SSO makes vSphere and NSX Data Center for vSphere more secure by allowing the various components to communicate with each other through a secure token exchange mechanism, instead of requiring each component to authenticate a user separately.

You can configure the lookup service on the NSX Manager and provide the SSO administrator credentials to register the NSX Management Service as an SSO user. Integrating the single sign-on (SSO) service with NSX Data Center for vSphere improves the security of user authentication for vCenter users and enables NSX Data Center for vSphere to authenticate users from other identity services such as AD, NIS, and LDAP. With SSO, NSX Data Center for vSphere supports authentication with Security Assertion Markup Language (SAML) tokens issued by a trusted source and presented in REST API calls. NSX Manager can also acquire SAML authentication tokens for use with other VMware solutions.

NSX Data Center for vSphere caches group information for SSO users. Changes to group memberships take up to 60 minutes to propagate from the identity provider (for example, Active Directory) to NSX Data Center for vSphere.

Prerequisites

  • To use SSO on NSX Manager, you must have vCenter Server 6.0 or later, and the single sign-on (SSO) authentication service must be installed on the vCenter Server. This requirement applies to embedded SSO; your deployment might instead use an external, centralized SSO server.

    For information about SSO services provided by vSphere, see the Platform Services Controller Administration documentation.

    Important: You must configure the NSX Manager appliance to use the same SSO configuration that is used on the associated vCenter Server system.
  • An NTP server must be specified so that the time on the SSO server and the time on NSX Manager are in sync.

    For example, the Time Settings page of the NSX Manager appliance shows the configured NTP server.

Procedure

  1. Log in to the NSX Manager virtual appliance.
    In a Web browser, navigate to the NSX Manager appliance GUI at https://<nsx-manager-ip> or https://<nsx-manager-hostname>, and log in as admin or with an account that has the Enterprise Administrator role.
  2. From the home page, click Manage Appliance Settings > NSX Management Service.
  3. Click Edit in the Lookup Service URL section.
  4. Enter the name or IP address of the host that has the lookup service.
  5. Enter the port number.

    If you are using vSphere 6.0 or later, enter port 443.

    The Lookup Service URL is displayed based on the specified host and port.
  6. Enter the SSO Administrator user name and password, and click OK.
    The certificate thumbprint of the SSO server is displayed.
  7. Check that the certificate thumbprint matches the certificate of the SSO server.

    If you installed a CA-signed certificate on the CA server, you are presented with the thumbprint of the CA-signed certificate. Otherwise, you are presented with a self-signed certificate.

  8. Confirm that the Lookup Service status is Connected.
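The thumbprint check in the procedure is what protects the registration against a spoofed or intercepted lookup service: a thumbprint that is accepted without comparing it to the certificate the SSO server really presents proves nothing. The following script is an added example, not VMware code or part of the NSX product, that fetches the leaf certificate from the lookup service host on port 443, computes its SHA-1 and SHA-256 fingerprints, and compares the SHA-1 value against the thumbprint NSX Manager displayed. It assumes (an assumption, not something this page states) that the displayed thumbprint is the SHA-1 hash of the DER-encoded leaf certificate in the colon-separated hex form that `openssl x509 -fingerprint` prints, and that the vCenter or Platform Services Controller host serves that certificate on port 443. The hostname, port and expected thumbprint are supplied on the command line; run it from a machine whose path to the SSO server you trust, not from the NSX Manager whose display you are trying to verify.

```python
"""Verify the SSO/lookup-service certificate thumbprint shown by NSX Manager.

Added example, not VMware code. Assumptions: the lookup service host
presents its certificate on TCP 443, and the thumbprint shown in the
NSX Manager GUI is the SHA-1 of the DER-encoded leaf certificate written
as colon-separated uppercase hex (the openssl x509 -fingerprint format).
"""
import hashlib
import hmac
import re
import socket
import ssl
import sys


def thumbprint_from_der(der_bytes: bytes, algorithm: str = "sha1") -> str:
    """Return a certificate fingerprint as colon-separated uppercase hex pairs."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Strip colons, spaces and other separators and upper-case the hex digits,
    so a value copied from the GUI, from openssl output, or from a ticket
    compares equal regardless of how it was formatted."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def thumbprints_match(shown: str, computed: str) -> bool:
    """Compare two thumbprints after normalization.

    An empty or non-hex input yields False rather than an exception, so a
    blank GUI field is treated as a mismatch instead of a silent pass."""
    a, b = normalize_thumbprint(shown), normalize_thumbprint(computed)
    if not a or not b:
        return False
    return hmac.compare_digest(a, b)


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the DER-encoded leaf certificate presented by the lookup service host.

    Chain verification is deliberately off: no trust decision has been made
    yet, and the goal is to obtain the certificate out-of-band, hash it, and
    compare the result to what NSX Manager displays."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_lookup_service_thumbprint(host: str, shown: str, port: int = 443) -> dict:
    """Return both fingerprints of the live certificate and whether the
    SHA-1 value matches the thumbprint NSX Manager showed."""
    der = fetch_leaf_der(host, port)
    sha1 = thumbprint_from_der(der, "sha1")
    return {
        "host": host,
        "sha1": sha1,
        "sha256": thumbprint_from_der(der, "sha256"),
        "matches": thumbprints_match(shown, sha1),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_sso_thumbprint.py <psc-or-vcenter-host> <thumbprint-shown-by-nsx-manager>")
    result = verify_lookup_service_thumbprint(sys.argv[1], sys.argv[2])
    print(f"host:    {result['host']}")
    print(f"sha1:    {result['sha1']}")
    print(f"sha256:  {result['sha256']}")
    print("MATCH" if result["matches"] else "MISMATCH: do not proceed with the registration")
    sys.exit(0 if result["matches"] else 1)
```

A non-zero exit on mismatch makes the check usable from a change-management pipeline. The SHA-256 fingerprint is printed alongside SHA-1 so the value can also be recorded against the certificate your PKI team issued, which is the comparison that matters when the SSO server carries a CA-signed certificate.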

What to do next

See "Assign a Role to a vCenter User", in the NSX Administration Guide.