vCenter Single Sign-On allows you to authenticate as a user in an identity source that is known to vCenter Single Sign-On, or by using Windows session authentication. You can also authenticate by using a smart card (UPN-based Common Access Card or CAC), or by using an RSA SecurID token.
Two-Factor Authentication Methods
The two-factor authentication methods are often required by government agencies or large enterprises.
- Smart card authentication
- Smart card authentication allows access only to users who attach a physical card to the USB drive of the computer that they log in to. An example is Common Access Card (CAC) authentication.
- RSA SecurID Authentication
- For RSA SecurID authentication, your environment must include a correctly configured RSA Authentication Manager. If the Platform Services Controller is configured to point to the RSA server, and if RSA SecurID Authentication is enabled, users can log in with their user name and token.
Specifying a Nondefault Authentication Method
Administrators can set up a nondefault authentication method from the vSphere Client, or by using the sso-config script.
- For smart card authentication, you can perform the vCenter Single Sign-On setup from the vSphere Client or by using sso-config. Setup includes enabling smart card authentication and configuring certificate revocation policies.
- For RSA SecurID, you use the sso-config script to configure RSA Authentication Manager for the domain, and to enable RSA token authentication. You cannot configure RSA SecurID authentication from the vSphere Client. However, if you enable RSA SecurID, that authentication method appears in the vSphere Client.
Combining Authentication Methods
You can enable or disable each authentication method separately by using sso-config. Leave user name and password authentication enabled initially, while you are testing a two-factor authentication method, and set only one authentication method to enabled after testing.