You can use the vdmutil command-line interface to configure and enable or disable True SSO.

About this task

This procedure is required to be performed on only one connection server in the cluster.

Important:

This procedure uses only the commands necessary for enabling True SSO. For a list of all the configuration options available for managing True SSO configurations, and a description of each option, see Command-line Reference for Configuring True SSO.

Prerequisites

Procedure

  1. On a connection server in the cluster, open a command prompt and enter the command to add an enrollment server.
    vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server-fqdn

    The enrollment server is added to the global list.

  2. Enter the command to list the information for that enrollment server.
    vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn

    The output shows the forest name, whether the certificate for the enrollment server is valid, the name and details of the certificate template you can use, and the common name of the certificate authority. To configure which domains the enrollment server can connect to, you can use a Windows Registry setting on the enrollment server. The default is to connect to all trusting domains.

    Important:

    You will be required to specify the common name of the certificate authority in the next step.

  3. Enter the command to create a True SSO connector, which will hold the configuration information, and enable the connector.
    vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --certificateServer ca-common-name --mode enabled

    In this command, TrueSSO-template-name is the name of the template shown in the output for the previous step, and ca-common-name is the common name of the enterprise certificate authority shown in that output.

    The True SSO connector is enabled on a pool or cluster for the domain specified. To disable True SSO at the pool level, run vdmUtil --certsso --edit --connector <domain> --mode disabled. To disable true SSO for an individual virtual machine, you can use GPO (vdm_agent.adm).

  4. Enter the command to discover which SAML authenticators are available.
    vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator

    Authenticators are created when you configure SAML authentication between VMware Identity Manager and a connection server, using View Administrator.

    The output shows the name of the authenticator and shows whether True SSO is enabled.

    Important:

    You will be required to specify the authenticator name in the next step.

  5. Enter the command to enable the authenticator to use True SSO mode.
    vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}

    For --truessoMode, use ENABLED if you want True SSO to be used only if no password was supplied when the user logged in to VMware Identity Manager. In this case if a password was used and cached, the system will use the password. Set --truessoMode to ALWAYS if you want True SSO to be used even if a password was supplied when the user logged in to VMware Identity Manager.

What to do next

In View Administrator, verify the health status of the True SSO configuration. For more information, see Using the System Health Dashboard to Troubleshoot Issues Related to True SSO.

To configure advanced options, use Windows advanced settings on the appropriate system. See Advanced Configuration Settings for True SSO.