As a VMware Aria Automation administrator, you must configure CCI Supervisor Service Single Sign-On (SSO) authentication before enabling CCI for your users.

CCI single sign-on requires users to use a local Active Directory that has been federated to vCenters and VMware Aria Automation. Federating the Active Directory domain maintains user identity during Supervisor Namespace and IaaS service operations, whether they are performed from the UI or the command line.

Users access CCI services and resources through a dedicated Kubernetes proxy, which allows a single sign-on flow that maintains user identity as the proxy accesses the vCenter Kubernetes APIs. The Automation Service Broker user service role and project member role then include the privileges needed to access the provisioned Supervisor namespaces as an SSO user.

Before configuring SSO:
  • Verify that your infrastructure includes the following:
    • VMware Cloud Foundation (VCF) SDDC Manager 5.1.1
    • vCenter 8.0U2
  • Download the following files needed to set up CCI Supervisor Single Sign-On (SSO) on a Supervisor Cluster:
  • Verify that Workspace ONE Access uses userPrincipalName as the directory search attribute.

Registering the CCI service with vCenter

Before you can install the CCI service on Supervisors, you must add the CCI service as a Supervisor Service. You upload the service definition YAML file and register the CCI service with vCenter.

  1. Log in to the vCenter.
  2. Under Workload Management, select the Services tab.
  3. For the vCenter, select the one that manages the Supervisor Cluster on which you are installing the CCI single sign-on service that you plan to integrate with VMware Aria Automation.
  4. On the Add New Service tile, click the Add button.
  5. On the Register Service page that appears, click the Upload button and specify the YAML file.
  6. When the YAML file details appear, verify the Service Details and click Finish.

After a few minutes, a new tile for the Supervisor Service named CCI Service appears.

Installing the CCI service on Supervisor

You must install the CCI service on all Supervisors that are part of the vCenter cloud accounts that you will add to VMware Aria Automation. Perform the following steps to install the CCI service on Supervisors:

  1. To extract the idpConfig YAML payload from the VMware Aria Automation appliance, run the service_config_from_automation.py Python script against the VMware Aria Automation FQDN.

    The following code sample shows the command and output from the run.

    $ service_config_from_automation.py cava-n-81-091.eng.vmware.com
     
    idpConfig: |
      {"issuer_url": "http://identity-service.prelude.svc.cluster.local:8000", "keyset": {"keys": [{"kty": "RSA", "kid": "2012508753258651971", "use": "sig", "n": "nl8UIBQghopFuObcSYMoEpr-26U75rl1Z9EJwqq8qEnX-NW61So5gmoJvOdAhKdIgfIPGn3dlvXLwN04cqZFYfc5mXunXzjdfimXn8p6MhUirDzmZysYXQXiLDnozkTdJMp2M1xLwkCGfECO5KXTkRSRJZMDDoTKM_K63dVUMPncgRRV0BXHP8HFSzhWKOjqpqAjIg4jfe0IloXCQlsbXZYVL3VLmBVb52XzbjLZkzbHy7VEkft8ixlzKH4vg5hKwqlqm4NlaD0mvKLHTWYcZowY2JX9HDqTykkp2asbTU9TXMmStgnLpWEHtuZYdqib2kmb9IIoqZC7V4Mk22MDfQ", "e": "AQAB"}]}}

    This YAML serves as input when installing CCI Service. Copy and save the output from the script to use later.

  2. On the CCI Service tile, click Actions > Install on Supervisors.

  3. The CCI service installation dialog appears.
    1. If you have multiple Supervisors, select the ones on which you want to install CCI. The service must be installed on any Supervisor that is to be used with CCI.
    2. Paste the YAML output that you saved into the YAML Service Config (optional) text area.
    3. Click OK to begin installation.

    Installation should complete within a few minutes.

  4. After a successful installation, check the CCI Service tile under the Workload Management Services tab. The count on the Supervisors button shows an increase.

  5. Click the Supervisors button to verify the installation.
  6. (Optional) To check whether the CCI service is running, log in to the vCenter and perform the following steps:
    • From the list of namespaces, select the namespace with svc-cci...domain... in the name.
    • Click the Compute tab, and under Core Kubernetes, select vSphere Pods.
    • Under vSphere Pods, check to see if the CCI service is running.
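
A pre-install check for the idpConfig output saved in step 1 of the installation procedure, as an added example that is not part of VMware's tooling: it confirms that the block parses, that the keyset carries only public RSA signing keys, and that each modulus meets a minimum length. It assumes the saved text has the form shown in the sample output above; the function names, the constructed sample values and the 2048-bit floor are choices made for this example.

```python
import base64
import json

PRIVATE_RSA_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}  # RFC 7518 private parts

def b64url_to_int(value):
    """Decode an unpadded base64url JWK member into an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def check_idp_config(text, min_bits=2048):
    """Return the problems found in saved idpConfig output (empty list = OK)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].strip() != "idpConfig: |":
        return ["first line is not 'idpConfig: |'"]
    try:
        config = json.loads("".join(ln.strip() for ln in lines[1:]))
        issuer, keys = config["issuer_url"], config["keyset"]["keys"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"body is not JSON with issuer_url and keyset.keys: {exc!r}"]
    problems = []
    if not str(issuer).startswith(("http://", "https://")):
        problems.append("issuer_url is not an http(s) URL")
    if not isinstance(keys, list) or not keys:
        return problems + ["keyset.keys is missing or empty"]
    for i, key in enumerate(keys):
        if not isinstance(key, dict) or key.get("kty") != "RSA" or key.get("use") != "sig":
            problems.append(f"key {i}: expected an RSA key with use=sig")
            continue
        leaked = PRIVATE_RSA_MEMBERS & key.keys()
        if leaked:  # the keyset should only ever contain verification (public) keys
            problems.append(f"key {i}: private members present: {sorted(leaked)}")
        try:
            bits = b64url_to_int(key["n"]).bit_length()
            b64url_to_int(key["e"])
        except (KeyError, TypeError, ValueError):
            problems.append(f"key {i}: n/e missing or not base64url")
            continue
        if bits < min_bits:
            problems.append(f"key {i}: modulus is {bits} bits, below {min_bits}")
    return problems

def constructed_sample(modulus_bytes=256, extra=None):
    """Constructed input shaped like the sample output; the modulus is filler, not a real key."""
    n = base64.urlsafe_b64encode(b"\xc3" * modulus_bytes).rstrip(b"=").decode()
    key = {"kty": "RSA", "kid": "constructed", "use": "sig", "n": n, "e": "AQAB", **(extra or {})}
    body = {"issuer_url": "http://identity.example.invalid:8000", "keyset": {"keys": [key]}}
    return "idpConfig: |\n  " + json.dumps(body) + "\n"
```

Run `check_idp_config` on the text you saved before pasting it into the YAML Service Config text area; an empty list means the payload passed every check.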