VMware Cloud Community
saymOU
Enthusiast

SSO authentication login test only allows vCenter local administrator

I am configuring vCO 5.1.1 with SSO. I am able to successfully register Orchestrator using SSO Registration - Basic Mode; however, in the SSO Configuration portion I am unable to save settings for any vCO Admin group I select that is a domain group. While I can find the group using the groups filter, when I click "Update Orchestrator Configuration", the group selected changes to a local group on the vCenter Server system. If I apply a local group as the vCO Admin, such as the local Administrators group of vCenter Server, and then test login using credentials of one of the members, the authentication fails: "Provided credentials are not valid." The only credential that does authenticate is the built-in administrator account of the vCenter Server system. This prevents me from logging into the vCO client. What could be preventing the group members from being applied as vCO admins?

iiliev
VMware Employee

I think this could be a UI glitch. That is, when you click the 'Update Orchestrator Configuration' button, the group is properly updated in the configuration files, but this is not properly reflected in the UI.

Could you verify whether the content of the vCO configuration file named 'sso.properties' is updated when you press the 'Update Orchestrator Configuration' button? The file location depends on whether you have deployed the appliance or a standalone vCO Windows installation (on the appliance, it should be in the /opt/vmo/app-server/server/vmo/conf/ directory).

saymOU
Enthusiast

You're right about the UI glitch. I checked sso.properties, and it showed the correct domain group for the vCO admins. Now that I know it saved the SSO configuration, I don't understand why authentication fails to allow a member of that group.

iiliev
VMware Employee

This could be due to too aggressive caching in the validation logic (that is, the code tries to validate credentials using the old configuration).

What happens if you finish the configuration, restart the configuration service (which should invalidate all possible caches), and then try the test login?

saymOU
Enthusiast

The solution was two-fold:

1. Nested groups cannot be used as vCO Admins. I made a domain group the vCO Admins, but the group had a nested group as a member. All members in the domain group needed to be individual users.

2. SSO authentication requires the full name in the login: user@mydomain.com

I also made sure that my domain was listed as one of the default domains in the SSO configuration. Once I restarted the configuration service and the vCO server service, I could successfully log in to the vCO client.
