After installing or upgrading to vSphere 8.0 Update 3, you can configure vCenter Server hosts for VMware Single Sign-On. When you configure VMware Single Sign-On, you use an external identity provider to sign into your vCenter Server hosts.

VMware Single Sign-On enables you to connect vCenter Server hosts in a non-Enhanced Linked Mode configuration. That is, as long as you configure an external identity provider, you can leverage that configuration for single sign-on to other vCenter Server hosts. The vCenter Server host on which the external identity provider is configured acts as the identity provider for the other vCenter Server hosts.

You can configure multiple vCenter Server hosts to perform VMware Single Sign-On. To do so, you must configure each vCenter Server host to point to the vCenter Server host configured with an external identity provider.

After performing the VMware Single Sign-On configuration, you can still log in to your vCenter Server hosts with a local account.

Note: VMware Single Sign-On does not share inventories between vCenter Server hosts as occurs in Enhanced Linked Mode.

Prerequisites

VMware Single Sign-On requirements:

  • The vCenter Server on which you configure VMware Single Sign-On runs vSphere 8.0 Update 3.
  • The vCenter Server hosts you want to connect to run at least vSphere 8.0 Update 1.
  • You have configured one of the following external identity providers:
    • Microsoft Entra ID
    • Okta
    • PingFederate
  • You must add the trusted root certificate from the vCenter Server host on which the external identity provider is configured to the vCenter Server host on which you configure VMware Single Sign-On.

Procedure

  1. Download the trusted root certificate from the vCenter Server host on which the external identity provider is configured. For example, see the VMware knowledge base article at https://kb.vmware.com/s/article/2108294.
  2. Upload that trusted root certificate to the vCenter Server host on which you are configuring VMware SSO.
    See Add a Trusted Root Certificate to the Certificate Store Using the vSphere Client.
  3. Use the vSphere Client to log in as an administrator to the vCenter Server host on which you are configuring VMware SSO.
  4. Navigate to Home > Administration > Single Sign On > Configuration.
  5. Click Change Provider and select VMware SSO.
    The Configure Main Identity Provider wizard opens.
  6. In the Prerequisites panel, review the vCenter Server requirements.
  7. Click Run Prechecks.
    If the precheck finds errors, click View Details and take steps to resolve the errors as indicated.
  8. When the Precheck passes, click the confirmation checkbox then click Next.
  9. In the OpenID Connect panel, enter the following information.
    • Identity Provider Name: Filled in with VMware SSO.
    • vCenter Server FQDN: Enter the FQDN of the vCenter Server host where the external identity provider is configured.
    • Port Number: Accept the default of 443, or change to the port you want to use.
    • User Name and Password: Enter the user name and password for an administrator account on this vCenter Server host where the external identity provider is configured.
  10. Click Next.
  11. Review the information and click Finish.
    vCenter Server creates the VMware SSO provider and displays the configuration information. This vCenter Server host now contains the same external identity provider configuration as the host on which the configuration was created. For example, when you compare the OpenID configurations between the two hosts, it is the same.
  12. Configure this vCenter Server to use the external identity provider for authorization.
    You can either assign the external identity provider users to a vCenter Server group or assign inventory-level and global permissions to the users. The minimum permission required for logging in is Read-Only.
    To assign the external identity provider users to a group, see Add Members to a vCenter Single Sign-On Group. To assign inventory-level and global permissions to the users, see the topic about managing permissions for vCenter Server components in the vSphere Security documentation.
  13. Verify logging in to this vCenter Server host with an external identity provider user.
    When you launch the vSphere Client, you see the Welcome to VMware vSphere screen, with the Sign in with SSO button. When you click this button, you are redirected to the external identity provider's sign-in screen.