VMware Cloud Community
gal2222222
Contributor

Is it possible to connect multiple vCenters to vRealize orchestrator without VRA?

Hey!

I want to run my workflows from several vCenters.

We don't use vRA in our environment.

Is it possible?

Thanks!!

9 Replies
iiliev
VMware Employee

Hi,

Yes, it is possible. You can have a single vCenter/PSC used by vRO as authentication provider, but many vCenters can be registered (using the vRO workflow 'Add a vCenter Server instance') and used in vRO scripting code.

gal2222222
Contributor

Thanks for the quick answer :)

But I think I didn't understand you 100%.

I have vc_#1, and it is connected to vRO as an instance and also as an extension. If I want to run my workflows, I can do it from the web client of vc_#1.

Now I want to run the same workflows on the same vRO from a different vCenter (from its web client); let's call it vc_#2.

I connected it the same way as vc_#1, as an instance and as an extension, but when I log into the web client of vc_#2 I can't connect to the vRO extension.

From what I understood, you gave me a solution for using the objects of vc_#2 in vRO workflows.

I want something a little bit different. As I said, I want to run the workflows that I wrote from the web clients of two different vCenters.

iiliev
VMware Employee

OK, thanks for the clarification.

So, when you start a vRO workflow from a given vSphere Web client UI, it calls the vRO server REST API, authenticating with a SAML token issued on behalf of the user currently logged into the Web client (the user who starts the workflow).

Now, when you start the workflow from vc_#1, it will pass a SAML token issued by vc_#1's authentication provider, let's name it psc_#1. And when you start the workflow from vc_#2, it will pass a SAML token issued by vc_#2's authentication provider, let's name it psc_#2.

When these REST calls reach the vRO server, it will try to validate the SAML tokens against the authentication provider the vRO server is configured with, let's name it psc_#3. For these calls to pass, psc_#3 must be able to validate tokens issued by both psc_#1 and psc_#2.

In practice, the above means that either:

a) all PSCs are the same (one common PSC instance is used for authentication by the vRO server, vc_#1 and vc_#2), or

b) if these PSCs are different instances, they should be configured in a way that SAML tokens issued by psc_#1 and psc_#2 can be validated on psc_#3. I'm not sure what the requirements are for this setup to work; perhaps all PSCs must have the same set of token signing certificates.

Hope the above makes sense :)

gal2222222
Contributor

Thanks!

You really helped me understand the problem.

I will try to work it from here.

Just to be clear, you don't have a solution for a situation with different PSCs, right?

I think I will try to use this guide: Join a SAML Service Provider to the Identity Federation

Update:

Tried the guide in the link above.

I exported and imported the SAML XML file from vc_#1 to vc_#2 and the opposite, and it's still not working...

I forgot to mention that psc_#1 is defined as the authenticator of the vRO server.

Maybe I didn't understand the guide correctly?

iiliev
VMware Employee

I'm not completely sure what kind of setup is required for multiple PSCs to be able to cross-validate their SAML tokens. Maybe the steps from this guide are enough, maybe some other configuration is necessary. Let's hope that someone from the vCenter team will join this thread and clarify.

BTW, I'd suggest checking the vRO server and vSphere Web client log files, just in case, to validate that the error is indeed 401 Unauthorized (authentication failures caused by SAML token validation issues) and not some different error, unrelated to authentication.

gal2222222
Contributor

Still not solved.

I checked the logs; I see there:

"Error [idpmetadatasettingRetriever]  can not find configuration for tenanat https://vc_#2.dom.mil/websso/saml2/metadata/vsphere.local"

"TokenAuthenticationFilter"

iiliev
VMware Employee

This error means the SSO endpoint corresponding to vc_#2 cannot be found by the lookup service.

You can check what endpoints are available to the lookup service by opening https://{vcaddress}/lookupservice/mob?moid=ServiceRegistration&method=List and invoking the method with an empty <filterCriteria/> request body, then looking in the results for endpoints of type com.vmware.cis.cs.identity.websso

I suppose you need to have 2 endpoints of this type (one for each vc) in order for the token validation logic to succeed.

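As an added illustration (not code from vRO, vCenter, or anyone in this thread) of the validation flow described earlier and of the "can not find configuration for tenant" failure in the log: a toy relying party that looks up the token issuer's configuration before checking the signature, so a token from a second PSC is rejected until that PSC's metadata is registered. The PSC issuer URLs, keys and the HMAC scheme are assumptions standing in for real SAML.

```python
# Added illustration, not vRO or vCenter code: a toy relying party that, like
# the vRO token filter, first looks up the token issuer's configuration and
# only then checks the signature. HMAC stands in for a real SAML XML
# signature; issuer URLs and keys are constructed examples.
import base64, hashlib, hmac, json

class TokenValidationError(Exception):
    pass

class IdentityProvider:  # one PSC / SSO endpoint issuing tokens for its tenant
    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer, self.signing_key = issuer, signing_key
    def issue(self, subject: str) -> str:
        payload = json.dumps({"iss": self.issuer, "sub": subject}).encode()
        sig = hmac.new(self.signing_key, payload, hashlib.sha256).digest()
        return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()

class RelyingParty:  # accepts tokens only from issuers whose metadata it holds
    def __init__(self):
        self.idp_config = {}  # issuer -> signing key, from imported IdP metadata
    def register_idp(self, idp: IdentityProvider) -> None:
        self.idp_config[idp.issuer] = idp.signing_key
    def validate(self, token: str) -> str:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.b64decode(payload_b64)
        claims = json.loads(payload)
        key = self.idp_config.get(claims["iss"])
        if key is None:  # the failure reported in the thread's vRO log line
            raise TokenValidationError(f"can not find configuration for tenant {claims['iss']}")
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(sig_b64)):
            raise TokenValidationError("signature does not verify against issuer key")
        return claims["sub"]

def demo() -> tuple:
    psc1 = IdentityProvider("https://psc1.example/websso/saml2/metadata/vsphere.local", b"key-one")
    psc2 = IdentityProvider("https://psc2.example/websso/saml2/metadata/vsphere.local", b"key-two")
    vro = RelyingParty()
    vro.register_idp(psc1)  # vRO configured with psc_#1 only, as in the thread
    accepted = vro.validate(psc1.issue("alice"))
    try:
        vro.validate(psc2.issue("alice"))
        rejected = "accepted"
    except TokenValidationError as err:
        rejected = str(err)
    vro.register_idp(psc2)  # once psc_#2's metadata is known, its tokens pass
    return accepted, rejected, vro.validate(psc2.issue("alice"))
```

Running demo() shows the same sequence the thread walks through: psc_#1 tokens pass, psc_#2 tokens fail with the tenant-lookup error, and they pass once the relying party knows psc_#2.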
gal2222222
Contributor

Sounds like that's what I need.

But is there a way to do it?

iiliev
VMware Employee

Perhaps if using Enhanced Linked Mode (see https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.install.doc/GUID-ACCD2814-0F0A-4786...).

But that's something I haven't tried; someone with better knowledge of vCenter deployment types may give more insights.
