VMware Cloud Community
TheVMinator
Expert

Multi-site vRO configuration

I have multiple sites. Each site has a dedicated vCenter and a dedicated SSO. Each site uses a vRO instance and uses its own SSO for authentication. I want to set up the multi-node plugin to manage workflows across all sites centrally.

How will a workflow created in my central site be able to have permissions to run on my remote sites?  I am currently using "session per user" and not "share a unique session"

Burke-
VMware Employee

I don't envision this working at all.

You are logging in to Main Site using SSO... Session per user is sending the Main Site SSO token through the plug-in to a remote site that is not using the same SSO source = no authentication, since the remote site doesn't use the same SSO source.

You need to use Share a unique session when defining your remote servers in the Multi-Site plug-in.

TheVMinator
Expert

OK thanks for the info.  Question though:

If I use share a unique session, the session I use would be based on a service account from AD.  (I'm using SSO authentication, and SSO is in turn using AD as an identity source, and that service account lives in AD).

So in this case also, I would have the same problem - I'm using SSO at the main site as the basis for that shared unique session.

So if the fact that I'm using different SSO servers and different vCenters and different AD servers at each site means that I can't use "session per user" authentication, why would I be able to use "share a unique session"?

If I switch to "share a unique session", that won't change the fact that I'm using different SSO servers at each site, it will only change the user name that the session at the main site is based upon from being a user account to a service account, but not change any other aspect of the authentication process.

With this in mind, how would using "share a unique session" be different?

cdecanini_
VMware Employee

It is different because it should let you specify a username and password for each remote vRO host which in turn should authenticate on their respective SSO.

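The difference between the two modes discussed in this thread, as an added example that is not part of the original posts and is not vRO or plug-in code: a simplified Python model in which each site's SSO signs tokens with its own key. The class and function names, the HMAC token format and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac


class SSO:
    """Toy identity provider: one signing key and one user directory per site."""

    def __init__(self, name, key, users):
        self.name, self._key, self._users = name, key, users

    def _sign(self, user):
        return hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()

    def login(self, user, password):
        if self._users.get(user) != password:
            raise PermissionError(f"{self.name}: bad credentials for {user}")
        return f"{user}:{self._sign(user)}"

    def validate(self, token):
        user, _, sig = token.partition(":")
        return user if hmac.compare_digest(sig, self._sign(user)) else None


class RemoteVRO:
    """Remote orchestrator that trusts only tokens from its own site's SSO."""

    def __init__(self, sso):
        self.sso, self.audit = sso, []

    def run_workflow(self, token, workflow):
        user = self.sso.validate(token)
        if user is None:
            raise PermissionError(f"token was not issued by {self.sso.name}")
        self.audit.append((user, workflow))  # identity the remote site records
        return user


def session_per_user(main_sso, remote, user, password, workflow):
    # Forwards the caller's main-site token to the remote site unchanged.
    return remote.run_workflow(main_sso.login(user, password), workflow)


def shared_session(remote, stored_user, stored_password, workflow):
    # Uses credentials stored for this remote host, checked by the remote SSO.
    token = remote.sso.login(stored_user, stored_password)
    return remote.run_workflow(token, workflow)


# Constructed sample sites and accounts.
MAIN_SSO = SSO("sso-main", b"main-site-key", {"alice": "pw-alice"})
SITE_B_SSO = SSO("sso-site-b", b"site-b-key", {"svc-vro": "pw-svc"})
```

In this model the remote audit trail for a shared session records only the stored account, not the main-site user who started the workflow, so that account's permissions on the remote site bound what any central user can do there.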
TheVMinator
Expert

ok great thanks

lurims
Enthusiast

Hi TheVMinator,

As you have been using the vRO Multi-site for several years now, how do you feel about the robustness of the vRO multi-site feature for an enterprise-size environment? I work for a big insurance company and want to implement this solution to cover over a dozen sites and more than fifty vROs as slaves. Initially we will run on a need basis to kick off remote workflows from the Master, but later, based on the results, we may expand the usage.

Anyone using this feature is welcome to respond to this question.
