As a system administrator or virtual infrastructure administrator, you use single sign-on to enable SSO users to log in securely to your vRealize Operations environment.

After the single sign-on source is configured, users are redirected to an SSO identity source for authentication. When logged in, users can access other vSphere components such as the vCenter Server without having to log in again.

Prerequisites

  • Verify that the server system time of the single sign-on source and vRealize Operations are synchronized. If you need to configure the Network Time Protocol (NTP), see vRealize Operations Cluster and Node Maintenance.
  • Verify that you have access to a Platform Services Controller through the vCenter Server. See the VMware vSphere Information Center for more details.

Procedure

  1. Log in to vRealize Operations as an administrator.
  2. From the left menu, click Administration, and then click the Authentication Sources tile.
  3. Click Add.
  4. In the Add Source for User and Group Import dialog box, provide information for the single sign-on source.
    Option Action
    Source Display Name Type a name for the import source.
    Source Type Verify that SSO SAML is displayed.
    Host Enter the IP address or FQDN of the host machine where the single sign-on server resides. If you enter the FQDN of the host machine, verify that every non-remote collector node in the vRealize Operations cluster can resolve the single sign-on host FQDN.
    Port Set the port to the single sign-on server listening port. By default, the port is set to 443.
    User Name Enter the user name that can log into the SSO server.
    Password Enter the password.
    Grant administrator role to vRealize Operations Manager for future configuration? Select Yes so that the SSO source is reregistered automatically if you make changes to the vRealize Operations setup. If you select No, and the vRealize Operations setup is changed, single sign-on users will not be able to log in until you manually reregister the single sign-on source.
    Automatically redirect to vRealize Operations single sign-on URL? Select Yes to direct users to the vCenter single-sign on log in page. If you select No, users are not redirected to SSO for authentication.
    Import single sign-on user groups after adding the current source? Select Yes so that the wizard directs you to the Import User Groups page when you have completed the SSO source setup. If you want to import user accounts, or user groups at a later stage, select No.
    Advanced options If your environment uses a load balancer, enter the IP address of the load balancer.
  5. Click Test to test the source connection, and then click OK.
    The certificate details are displayed.
  6. Select the Accept this Certificate check box, and click OK.
  7. In the Import User Groups dialog box, import user accounts from an SSO server on another machine.
    Option Action
    Import From Select the single sign-on server you specified when you configured the single sign-on source.
    Domain Name Select the domain name from which you want to import user groups. If Active Directory is configured as the LDAP source in the PSC, you can only import universal groups and domain local groups if the vCenter Server resides in the same domain.
    Result Limit Enter the number of results that are displayed when the search is conducted.
    Search Prefix Enter a prefix to use when searching for user groups.
  8. In the list of user groups displayed, select at least one user group, and click Next.
  9. In the Roles and Objects pane, select a role from the Select Role drop-down menu, and select the Assign this role to the group check box.
  10. Select the objects users of the group can access when holding this role.
    To assign permissions so that users can access all the objects in vRealize Operations, select the Allow access to all objects in the system check box.
  11. Click OK.
  12. Familiarize yourself with single-sign on and confirm that you have configured the single sign-on source correctly.
    1. Log out of vRealize Operations.
    2. Log in to the vSphere Web Client as one of the users in the user group you imported from the single sign-on server.
    3. In a new browser tab, enter the IP address of your vRealize Operations environment.
    4. If the single sign-on server is configured correctly, you are logged in to vRealize Operations without having to enter your user credentials.