VMware Cloud Community
StuDuncanHPE
Enthusiast

SsoAdmin module questions

As part of a larger set of scripts (import/export/restore), I have a restore script for permissions, roles, global permissions, and sso users. Everything works fine, except that I can't get the passwords of the sso users.  The SsoAdmin module allows you to set it when (re)creating a user, but does not allow you to get the password.  Any idea if this is possible?

Along these lines, is there any way to get 'all non-VMware sso users'? i.e., is there any flag to uniquely identify those accounts?

 

 

LucD
Leadership

Afaik no, that is not possible.
In fact, I would consider having the ability to retrieve passwords a serious security issue 😉

But since the VMware.vSphere.SsoAdmin module is published in the PowerCLI Examples repository, I would suggest also opening an Issue there.

With the Get-IdentitySource cmdlet you have the External switch to find other domains.
Then with Get-SSOPersonUser and the Domain parameter you should be able to find these users. 


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

StuDuncanHPE
Enthusiast

I very much hear you about the security issue - but in a large institution, finding the actual password is ... sometimes impossible.  And just a hash that I can extract & push back into the new-ssopersonuser would be good enough. I don't really want to know the actual password.

 

As for the non-VMware sso users, I meant in the local sso domain, i.e. a user that's 'svcacct@vsphere.local', and differentiating it from a VMware sso account programmatically.   And not just (-like *svc*) because there's a bunch of randomly named accts.

LucD
Leadership

Ok, got you.

No, afaik the GetLOcalUsers method, which is what Get-SsoPersonUser calls, does not return that kind of information.
The properties you see coming out of Get-SsoPersonUser are all the info the method returns, I'm afraid.
