vSphere 5.5 Improvements Part 7 – Single Sign On Completely Redesigned

For many folks, the utterance of the term vCenter Single Sign On (SSO) is met with an angry scowl and a fresh battle scar. To be perfectly blunt: it was bad. I’m not going to enumerate a list of reasons why it was bad, but let’s just say that numerous VMware KBs and blog posts made this a clear point. But that’s in the past, so let’s look forward to the future.

Can VMware make SSO not suck? It appears the answer is yes, and more! 🙂

SSO 5.5 Architecture

The previous SSO architecture has practically been wiped away and started from scratch. It hardly looks anything like what it used to be. And that’s a really, really good thing.


Here are a few big improvements that I’m sure you’ll be delighted by:

  • SSO is now a multi-master model. There are no more islands of standalone architecture cobbled together with export and import scripts.
  • Replication between SSO servers is automatic and built-in.
  • SSO is now site aware.
  • The SSO database is completely removed. You heard that correctly – there is absolutely no more SSO database. Kiss RSA_USER and RSA_DBA goodbye. Good riddance!


If you’ll recall, SSO 5.1 had three different deployment models: Standalone, HA, and Multi-Site. And most people chose Standalone because the other two were dangerous and clunky.

With SSO 5.5, there is only one single deployment model based on the multi-master domain architecture. You have three basic choices during SSO installation:

  1. First server in a new SSO domain
  2. Additional server in an existing SSO domain
  3. Additional server in an existing SSO domain within a new site

Also, if you run into a snag, there’s now a full suite of diagnostic and troubleshooting tools available to you. That should equate to less headache and fewer tier 1 support calls.

Admin@System-Domain Is Dead

VMware realized that they had created a funky domain name. System-Domain isn’t a fully qualified domain name.

In SSO 5.5 the new domain is called vSphere.local with a user called Administrator.

  • If you are doing a net new installation of SSO 5.5: you will set the password for Administrator@vSphere.local during the install.
  • If you are upgrading from SSO 5.1: the password you set for Administrator@vSphere.local during the upgrade will be applied to Admin@System-Domain and a mapping relationship will exist so that you can log in as either user account.

Seems like a bit more friendly of a domain and name to remember.

Server Design Recommendations

There are now published VMware recommendations around the design of vCenter Server components.

The first design recommendation is for organizations with a data center that has 1 to 5 vCenter Servers.

VMware recommends installing all of the services on a local server – it’s simple and scales relatively well. This model supports up to 1000 vSphere hosts and 10,000 virtual machines. That’s a lot of objects for a single data center.


For larger organizations with a data center that needs more than 5 vCenter Servers, VMware recommends a centralized SSO authentication server.

Note that in the graphic below there is a mixture of vCenter 5.1 and 5.5, which is supported. Therefore you can upgrade your vCenter servers in a timeline that makes sense for your organization.


For a distributed, multiple data center architecture, you can dictate that SSO create different sites.

Remember, SSO 5.5 is site aware, therefore you’re just telling SSO that it is managing domains for unique sites. Replication is still automatic between SSO instances across your environment. If you want to get a single view of the entire vCenter landscape, the sites can be tethered together using Linked Mode.


Other vCenter Related Improvements

Not to be left out, vCenter Server and the vCenter Server Appliance (VCSA) received some love.

  • The vCenter database is now officially supported on clustered technologies. Both Oracle RAC 11g and Microsoft Failover Clusters (formerly MSCS) are supported.
  • The VCSA has been improved with a beefier vPostgres embedded database (tweaks, changes, optimization), which supports up to 100 vSphere hosts and 3000 virtual machines (originally listed here as 500 hosts and 5000 virtual machines).
  • If (or when) Microsoft updates their ODBC driver from a tech preview to full production support, VMware has pledged firm commitment to support SQL as an external database for the VCSA.

vSphere Web Client Changes

And last, but not least, the vSphere Web Client underwent a few changes and improvements, too. Although until it’s using a more modern front end (such as HTML5), the Web Client will still remain in a negative light for many folks.

  • Added support for Mac OS X: VM console access, deploying OVF templates, and attaching client devices.
  • Linux support has been dropped due to Adobe dropping support for Flash player on Linux. (My thought? Get rid of Flash!)
  • The interface now supports drag and drop, filters, and recent items.