vSphere 5.1 Single Sign On – part 1

One of the new features in vSphere 5.1 is Single Sign On. What vCenter Single Sign On is ?

 vCenter Single Sign On (SSO) is a component of the VMware Cloud Suite. SSO deals with identity management for administrators and applications that interact with the vSphere platform. SSO is based on identity management technology built by RSA and specifically tailored for VMware Cloud Infrastructure deployment.

Other words saying, you need to install at least one instance of SSO for your vSphere deployment in order to have possibility to authenticate for each and every piece of your virtual infrastructure, which is supported by vCenter SSO, as well as is mandatory service for vCenter server.

What services rely on SSO (see below figure) ?

  • vCenter server
  • vSphere WEB client
  • vCenter server inventory services

The vCenter server  is key here – you MUST have SSO up and running because vCenter server service relay on. Looks like Single Point Of Failure (SPOF) – Thanks VMware for making our life more complicated 😛 . If, for some reasons, SSO service stop work, vCenter server will continue working but you will not be able authenticate to vCenter server neither using vSphere client nor vSphere Web client.

Fortunately, there are several ways to eliminate SPOF from design.

#1 – VMware Single Sign On in cluster mode

You can set up SSO in clustered mode, two or more SSO instances can run in Active\Slave mode and share the single SSO database. One  SSO instance is defined as Primary, the remainders as a slaves. Third party (Apache) loadbalancer providing redundancy and High Availability. Single SSO HA cluster can provides service for multiple vCenter server in different geographical locations.

SSO in cluster mode

 #2 VMware Single Sign-On multisite deployment

However, for deployment with multiple vCenter servers placed in different physical location multisite deployment is recommended. Heaving SSO instance at each location allow fast authentication for local users and it DOESN’T provide automatic fail-over and High Availability.  Single Sign On instance is connect to local directory services and can be deployed as a single Sign-On in standard or clustered mode.

VMware vSphere SSO multisite deployment

#3 vCenter Single Sign-On protected by vSphere replication.

The cheapest and quickest way of protecting your Single Sign On instance (if runs on separate server) or whole VMware vSphere vCenter server is vSphere replication. Build feature in vSphere 5.1 suite, easy to set up, reliable and easy to recover service. Within next few days I will write an article how to set up replication and how to recover vCenter server or SSO server from disaster.

vSphere 5.1 replication of vCenter SSO

#4 vCenter server Heartbeat

Using vCenter server you can protect vCenter server and its components and VMware Single Sign-On is on the list. vCenter server heartbeat greatly simplify protection of Single Sign-on as well as other components of vCenter server including data (

Good article on Michael site about vCenter server deployment considerations will give you more deep in detail info about product.

#5 Cloning (applicable only for VM)

As simple as it is, using PowerCLI you can schedule a clone (backup) of virtual machine where SSO run, it can run on separate VM as well as on the same VM where vCenter server run. Script created by Simon Long (http://www.simonlong.co.uk/blog/)


If you want to get an email notifications visit Simon’s blog and get the rest of the script

[learn_more caption=”resources” state=”open”]


[button link=”http://vmwaremine.com/2012/11/26/vsphere-5-1-single-sign-on-part-2/”] vSphere 5.1 Single Sign On – part 2[/button]

Artur Krzywdzinski

Artur is Consulting Architect at Nutanix. He has been using, designing and deploying VMware based solutions since 2005 and Microsoft since 2012. He specialize in designing and implementing private and hybrid cloud solution based on VMware and Microsoft software stacks, datacenter migrations and transformation, disaster avoidance. Artur holds VMware Certified Design Expert certification (VCDX #077).

  • Preetam

    I guess

    relay=rely & Michel = Michael

    Thanks for the information. I have one question. If have two different sites should I have two SSO? As both SSO will be authenticating against single AD domain.


    • artur_ka

      thx, mistakes fixed 🙂

      yep, you should have two Single Sign On instances, one per site, in case link between DC’s or whole AD become inaccessible you will be able login to both vCenter servers against SSO local users

      • Surya Pendyala

        Hello ,
        we have two datacenters with diffrent two vcenters with and single AD domain.Now i want to update my environment 5.0 to 5.1.How to design my SSO. which is best option for me HA mode or multisitemode.


        • artur_ka

          I understand that you have stretched network across both DC, correct ? Few more questions: how big is the pipe between DC’s? Are we talking about HA concept or DR concept or both ?