Setting Up Single Sign-On for CCI

As a VMware Aria Automation administrator, you must configure CCI Supervisor Service Single Sign-On (SSO) authentication before enabling CCI for your users.

CCI single sign-on requires users to use a local Active Directory that has been federated to vCenters and VMware Aria Automation. Federating the Active Directory domain supports maintaining user identity during Supervisor Namespace and IaaS services, UI or command line operations.

Users access CCI services and resources through a dedicated Kubernetes proxy to allow a single sign-on flow that maintains user identity as the proxy accesses the vCenter Kubernetes APIs. The Automation Service Broker user service role and project member role would then include the necessary privileges to access the provisioned Supervisor namespaces as an SSO user.

Before configuring SSO:

Verify that your infrastructure includes the following:
- VMware Cloud Foundation (VCF) SDDC Manager 5.1.1 or later
- vCenter 8.0U2 or later
Download the following files needed to set up CCI Supervisor Single Sign-On (SSO) on a Supervisor Cluster:
- Service definition YAML file cci-supervisor-service.ymlavailable from https://tinyurl.com/ycy4b8yw.
- Python script: service_config_from_automation.py available from https://tinyurl.com/389xawm3.

Registering the Consumption Interface Service with Supervisors in vCenter

Consumption Interface Service 1.0.0 is a supervisor service that contains the following components:

Cloud Consumption Interface SSO Component. Required to support CCI end-to-end SSO communication in Aria Automation.
Local Consumption Interface Component. UI Interface in the vSphere Client that requires vSphere 8.0 U3 or higher. See https://vsphere-tmm.github.io/Supervisor-Services/#consumption-interface.

To install the Consumption Interface service on Supervisors, you must add the Consumption Interface service as a Supervisor Service by uploading its service definition YAML file, then registering the Consumption Interface service on the supervisor as described in the following steps:

Log in to the vCenter.
Under Workload Management, select the Services tab.
For the vCenter, select the vCenter that is managing the Supervisor Cluster where you are installing the CCI single sign-on service that you are planning to integrate with VMware Aria Automation.
On the Add New Service tile, click the Add button.
On the Register Service page that appears, click the Upload button and specify the YAML file.
When the YAML file details appear, verify the Service Details and click Finish.

After a few minutes, a new tile for the Supervisor Service named Consumption Interface appears. You can select actions on the tile to edit the service or install the service on supervisors. Workload Management with Consumption Interface tile

Installing the Consumption Interface service on Supervisor

You must install the Consumption Interface service on all supervisors that are part of the vCenter cloud accounts that you will add to VMware Aria Automation, which includes every supervisor added to a CCI region. Perform the following steps to install the Consumption Interface service on Supervisors:

To extract the idpConfig YAML payload from the VMware Aria Automation appliance, run the service_config_from_automation.py Python script against the VMware Aria Automation FQDN.

The following code sample shows the command and output from the run.

$ service_config_from_automation.py cava-6-001-163.eng.vmware.com
 
idpConfig: |
  {"issuer_url": "http://identity-service.prelude.svc.cluster.local:8000", "keyset": {"keys": [{"kty": "RSA", "kid": "2310570888464251322", "use": "sig", "n": "wra13Nca99mlsUtfoIeEEB7fsnMGZOiWEgalfySBCon89wM_dw1nxTmvPMFGBMUB83kp0h3e9qhs3Dc7F6UnwaGVN1cg4utZ5UtTG8paa-unWFOd8vSuYIBFonv7M5nCDH_qkURdEGkcC9TCrMSittUU117yL37z395fP5DDzvjjkGifJpAX9e1WopnKLtiAN8NT4K1GkfQu8Pv9GKvNii0732AXVkJujGGq7gpwXY8hVMlQnJ4OYvqrFpiJ5vRTQ6O8ouPYCj4g6vcV5jk3i5_ShXQORJuIy3MRVkpJGRIzLYsLqNe5oH7yHm83OERnq97nOy_juo_kuGc1iy-8lw", "e": "AQAB"}]}}

This YAML serves as input when installing Consumption Interface. Copy and save the output from the script to use later.

On the Consumption Interface tile, click Actions > Manage Service.
The service installation dialog appears.
1. Select the desired supervisors on which you want to install the Consumption Interface service. The service must be installed on any Supervisor that is to be used with CCI.
  Click Next.
2. Paste the YAML output that you saved into the YAML Service Config (optional) text area.
  Click Finish to begin installation.
Installation should complete within a few minutes.
After a successful installation, check the Consumption Interface tile under the Workload Management Services tab. The count on the Supervisors button shows an increase.
Click the Supervisors button to verify the installation.
(Optional) To check if the CCI service is running by logging into the vCenter, perform the following steps:
- From the list of namespaces, select the namespace with svc-cci...domain... in the name.
- Click the Compute tab, and under Core Kubernetes, select vSphere Pods.
- Under vSphere Pods, check to see if the CCI service is running.