vRSLCM SSO with CNAME

With vRSLCM we are able to integrate with vIDM for SSO purposes. This works flawlessly as long as we use the actual hostname FQDNs, but as soon as customers use a CNAME to access the same vRSLCM instance with SSO enabled, we encounter SSO logon redirect issues.

With this blog post I will try to explain how to work around this issue with the help of official VMware documentation. The starting point is a working vRSLCM installation based on the server/VM name, with vIDM integration enabled, and with a CNAME pointing to the same IP address. In this situation the SSO setup will not work if we use the CNAME to access vRSLCM.

Below are some screenshots of the starting point:

Note the Target URL! This is one of the reasons for SSO to fail with a CNAME.
Note the Redirect URI! This is one of the reasons for SSO to fail with a CNAME.
The vIDM local user that we will be using to SSO into vRSLCM.
That same user has all administrative rights in vRSLCM.

So far, the default vRSLCM<>vIDM integration will work when used with the actual hostname we deployed it with. But, if we now access the environment with a CNAME (lcm-sso.vmw.local) pointing to the same address, we encounter an empty page.

Notice we got redirected to the original hostname!

This is expected because, as we have seen in the vIDM configuration, a Redirect URI is registered that points to vrslcm.vmw.local, so after authentication the browser is sent back to that name rather than to the CNAME we started from. This is where it gets interesting, and some might think of just changing the fields in vIDM to point to lcm-sso.vmw.local instead. Unfortunately, this is not as easy as it seems. Instead, we need to follow the procedure below to make it work as expected!

First, we need to clean up the Catalog item and Remote Access configuration in vIDM.

Secondly, if not already in place, we need to create an updated certificate that contains both the server name and the CNAME as Subject Alternative Names (SANs) and replace the current one.

If needed, check the result as seen after a browser refresh! The certificate should now contain both SANs.

Then we can use the official procedure to update the vRSLCM hostname so that it matches the CNAME we want to use. Below is an example from my lab:

root@vrslcm [ / ]# rm /opt/vmware/etc/vami/flags/vami_setnetwork
root@vrslcm [ / ]# /opt/vmware/share/vami/vami_set_hostname lcm-sso.vmw.local
	== set_ipv4 ==
	DEFULT_INT: eth0
	DEFAULT_IPV4: 192.168.1.87
	HN: lcm-sso
	DN: vmw.local
	==============
	== set_ipv6 ==
	DEFULT_INT: eth0
	DEFAULT_IPV6: 
	HN: lcm-sso
	DN: vmw.local
	==============
	Host name has been set to lcm-sso.vmw.local
>> Power down VM and change OVF-hostname value
>> Start VM
>> Check config:
root@lcm-sso [ ~ ]# /opt/vmware/share/vami/vami_config_net
	Main Menu 
	0)      Show Current Configuration (scroll with Shift-PgUp/PgDown)
	1)      Exit this program
	2)      Default Gateway
	3)      Hostname
	4)      DNS
	5)      Proxy Server
	6)      IP Address Allocation for eth0
	Enter a menu number [0]: 3
	New hostname [lcm-sso.vmw.local]: 
root@lcm-sso [ ~ ]# hostname
lcm-sso.vmw.local
root@lcm-sso [ ~ ]# cat /etc/hosts
# Begin /etc/hosts (network card version)

# End /etc/hosts (network card version)
# VAMI_EDIT_BEGIN
# Generated by Studio VAMI service. Do not modify manually.
127.0.0.1  lcm-sso.vmw.local lcm-sso localhost
::1  lcm-sso.vmw.local lcm-sso localhost ipv6-localhost ipv6-loopback
# VAMI_EDIT_END
>> Reboot vRSLCM host
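Before re-registering with vIDM it is worth verifying that the three things the procedure above changed are actually in place: the appliance hostname is now the CNAME, the installed certificate carries both the deployed hostname and the CNAME as DNS SANs (vIDM and browsers match against the SAN list, not the CN), and /etc/hosts was rewritten the way vami_set_hostname shows. The script below is an added example, not part of the original post and not VMware tooling; it assumes the names from the lab (vrslcm.vmw.local as the deployed name, lcm-sso.vmw.local as the CNAME) and a PEM copy of the appliance certificate, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): post-change checks for the
# vRSLCM CNAME procedure. Assumes openssl on the PATH and a PEM certificate
# file; hostnames below are the lab names used in the post.

# List the DNS Subject Alternative Names of a PEM certificate, one per line.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Succeed only if every hostname given after the certificate path is a DNS SAN.
# Both the deployed hostname and the CNAME must be present so that SSO
# works over either name.
cert_covers_names() {
    cert="$1"; shift
    sans=$(cert_dns_sans "$cert")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "$name" || {
            echo "missing SAN: $name" >&2
            return 1
        }
    done
    return 0
}

# Succeed if an /etc/hosts-style file maps 127.0.0.1 to both the FQDN and
# the short name, which is what vami_set_hostname writes (see the post).
hosts_file_maps_loopback() {
    file="$1"; fqdn="$2"; short="${fqdn%%.*}"
    for name in "$fqdn" "$short"; do
        awk -v n="$name" '$1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                          END { exit !found }' "$file" || return 1
    done
}

# Run all checks on the appliance itself: hostname, certificate file, /etc/hosts.
# Usage: check_vrslcm_cname lcm-sso.vmw.local vrslcm.vmw.local /path/to/cert.pem
check_vrslcm_cname() {
    cname="$1"; deployed="$2"; cert="$3"
    [ "$(hostname)" = "$cname" ] || { echo "hostname is not $cname" >&2; return 1; }
    cert_covers_names "$cert" "$deployed" "$cname" || return 1
    hosts_file_maps_loopback /etc/hosts "$cname" || { echo "/etc/hosts not updated" >&2; return 1; }
    echo "vRSLCM is ready to be re-registered with vIDM as $cname"
}
```

To check the certificate the appliance actually serves rather than a file on disk, export it first with `openssl s_client -connect lcm-sso.vmw.local:443 -servername lcm-sso.vmw.local </dev/null 2>/dev/null | openssl x509 > cert.pem` and pass that file to `check_vrslcm_cname`. Only when all three checks pass does re-registering with vIDM produce a Redirect URI based on the CNAME.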

And finally we need to re-register vRSLCM with vIDM so that the new Redirect URI, based on the CNAME, is put in place.

Notice the change!

You can now use your vRSLCM instance based on the CNAME. Enjoy!

Marco Baaijen
