Hello,
We are building a script to audit the configuration of our multiple vCenters, and we do not find any information related to SSO configuration on the PowerCLI side, for example: Identity sources, Policies... Mainly anything in the following section accessible through the Web Client: Administration >> Single Sign-On.
Is this possible with PowerCLI? If not, what other scriptable ways are available? (We are exploring getting the information through SQL scripts against the DB.)
Thanks for your help
Regards,
No PowerCLI integration at the moment, I'm afraid.
Although there is an SSO SDK, I have the impression it only provides APIs to work with tokens (acquire, renew, validate).
There don't seem to be any SSO Management APIs as far as I can tell (but lamw will surely correct me if I'm wrong on this).
There are a number of .NET and Java examples in the SDK.
And there is a fling with sample code, as you can read in William's vSphere SDK for JavaScript Fling released.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
LucD is absolutely correct. Today, we only have the SSO Consumer APIs, which are about retrieving SAML tokens etc., and they do not provide access to the SSO configuration, which is under the SSO Admin APIs, which are unfortunately not public today. This is true for any of the vSphere SDKs.
Having said that, depending on what you're looking for, some of this is still retrievable by connecting to vmdird, which is an LDAP-based system. Here are several articles that provide some options on collecting some of this information:
vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JXplorer | virtuallyGhetto
Thanks for both replies, LucD and lamw.
I forgot to mention that we are still on version 5.5 of vSphere; is "vmdir" also available for vSphere 5.5?
What we are trying to get for the moment is the "Identity sources" configuration elements shown on the screenshot below:
Yes.
If that is on a Windows-based vCenter 5.5, you can have a look at vCenter Server 5.5 Single Sign-On VMDir deep dive
I worked with EcoBassam on this subject and, using the information provided by lamw, I managed to make a script that retrieves the required information.
Thanks for the links provided by lamw, they really helped me a lot.
vmdird is an LDAP-based system, so firstly we can use JXplorer to explore the tree structure of LDAP:
We will find all identity sources in the path: /Services/IdentityManager/Tenants/vsphere.local/IdentityProviders
If we would like to use PowerCLI/PowerShell to get the same information as we can see in JXplorer, we may want to use ldapsearch on the SSO server; of course we must have ldapsearch installed on the server:
Here is an example of Invoke-VMScript which I used in my script for an SSO server 5.5:
# Expandable here-string: $password is substituted here, so the guest receives it in clear text on the ldapsearch command line.
# The path to ldapsearch.exe is a placeholder; 11711 is the vmdird LDAP port on SSO 5.5.
$scriptsso = @"
& "C:\the\directory\to\ldapsearch.exe" -h localhost -w $password -p 11711 -x -D "cn=Administrator,cn=users,dc=vsphere,dc=local" -b "cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local" -s one "vmwSTSDomainName=*"
"@
# Run it inside the SSO server guest and keep the LDIF output as a text file
$invokesso = Invoke-VMScript -ScriptText $scriptsso -VM $Vm -GuestUser $user -GuestPassword $password
$invokesso.ScriptOutput | Out-String -Stream | Set-Content "$VMsubfolder\infosso.txt"
Then we get a text file infosso.txt with all Identity Sources.
We can get all the information available in the Edit Identity Source screenshot above:
They are just under different names:
Edit Identity Source field | LDAP attribute
Domain Type | vmwSTSDomainType
Identity source type | vmwSTSProviderType
Name | vmwSTSName
Primary server URL | vmwSTSConnectionStrings
Domain Name | vmwSTSDomainName
Domain alias | vmwSTSAlias
Regards,
Fan
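As an added example (my code, not Fan's script and not anything shipped with vSphere or PowerCLI), here is a PowerShell function that parses the LDIF ldapsearch writes into infosso.txt and presents each identity source under the Edit Identity Source labels from the mapping table above, with multi-valued attributes such as vmwSTSConnectionStrings joined together. The function name ConvertFrom-SsoLdif is my own, the sample LDIF is constructed, and its attribute values are illustrative rather than copied from a real vmdird.

```powershell
# Added example, not from the thread: parse ldapsearch LDIF output into objects
# named after the "Edit Identity Source" labels. Sample data below is constructed.
function ConvertFrom-SsoLdif {
    param([Parameter(Mandatory)][string[]]$Lines)

    # UI label -> vmdird attribute, exactly as listed in the thread
    $map = [ordered]@{
        'Domain Type'          = 'vmwSTSDomainType'
        'Identity source type' = 'vmwSTSProviderType'
        'Name'                 = 'vmwSTSName'
        'Primary server URL'   = 'vmwSTSConnectionStrings'
        'Domain Name'          = 'vmwSTSDomainName'
        'Domain alias'         = 'vmwSTSAlias'
    }

    # LDIF folds long values: a line starting with one space continues the previous line
    $unfolded = New-Object 'System.Collections.Generic.List[string]'
    foreach ($line in $Lines) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $line.Substring(1)
        } else {
            $unfolded.Add($line)
        }
    }
    $unfolded.Add('')   # a trailing blank line flushes the last record

    # Records are separated by blank lines; keeping only records with a dn drops
    # the "search:"/"result:" trailer that ldapsearch appends
    $records = @()
    $current = @{}
    foreach ($line in $unfolded) {
        if ($line -match '^\s*$') {
            if ($current.ContainsKey('dn')) { $records += $current }
            $current = @{}
            continue
        }
        if ($line.StartsWith('#')) { continue }   # ldapsearch comment lines
        # "attr:: value" carries a base64-encoded value, "attr: value" a plain one
        if ($line -match '^(?<attr>[A-Za-z0-9;.-]+)(?<b64>:)?: (?<val>.*)$') {
            $val = $Matches.val
            if ($Matches.b64) {
                $val = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($val))
            }
            $attr = $Matches.attr
            # repeated attributes (several vmwSTSConnectionStrings) become arrays
            if ($current.ContainsKey($attr)) { $current[$attr] = @($current[$attr]) + $val }
            else { $current[$attr] = $val }
        }
    }

    foreach ($rec in $records) {
        $obj = [ordered]@{ DN = $rec['dn'] }
        foreach ($label in $map.Keys) {
            $obj[$label] = (@($rec[$map[$label]]) -join '; ')
        }
        [pscustomobject]$obj
    }
}

# Constructed sample in the shape "ldapsearch -x ... -s one" prints; values are illustrative
$sampleLdif = @'
# extended LDIF
# filter: vmwSTSDomainName=*

dn: cn=vsphere.local,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
vmwSTSDomainName: vsphere.local
vmwSTSDomainType: SYSTEM_DOMAIN
vmwSTSProviderType: IDENTITY_STORE_TYPE_VMWARE_DIRECTORY
vmwSTSName: vsphere.local
vmwSTSAlias: LOCAL

dn: cn=corp.example,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
vmwSTSDomainName: corp.example
vmwSTSDomainType: EXTERNAL_DOMAIN
vmwSTSProviderType: IDENTITY_STORE_TYPE_LDAP
vmwSTSName: Corporate directory
vmwSTSConnectionStrings: ldap://dc1.corp.example:389
vmwSTSConnectionStrings: ldaps://dc2.corp.example:636
vmwSTSAlias: CORP

# search result
search: 2
result: 0 Success
'@

$sources = ConvertFrom-SsoLdif -Lines ($sampleLdif -split "`r?`n")
$sources | Format-Table -AutoSize

# Against the real file written by the Invoke-VMScript step:
#   ConvertFrom-SsoLdif -Lines (Get-Content "$VMsubfolder\infosso.txt")
# Audit check: identity sources that still reach a directory over plain ldap://
$sources | Where-Object { $_.'Primary server URL' -match '(^|; )ldap://' } |
    Select-Object Name, 'Primary server URL'
```

Feeding the function the lines of infosso.txt from each vCenter gives one object per identity source, which is easy to export to CSV for the audit; the last pipeline is the kind of check such an audit would add, flagging sources whose connection string is not LDAPS.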
Thanks for sharing that, great find!
Many thanks to you, LucD and lamw, your help is very much appreciated.