With a single SSO instance I get a single pane of glass for multiple vCenter servers at our primary site. Best practices state that vCenter at a remote site would be better served by another SSO server at the same site. To gain a single pane of glass, the SSO servers need to be in multi-site mode and then linked. This setup requires maintaining two SSO databases and manually syncing data between the sites. I can’t be alone in thinking that things won’t always be this way.
Is it safe to assume SSO will automatically replicate DB changes to remote sites in the future? If so, I would also assume that connecting to any linked SSO servers would allow the single pane of glass view using the web client. If this is the future, linked mode and generation 1 multi-site SSO is dead.
If my above assumptions are correct and a redesign of SSO is in our near future, the best implementation of SSO (future proof, simple upgrade path, ease of initial installation and configuration) is to create SSO using the basic installer option and then join my remote vCenter server to a single SSO at the main site (the latency is under 12ms between sites). Until SSO supports database replication, SRM, Recoverpoint, or a VM clone could be used to bring SSO up on the remote site should the primary site fail (the sites use stretched VLANs).
I’d hate to build out the multi-site linked mode design only to have it ripped out from under me in the next release. What is the general consensus?
Welcome to the communities.
If will answer in single line its the feature which will integrate with your ad or other application that should not ask for more credential .
Once you login to the system every application should working without pooping any more credential or different credential.
Thanks, Ethen. I'm not concerned about the authentication features of SSO. I'm just trying to determine what VMware's future plans for SSO are with regard to a single pane of glass view within the vCenter web client. Specifically, I'm wondering if linked mode and a multi-site configuration will be a requirement for this view in the future. I'm speculating because the configuration documents seem rushed and the proposed solution for syncing SSO databases is limited at best.
Not sure about the "future plans" of SSO per se, but on my environment, this works as well
1. Single SSO server
2. Two Virtual Centers (remote/local does not matter as long as everything is in the same domain/network)
3. Hook both VC's to the same SSO instance
4. Configure vSphere Web Client and hook it to the SSO
This allows for a singler pane view without the manual intervention of syncing data in a multisite setup.
Not sure this is the way to go for a large production environment but works fine where a simple set up is required without the hassles of a multisite SSO
Note: I am unsure about the suitability or even supportability of the above set up but I know this is working fine for me as well a couple of other set-ups
I'm very tempted to go that route. I'm guessing that future releases will allow me to stand up a second SSO instance at the remote site and simply link the two. It would be a gamble at this point though... Eventually, I'd like to be able to lose the primary site and authenticate to vCenter on the remote site without having to recovery the SSO instance first.