your vCenter server to us Windows AD authentication then configuring vROps to point to vCenter for SSO SAML authentication instead of configuring vROps to go to AD for authentication.

Enter a name for the authentication source (whatever you want), keep the default of SSO SAML for the source type. Then, enter the vCenter IP address or host name, username, and password.


Figure 4

Next, accept the certificate from vCenter.


Figure 5

Then, specify which groups you want to import.


Figure 6

Assign vROps roles to the user or groups that you are importing.


Figure 7

And your configuration should be complete!

Did I miss anything?

To test it, log out of vROps, as you can see in Figure 8.


Figure 8 

Then, simply go back to your vROps web page and, as login as you were already logged into the vSphere web client. This should work fine the first time, unless you see the error message like I got in Figure 9.


Figure 9

What this is telling us (in a roundabout way) is that you forgot to assign any roles to the admin user that you authorized from vCenter (you can see where I forgot it in Figure 7).

What it should look like is this, where you assign a vROps role to the vCenter user group-


Figure 10

That, of course, assumes that you are starting over from the beginning. If you want to just go in and add the role assignment, go to Access Control, then to the Roles tab and assign it from there.


Figure 11

Remember! The goal of this SSO configuration is that you never have to login to vROps again (during normal usage), as long as you are already logged into the vSphere Web Client. Mission accomplished!



3 comments have been added so far

  1. Hello

    This is a very good write up, but alas I can not get it to work in my environment. It seems to error out. I am at the login page with authentication source as local users. When I log in it fails with incorrect user name/password.

    If I change the drop down for authentication source to vcenter and log in with my account I get a redirect button and when I click it I get HTTP Status 500 internal processing error. Any ideas?


  2. Is it a one time login with administrator@vsphere.local for SSO configuration, or will this account be saved/used later?
    I don’t like using the “superuser”.
    I did try with another @vsphere.local user that had global admin persmissions, but that didn’t work; probably since that is for vCenter objects and not PSC/SSO. What permissions does a user need? I presume it’s enought to put it into one of the vpshere.local groups, but which?

Leave a Reply

Your email address will not be published. Required fields are marked *