The Identity Appliance provides Single-Sign On (SSO) capability for vRealize Automation users. SSO is an authentication broker and security token exchange that interacts with the enterprise identity store (Active Directory or OpenLDAP) to authenticate users. A system administrator configures SSO settings to provide access to the vRealize Automation.

About this task

Note:

If you plan to use the vRealize Automation migration tool, you must specify a Native Active Directory when you configure the appliance.

Native Active Directories have the following characteristics:

  • Use Kerberos to authenticate

  • Do not require a search base, making it easier to find the correct Active Directory store

  • Can be used only with the default tenant

Procedure

  1. Navigate to the Identity Appliance management console by using its fully qualified domain name, https://identity-hostname.domain.name:5480/.
  2. Continue past the certificate warning.
  3. Log in with the user name root and the password you specified when the appliance was deployed.
  4. Click the SSO tab.

    The red text is a prompt, not an error message.

  5. Type the password to assign to the system administrator in the Admin Password and Repeat password text boxes.

    The System Domain text field has the value vsphere.local, which is the local default domain for the Identity Appliance. The default tenant is created with this name and the system administrator is administrator@vsphere.local. Record the user name and password in a secure place for later use.

  6. Click Apply.

    It can take several minutes for the success message to appear. Do not interrupt the process.

  7. When the success message appears, click the Host Settings tab.
  8. Verify that the SSO Hostname does not include the SSO port, :7444.
  9. Select the certificate type from the Choose Action menu.

    If you are using a PEM-encoded certificate, for example for a distributed environment, select Import PEM Encoded Certificate.

    Certificates that you import must be trusted and must also be applicable to all instances of vRealize Appliance and any load balancer by using Subject Alternative Name (SAN) certificates.

    Note:

    If you use certificate chains, specify the certificates in the following order:

    • The client/server certificate signed by the intermediate CA certificate

    • One or more intermediate certificates

    • A root CA certificate

    Option

    Action

    Import PEM Encoded Certificate

    1. Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.

    2. Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box.

    3. (Optional) If your certificate uses a pass phrase to encrypt the certificate key, copy the pass phrase and paste it in the Pass Phrase text box.

    Generate Self-Signed Certificate

    1. Type a common name for the self-signed certificate in the Common Name text box. You can use the fully qualified domain name of the virtual appliance (hostname.domain.name) or a wild card, such as *.mycompany.com.

    2. Type your organization name, such as your company name, in the Organization text box.

    3. Type your organizational unit, such as your department name or location, in the Organizational Unit text box.

    4. Type a two-letter ISO 3166 country code, such as US, in the Country text box.

    Keep Existing

    Leave the current SSL configuration. Select this option to cancel your changes.

  10. Click Apply Settings.

    After a few minutes the certificate details appear on the page.

  11. Join the Identity Appliance to your Native Active Directory domain.

    For migration, you must configure Native Active Directory. If you are not migrating, Native Active Directory is optional.

    1. Click the Active Directory tab.
    2. Type the domain name of the Active Directory in Domain Name.
    3. Enter the credentials for the domain administrator in the Domain User and Password text boxes.
    4. Click Join AD Domain.
  12. Click the Admin tab.
  13. Verify that the SSH settings are correct.

    When SSH service enabled is selected, SSH is enabled for all but the root user. Select or uncheck Administrator SSH login enabled to enable or disable SSH login for the root user.

Results

The SSO host is initialized. If Identity Appliance does not function correctly after configuration, redeploy and reconfigure the appliance. Do not make changes to the existing appliance.