Configuring external authentication
To use Orchestrator to its full potential, we should configure it with an external authentication provider.
Getting ready
We need an up-and-running Orchestrator and access to the Control Center (root account). See also the recipe Deploying the Orchestrator appliance in this chapter.
You should have an AD/LDAP group for your Orchestrator administrators with at least one user in it. I will use the AD group vroAdmins with its member vroAdmin, and my domain is called mylab.local. My PSC/SSO is on vcenter.mylab.local.
If you are using AD/LDAP, then you only need to know the LDAP paths (DNs) of your vroAdmin user and group.
If you are using SSO or vSphere (PSC), you should either have configured SSO to use AD or have created a local SSO group and user.
How to do it...
We are splitting the recipe into multiple parts, one for each authentication method.
vSphere (PSC) and vRealize Automation (vRA)
For both vSphere 6 and vRA7, the entry forms look alike and follow the same pattern. However, there are some really important considerations to take into account for both. Please see the How it works... section of this recipe.
To configure either vSphere (PSC) or vRealize Automation (vIDM), follow these steps:
- Open the Control Center and click on Configure Authentication Provider.
- Choose vSphere or vRealize Automation.
- Enter the host name of your vSphere PSC or vRA.
- After clicking on Connect, you may need to accept the SSL certificate.
- You are now asked to enter the User name and Password of an SSO administrator.
- Clicking on Configure licenses will automatically configure Orchestrator licensing with the vCenter license.
- Enter the default tenant of your SSO and click on Register:
- After the registration, you are asked for the admin group. Enter the name of your admin group (or the first letters, such as vro) and click on Search.
- Select your admin group from the drop-down menu, such as mylab.local\vroAdmins. In vRA, there is a preconfigured group called vsphere.local\vcoAdminis.
- Click on Save Changes and restart the Orchestrator service.
SSO (legacy)
If you are using vRO7 with vSphere 5.5 (Update 2 or later), you need to use the SSO configuration:
- Open the Control Center and click on Configure Authentication Provider.
- Choose SSO (legacy).
- Enter the following for Admin URL: https://vcenter.mylab.local:7444/sso-adminserver/sdk/vsphere.local
- Enter the following for STS URL: https://vcenter.mylab.local:7444/sts/STSService/vsphere.local
- Click on Save Changes.
- You will now need to accept the SSL certificate of your SSO server (not shown in the following picture).
- After you have accepted the certificate, you will be asked to enter an SSO admin account and its password, followed by the Default tenant, which is vsphere.local for all 5.5 systems.
- Click on Register.
- If everything is fine, you will now be asked to restart the Orchestrator service. However, we can ignore that for the moment:
- Now you need to choose the admin group. Enter the name of your admin group (or the first letters, such as vro) and click on Search.
- Select your admin group from the drop-down menu, such as mylab.local\vroAdmins. SSO 5.5 has a preconfigured Orchestrator group called [email protected].
- Click on Save Changes and restart the Orchestrator service again.
LDAP
Please note that LDAP authentication will be discontinued in future Orchestrator releases and should no longer be used. Furthermore, with LDAP, Orchestrator cannot use all of its features.
If you are using LDAP, you can choose from the In-process LDAP (ApacheDS), the built-in LDAP, Active Directory, or OpenLDAP.
Please note that LDAP entries are case sensitive. To configure Orchestrator with Active Directory, follow these steps:
- Open the Control Center and click on Configure Authentication Provider.
- Choose LDAP and then Active Directory.
- Enter the domain name of your AD and set the port to 389.
- As root, enter your domain in LDAP notation: dc=mylab,dc=local.
- Enter the username in LDAP notation and then the password. Be mindful that in AD, the Users folder is not an OU but a CN, so the user DN is cn=vroAdmin,cn=Users,dc=mylab,dc=local.
- It is easiest to set the user and group lookup base to the root of your domain, for example, dc=mylab,dc=local. However, if your AD or LDAP is large, it might be better performance-wise to choose a different root.
- Enter the Orchestrator admin group in LDAP notation: cn=vroAdmins,cn=Users,dc=mylab,dc=local.
- Click on Save Changes.
- If everything is fine, you will be asked to restart the Orchestrator service.
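Before typing the DNs into the Active Directory form, it helps to confirm that the user and group paths are spelled exactly as the directory stores them, since, as the recipe notes, LDAP entries are case sensitive. The following Python script is an added example and is not part of the recipe or of Orchestrator: it builds the base DN from the domain name, composes DNs under AD's default cn=Users container (a CN, not an OU), and checks a constructed LDIF dump of the vroAdmins group (the kind of output ldapsearch produces; the entries are made up for this example) for the vroAdmin member, flagging a DN that differs only in letter case.

```python
"""Sanity-check LDAP DNs before entering them into Orchestrator's LDAP form.

Added example, not code from the recipe or from VMware. The LDIF sample below is
constructed to look like an ldapsearch dump of the admin group; the function and
attribute names are the author's own, not an Orchestrator API.
"""
import re
from typing import Dict, List, Optional


def domain_to_base_dn(domain: str) -> str:
    """Turn a DNS domain name into its LDAP base DN: mylab.local -> dc=mylab,dc=local."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def escape_rdn_value(value: str) -> str:
    """Escape the RFC 4514 special characters in an RDN attribute value."""
    special = ',+"\\<>;'
    out = "".join("\\" + c if c in special else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def users_container_dn(name: str, domain: str) -> str:
    """DN of an object in AD's default Users container, which is a CN, not an OU."""
    return f"cn={escape_rdn_value(name)},cn=Users,{domain_to_base_dn(domain)}"


def parse_ldif_members(ldif: str) -> Dict[str, List[str]]:
    """Return {group DN: [member DNs]} from an LDIF dump.

    LDIF folds long values onto continuation lines that start with one space;
    those are joined back before parsing. Base64 ("dn:: ") values are not handled.
    """
    unfolded = re.sub(r"\n ", "", ldif)
    groups: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in unfolded.splitlines():
        if line.startswith("dn: "):
            current = line[4:].strip()
            groups[current] = []
        elif line.startswith("member: ") and current is not None:
            groups[current].append(line[8:].strip())
    return groups


def is_member(ldif: str, group_dn: str, user_dn: str) -> bool:
    """Exact, case-sensitive membership check, mirroring how the form treats entries."""
    return user_dn in parse_ldif_members(ldif).get(group_dn, [])


def find_case_mismatch(ldif: str, group_dn: str, user_dn: str) -> Optional[str]:
    """If the user is a member but only when ignoring case, return the stored DN."""
    for stored in parse_ldif_members(ldif).get(group_dn, []):
        if stored != user_dn and stored.lower() == user_dn.lower():
            return stored
    return None


# Constructed sample: what an ldapsearch of the admin group might return.
SAMPLE_LDIF = """\
dn: cn=vroAdmins,cn=Users,dc=mylab,dc=local
objectClass: group
cn: vroAdmins
member: cn=vroAdmin,cn=Users,dc=mylab,dc=local
member: cn=Service Account,ou=Serv
 ice Accounts,dc=mylab,dc=local
"""

if __name__ == "__main__":
    group = users_container_dn("vroAdmins", "mylab.local")
    user = users_container_dn("vroAdmin", "mylab.local")
    print("group DN:", group)
    print("user DN: ", user)
    print("member:  ", is_member(SAMPLE_LDIF, group, user))
    typed = "CN=vroAdmin,CN=Users,DC=mylab,DC=local"
    print("typed with wrong case:", is_member(SAMPLE_LDIF, group, typed),
          "-> stored as", find_case_mismatch(SAMPLE_LDIF, group, typed))
```

Run against a real dump, the script tells you whether the DN you are about to enter matches the directory byte for byte; a case-only mismatch is the usual reason an otherwise correct group DN leaves the user without administrative rights.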
How it works...
Configuring Orchestrator to work with an external authentication provider enables AD users to log in to the Orchestrator Client. The alternatives would be either to have only one user use it or to add users to the embedded LDAP. However, for a production Orchestrator, the embedded LDAP solution is not viable.
PSC/vIDM/SSO is a highly integrated part of vSphere; it can proxy multiple AD and/or LDAP domains and lets you integrate Orchestrator directly into vCenter as well as into other pieces of VMware's software offerings.
If you are using vSphere or vRealize Automation authentication, you have the additional benefit of having Orchestrator licensed automatically. If you are using LDAP or SSO, you have to assign a license to Orchestrator yourself.
When using SSO or vSphere, Orchestrator registers with SSO as a Solution User with the prefix vCO.
vRealize Automation and vSphere Authentication
The entry forms look the same; however, they are not. vSphere uses SSO and vRA 7 uses vIDM, and those are very different beasts indeed.
When you register Orchestrator with vRealize Automation, or you use the vRA embedded Orchestrator, you will not be able to use a per-user session with vCenter, as the SSO token and the vIDM token are incompatible at this time. I have been informed that the vRA embedded Orchestrator version will not be able to use the PSC configuration anymore. The best way to solve this is to use a secondary Orchestrator.
Test login
With the test login, you can check whether you can log on to Orchestrator using the Control Center:
If you get a reply in yellow saying Warning: The user does not have administrative rights in vRealize Orchestrator. Login to the Orchestrator client depends on the user view permissions, it means that Orchestrator has found the user, but the user is not a member of the Orchestrator admin group. See also the recipe User management in Chapter 7, Interacting with Orchestrator.
Internal LDAP
The internal LDAP has the following preconfigured entries:
Username | Password | Group membership
The LDAP installation is protected so that only local access to it is allowed. Using the internal LDAP is not recommended at all.
There's more...
Changing the Authentication Provider is quite easy. If you chose LDAP and now want to change it to something else, just select the new provider.
If you chose vSphere SSO or vRealize Automation, you need to unregister the existing Authentication Provider first. To do this, follow these steps:
- Open the Control Center and click on Configure Authentication Provider.
- Click on Unregister, then enter the SSO admin's password and click on Unregister.
- Now you can select another authentication mode.
See also
The recipes in Chapter 11, Additional Plugins, describe which authentication method is preferable for the plugins discussed there.