Single Sign-On (SSO) Improvements in vSphere 5.5
One of the biggest improvements in the recently announced vSphere 5.5 is the updates to Single Sign-On (SSO). This new version of SSO makes me extremely happy and I think it will have the same affect for the customers I work with. The initial SSO attempt in vSphere 5.1 was… well, lets just say it could have been better. Today I’ll cover the changes to this SSO update and why it makes for a better product.
vSphere 5.5, SSO, and Improved Architecture
Multi-master – No more working with a primary and secondary architecture with strict database rules. The new SSO product uses a multi-master model for the SSO servers.
Built in replication – Replication is now built in and happens automatically between SSO servers within the same domain.
Site awareness – There is now the ability within an SSO domain to define sites. Sites would typically be physical data center locations. This makes the architecture a little easier to understand and design for.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Adios, SSO Database
The big news here is that there is no SSO database any more. This change allows for the improved architecture covered earlier. While the database was not impossible, it did give many admins a rash while trying to setup the first couple of attempts.
SSO Installation Updates
With the updated version of SSO there is now just a single deployment method. This simplifies things a great deal. The previous version confused many people about when should they use simple, HA, or multi-site configurations.
New install options are as follows:
- First server in a new domain
- Add a server in an existing domain
- Add a server in an existing domain with a new site
SSO Diagnostics and Troubleshooting
VMware has also package a set of diagnostic and troubleshooting tools with this release of SSO. I welcome this because even when talking with VMware people and their support staff there was a huge void in SSO experience. Having a set of tools that can aide in resolving SSO issues.
SSO Install Recommendations
For a large portions of customers VMware recommends them to KISS (Keep It Simple SSO!) when architecting and installing their SSO environment. This means that for data centers with one to five vCenters the primary architecture choice would be to install all the components for a vCenter on a single server as shown below. This keeps things simple and still performs very well for environments with up to 1000 hors or 10,000 VMs. This model keeps all the services local and does not create any new external dependencies.
The alternative architecture for larger data centers with more than five vCenters should consider the following model. This model uses a centralized SSO and vSphere Web Client install that all vCenters will access. This model supports a mixed vCenter version of both vCenter 5.1 and 5.5. This will be welcome for customers that have mixed requirements or long upgrade processes.
To support the high availability of this model the following are some requirements and options for consideration:
- vSphere HA
- Network Load Balancer
- vCenter Heartbeat