VMware vSphere 5.5 Cookbook

Adding an additional Identity Source to the SSO server

An identity source is simply a repository of users and groups. It can be the local operating system's user database, Active Directory, OpenLDAP, or the VMDir source.

Note

Here, VMDir is short for VM Directory which is SSO's LDAP-based internal directory that stores identity sources, SSO users, and policies. It is the source of truth for the vsphere.local domain.

Read the Upgrading the Single Sign-On (SSO) component recipe in Chapter 1, Upgrading to vSphere 5.5, for more information.

In this section, we will learn how to add identity sources to the SSO server.

How to do it…

The following procedure will guide you through the steps required to add Identity Sources to the SSO server:

  1. Use vSphere Web Client to connect to vCenter Server. The URL will use the following syntax:
    https://<IP Address or FQDN>:9443/vsphere-client

    Here are a few examples:

    https://localhost:9443/vsphere-client
    https://vcenterhost001.vdescribed.lab:9443/vsphere-client
  2. Log in using the default SSO administrator and its domain (administrator@vsphere.local).
  3. Click on Administration in the left pane to bring up the Administration page.
  4. Click on Configuration in the left pane and go to the Identity Sources tab.

    The Identity Sources tab shows the current identity sources, with Local OS present by default. Local OS is the source for the local Windows users of the machine where SSO is installed.
  5. Click on the + icon to bring up the Add identity source window.
  6. Select an identity source type. The inputs required vary with the type selected. In this case, we have selected Active Directory as an LDAP Server; we supply the details requested and click Test Connection to verify whether a connection can be established with the details provided.

    The sample input set for the domain vdescribed.lab uses the domain user domuser, which is a member of the AD groups Domain Users and Read-only Domain Controllers.
  7. If the test succeeds, you should see a message confirming this. Click on OK to close the message and return to the Add identity source window.
  8. In the Add identity source window, click on OK to add the identity source. Once added, the new identity source is listed in the Identity Sources tab.

How it works…

Once the identity source is added, authentication requests can be processed against it, and the Secure Token Service (STS) issues tokens for the users it authenticates.

When you try to add an identity source, you are presented with the following identity source types:

  • Active Directory (Integrated Windows Authentication): This can be used when your Active Directory is in Native mode. With this identity source type selected, you can either use the current local machine account as the Service Principal Name (SPN) or specify a different SPN. For more information, refer to the VMware Knowledge Base article KB#2058298 at http://kb.vmware.com/kb/2058298.
  • Active Directory as an LDAP server: This is primarily used for backward compatibility.
  • OpenLDAP: This is used when you have an OpenLDAP-based directory service in your environment.
  • Local OS: This is the source for local operating system users on the machine where SSO is installed (not the vCenter Server machine).