After installing or upgrading to VMware Aria Operations for Logs 8.18, you can configure VMware Aria Operations for Logs for VMware Single Sign-On. When you configure VMware Single Sign-On, you use an external identity provider to sign in to VMware Aria Operations for Logs.

Note: After configuring VMware Single Sign-On for VMware Aria Operations for Logs, you can still log in to VMware Aria Operations for Logs with a local account or by using other configured authentication sources.

Prerequisites

  • Ensure that the External Identity Provider is configured in the vCenter Server. Currently, supported External Identity Providers for VMware SSO are Okta, Microsoft Entra ID (formerly called Azure AD) and PingFederate. For more information on configuring the vCenter Server Identity Provider, see Configuring vCenter Server Identity Provider Federation.
  • Verify that you are logged in to VMware Aria Operations for Logs as a Super Admin user, or as a user associated with a role that has the relevant permissions. For more information on user roles, see Create and Modify Roles.

Procedure

  1. Expand the main menu and navigate to Configuration > Authentication.
  2. Select VMware SSO and click the Edit icon.
  3. In the Host text box, enter the host identifier for the vCenter Server instance where the External Identity Provider is configured for federated authentication. For more information, see the Prerequisites.
    For example, my-vcenter-server.com.
  4. In the API Port text box, enter the single sign-on listening port. By default this is set to 443.
  5. The Tenant field shows customer, which is the default and the only supported value.
  6. In the Username and Password text boxes, enter the user name and password of the vCenter Server user account that can log in to the VMware SSO host machine.
    Note: The user must have the VcIdentityProviders.Manage permission assigned.
  7. Click Test Connection to verify that the connection works.
  8. If the vCenter Server instance provides an untrusted SSL certificate, a dialog box appears with the details of the certificate. Click Accept to add the certificate to the truststores of all the nodes in the VMware Aria Operations for Logs cluster.

    If you click Cancel, the certificate is not added to the truststores and the connection with the VMware Workspace ONE Access instance fails. You must accept the certificate for a successful connection.

  9. From the Redirect URL Host drop-down, select the hostname or IP address to be used in the Redirect URL for registering on VMware SSO.

    If even one virtual IP is defined for the Integrated Load Balancer, the default value will be auto-selected and will point to the virtual IP. If the Integrated Load Balancer is not configured, the primary node's IP address or hostname is used instead.

  10. Click Save.

    If you did not test the connection and the vCenter Server instance provides an untrusted certificate, follow the instructions in Step 8.
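
Before accepting an untrusted certificate in Step 8, you can confirm that the certificate the host presents on the API port is the one the vCenter Server administrator expects. The script below is an added example, not part of the product or of this documentation; the function names, the constructed sample bytes, and the expected SHA-256 fingerprint (assumed to be obtained from the vCenter Server administrator over a separate channel) are assumptions.

```python
import hashlib
import socket
import ssl
import string
import sys

# Constructed bytes standing in for a DER certificate (used for offline checks only).
SAMPLE_DER = b"constructed-bytes-standing-in-for-a-DER-certificate"

def normalize_fingerprint(text):
    """Keep hex digits only, so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return "".join(ch for ch in text if ch in string.hexdigits).upper()

def sha256_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_der_certificate(host, port=443, timeout=10):
    """Return the leaf certificate the server presents, without trusting it."""
    context = ssl.create_default_context()
    # Verification is disabled on purpose: the certificate is only read here so
    # that it can be compared; nothing is sent over this connection.
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def fingerprint_matches(der_bytes, expected):
    """True only if the certificate has the fingerprint obtained out-of-band."""
    actual = normalize_fingerprint(sha256_fingerprint(der_bytes))
    return actual == normalize_fingerprint(expected)

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check_cert.py HOST EXPECTED_SHA256 [PORT]")
    host, expected = sys.argv[1], sys.argv[2]   # e.g. my-vcenter-server.com
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443  # API Port from step 4
    der = fetch_der_certificate(host, port)
    print("Presented:", sha256_fingerprint(der))
    if not fingerprint_matches(der, expected):
        sys.exit("MISMATCH: do not accept the certificate")
    print("Match: presented certificate has the expected fingerprint")
```

Run it from a workstation that reaches the vCenter Server over the same network path as the VMware Aria Operations for Logs nodes, and accept the certificate only if the fingerprints match.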

What to do next

Give permissions to VMware SSO users and groups to access the current instance of VMware Aria Operations for Logs. You do this in the Users configuration page, by navigating to Management > Access Control.

When you log in to VMware Aria Operations for Logs using VMware SSO, you will be redirected to an external authentication page. Enter the credentials to log in to VMware Aria Operations for Logs.