WilliamLam.com


PowerCLI Module for managing vCenter Single Sign-On (SSO)

10.05.2020 by William Lam // 18 Comments

A few years back I submitted a PowerCLI Feature Request (PCLI-44) via the public PowerCLI Ideas platform requesting a PowerCLI module that would support vCenter Single Sign-On (SSO) administrative functionality such as managing SSO users, groups, password and lockout policies, and identity sources.

This was one of the most popular Ideas voted on by the PowerCLI community, which also stressed the need for this functionality, something I ran into regularly in the automation I was writing. In the past I have written numerous blog articles on working around this limitation: the vCenter SSO Admin APIs were not publicly exposed, but by leveraging the Guest Operations API one could still automate various SSO operations using the SSO CLIs included in the vCenter Server Appliance (VCSA).

Today, I received a notification from the PowerCLI Ideas platform that this feature was marked "Shipped", and it looks like the PowerCLI team has just released an open source module called VMware.vSphere.SsoAdmin that includes the following 28 cmdlets:

  • Add-ActiveDirectoryIdentitySource
  • Add-GroupToSsoGroup
  • Add-LDAPIdentitySource
  • Add-UserToSsoGroup
  • Connect-SsoAdminServer
  • Disconnect-SsoAdminServer
  • Get-IdentitySource
  • Get-SsoAuthenticationPolicy
  • Get-SsoGroup
  • Get-SsoLockoutPolicy
  • Get-SsoPasswordPolicy
  • Get-SsoPersonUser
  • Get-SsoTokenLifetime
  • New-SsoGroup
  • New-SsoPersonUser
  • Remove-GroupFromSsoGroup
  • Remove-IdentitySource
  • Remove-SsoGroup
  • Remove-SsoPersonUser
  • Remove-UserFromSsoGroup
  • Set-LDAPIdentitySource
  • Set-SsoAuthenticationPolicy
  • Set-SsoGroup
  • Set-SsoLockoutPolicy
  • Set-SsoPasswordPolicy
  • Set-SsoPersonUser
  • Set-SsoSelfPersonUserPassword
  • Set-SsoTokenLifetime

To get started with the new PowerCLI SSO Module, take a look at the instructions below.

Pre-Req:

  • PowerShell 5.1 (or newer) + PowerCLI 12.0 Installed

Step 1 - Clone using the git command-line or download the PowerCLI Example Repo (https://github.com/vmware/PowerCLI-Example-Scripts) to your local system

Step 2 - Change into the modules/VMware.vSphere.SsoAdmin directory and then import SSO module using:

Import-Module ./VMware.vSphere.SsoAdmin.psd1

Step 3 - Use Connect-SsoAdminServer to connect to your vCenter Server. If you have a self-signed certificate, you will need to pass in the -SkipCertificateCheck parameter. Keep in mind that this switch disables TLS certificate validation entirely, so only use it against a lab endpoint you trust, and that a password passed in cleartext on the command line as below is written to your PowerShell command history.

Connect-SsoAdminServer -Server vcsa.primp-industries.com -User *protected email* -Password VMware1! -SkipCertificateCheck


Once connected, you can start using any of the SSO cmdlets. Here is an example retrieving the SSO password and lockout policies:

Get-SsoPasswordPolicy
Get-SsoLockoutPolicy


Here is an example of creating a new SSO user, retrieving it, and then removing it again:

New-SsoPersonUser -User lamw -Password 'MyStrongPa$$w0rd' -EmailAddress '*protected email*' -FirstName 'William' -LastName 'Lam'
Get-SsoPersonUser -Name lamw -Domain vsphere.local
Remove-SsoPersonUser -User (Get-SsoPersonUser -Name lamw -Domain vsphere.local)


To disconnect from the SSO endpoint, you will need to run the following command:

Disconnect-SsoAdminServer -Server $Global:DefaultSsoAdminServers[0]

I was hoping Disconnect-SsoAdminServer would work like the other PowerCLI disconnect functions, which accept * (asterisk), but it looks like it expects a specific endpoint. I have already filed a feature enhancement, as this is how I normally disconnect 🙂
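As an added example (this is not code from the original post, nor from the VMware.vSphere.SsoAdmin module's own documentation), here is the whole procedure above put together into one script: connect without leaving the administrator password in the command history, audit the live password and lockout policies against a hardening baseline, provision a service account and add it to an SSO group, then disconnect. The server name, the svc-backup account, the BackupOperators group and all baseline values are assumptions; the policy property names and the Add-UserToSsoGroup parameter names are what the module exposes as far as I know, but confirm them on your build with Get-SsoPasswordPolicy | Format-List * and Get-Help Add-UserToSsoGroup before relying on them.

```powershell
# Added example, not code from the original post or from the VMware.vSphere.SsoAdmin module.
# Assumes the module has already been imported from the cloned repo (Step 2 above).
# Server, account, group and baseline values below are placeholders.

$SsoServer = 'vcsa.primp-industries.com'   # assumed lab vCenter, as in the post

# Prompting keeps the administrator password out of the PowerShell history file that
# PSReadLine writes to disk (a literal -Password 'VMware1!' would land there verbatim).
$Cred = Get-Credential -Message "SSO administrator for $SsoServer"
Connect-SsoAdminServer -Server $SsoServer `
    -User $Cred.UserName `
    -Password $Cred.GetNetworkCredential().Password `
    -SkipCertificateCheck        # lab only: this disables TLS certificate validation

# Hardening baseline. Property names are those on the objects returned by
# Get-SsoPasswordPolicy / Get-SsoLockoutPolicy (assumed; verify with Format-List *).
# Each rule states which direction is "stronger" so the comparison is explicit.
# ZeroIsUnlimited marks settings where 0 means "never", which must count as a failure
# rather than trivially satisfying a "less than or equal" check.
$Baseline = @(
    @{ Source = 'Password'; Property = 'MinLength';                        Op = 'ge'; Value = 15 }
    @{ Source = 'Password'; Property = 'ProhibitedPreviousPasswordsCount'; Op = 'ge'; Value = 5 }
    @{ Source = 'Password'; Property = 'PasswordLifetimeDays';             Op = 'le'; Value = 90; ZeroIsUnlimited = $true }
    @{ Source = 'Lockout';  Property = 'MaxFailedAttempts';                Op = 'le'; Value = 5 }
    @{ Source = 'Lockout';  Property = 'FailedAttemptIntervalSec';         Op = 'ge'; Value = 180 }
    @{ Source = 'Lockout';  Property = 'AutoUnlockIntervalSec';            Op = 'ge'; Value = 900 }
)

function Test-SsoPolicyBaseline {
    # Returns one row per rule with the live value and a Pass/FAIL verdict.
    param(
        [Parameter(Mandatory)] $PasswordPolicy,
        [Parameter(Mandatory)] $LockoutPolicy,
        [Parameter(Mandatory)] [object[]] $Rules
    )
    foreach ($rule in $Rules) {
        $policy = if ($rule.Source -eq 'Password') { $PasswordPolicy } else { $LockoutPolicy }
        $actual = [int]$policy.($rule.Property)
        $ok = if ($rule.ZeroIsUnlimited -and $actual -eq 0) {
            $false
        } else {
            switch ($rule.Op) {
                'ge' { $actual -ge $rule.Value }
                'le' { $actual -le $rule.Value }
            }
        }
        [pscustomobject]@{
            Policy   = $rule.Source
            Setting  = $rule.Property
            Actual   = $actual
            Expected = "$($rule.Op) $($rule.Value)"
            Result   = if ($ok) { 'Pass' } else { 'FAIL' }
        }
    }
}

$Report = Test-SsoPolicyBaseline -PasswordPolicy (Get-SsoPasswordPolicy) `
                                 -LockoutPolicy (Get-SsoLockoutPolicy) `
                                 -Rules $Baseline
$Report | Format-Table -AutoSize
$Failures = @($Report | Where-Object Result -eq 'FAIL')
if ($Failures.Count -gt 0) {
    Write-Warning "$($Failures.Count) SSO policy setting(s) are below baseline"
}

# Provision a service account and grant it group membership. The account name and the
# group are assumptions; the group lookup mirrors the post's own Get-SsoGroup usage.
$SvcSecure   = Read-Host -AsSecureString -Prompt 'Initial password for svc-backup'
$SvcPassword = [System.Net.NetworkCredential]::new('', $SvcSecure).Password
$SvcUser = New-SsoPersonUser -User 'svc-backup' -Password $SvcPassword `
    -FirstName 'Backup' -LastName 'Automation'
$Group = Get-SsoGroup -Name 'BackupOperators' -Domain 'vsphere.local'   # assumed existing group
Add-UserToSsoGroup -User $SvcUser -TargetGroup $Group

# Verify the account exists before handing it to whatever will use it.
Get-SsoPersonUser -Name 'svc-backup' -Domain 'vsphere.local'

Disconnect-SsoAdminServer -Server $Global:DefaultSsoAdminServers[0]
```

The baseline table is deliberately data rather than code so the same check can be run unchanged against every vCenter in an environment; rules carry their own comparison direction because "stronger" is not the same direction for every setting (a shorter password lifetime is better, a longer lockout interval is better). If Get-SsoGroup fails against vsphere.local on your build, as one commenter below reports, the provisioning half of the script will stop at that lookup rather than create an orphaned account.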

For detailed documentation on each cmdlet, simply use the Get-Help cmdlet and specify the name of the cmdlet to get more information. If you have been waiting for this functionality in PowerCLI, be sure to give this a try and hopefully, with positive feedback, we may see this module as part of the official PowerCLI release in the future!


Categories // Automation, PowerCLI, vSphere Tags // PowerCLI, sso

Comments

  1. Christian says

    10/08/2020 at 2:22 am

    Is there any way to update the Password for the Service Account in the LDAPS Identity Source via commandline / PowerCLI?

    Reply
  2. Alexandre Costa says

    12/11/2020 at 5:42 am

    Working well for me! Thanks a lot

    Reply
  3. Peter Anderson says

    01/04/2021 at 7:08 am

    Is there a way to add an SSO Identity Source which uses LDAPS and therefore requires a certificate? I don't see any way to add a certificate.

    Thanks for all of the work on this.

    Reply
    • William Lam says

      01/04/2021 at 7:52 am

      If you don’t see it as an option, probably not. You can always file feature request on GitHub

      Reply
    • Peter Anderson says

      01/04/2021 at 8:29 am

      Actually, looking at it closer, it seems like this is adding it to AD instead of what I want which is adding AD as an LDAP source. Is that correct?

      Reply
      • Peter Anderson says

        01/04/2021 at 8:30 am

        I'll put in a feature request. Thanks for the info.

        Reply
  4. Kevin Scurlock says

    01/06/2021 at 5:18 am

    This is something I've been wanting for a very long time... so thank you!

    Can you tell me if there's a way to manage group in a similar fashion? For example, I'd like to add an SSO user to the Administrators group. Right now I'm having to do it via an SSH session into vCenter as so:

    /usr/lib/vmware-vmafd/bin/dir-cli group modify --name Administrators --add *protected email*

    Reply
  5. marlon says

    02/19/2021 at 3:20 pm

    Is there a way to get all the super admin, operation and administrator accounts using PowerCLI and check the password last set?

    Reply
  6. vmware says

    04/18/2023 at 2:34 pm

    Working on vSphere 7 version too. But I can only use *protected email* account. If I use other user account Get-SsoPasswordPolicy works but Get-SsoLockoutPolicy does not.

    Reply
    • vmware says

      04/18/2023 at 2:35 pm

      But I can only use the administrator@vsphere.local account

      Reply
  7. Steff says

    06/06/2023 at 2:22 am

    Maybe you could help.
    Via PowerCLI I am connected to my vCenter. In this context I need to connect to LDAP, but only in this context, because only this machine has access to AD, not my own PC. Is it possible?

    Reply
  8. Ralph says

    07/14/2023 at 4:38 am

    Hello !

    Get-SsoGroup seems not to work with domain vsphere.local,
    tried this with vcenter 6.7 and vcenter 7.0. Getting an exception:

    Get-SsoGroup -Name administrators -Domain vsphere.local
    Get-SsoGroup : Idm client exception: null
    At line:1 char:1
    + Get-SsoGroup -Name administrators -Domain vsphere.local
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-SsoGroup

    Get-SsoGroup -Domain vsphere.local gives the same result,
    while Get-SsoGroup -Domain localos works fine.

    Any hints ?
    Regards, Ralph

    Reply
    • greedj says

      04/12/2024 at 1:18 pm

      I used this module to create LDAPS sources on a vCenter that is linked to 7 other via ELM. It created the LDAPS entry on the targeted vCenter (01) but it somehow breaks SSO DB replication to the others in its replication partner list in the process, some sort of corruption. Using the GUI does not appear to break anything.
      vCenter 7.0.3.01700

      Reply
  9. Mario Grunert says

    04/22/2024 at 1:41 am

    None of these Commandlets allow me to list Users and their membership in groups or which group map to which role. We need to report users and their rights somehow and fail to get this in any way automated. Any suggestion ?

    Reply
    • William Lam says

      04/22/2024 at 8:27 am

      If these are vCenter Server roles, you need to use Get-VIPermission cmdlets (shipped as part of PowerCLI)

      Reply
  10. John White says

    10/09/2024 at 2:12 pm

    Is this really the only PowerCLI way to remove an SSO user? 🙁

    The fact that Get-VIAccount exists but the Remove/Delete/Set counterparts don't really grinds my gears.

    Reply
    • William Lam says

      10/09/2024 at 5:42 pm

      You can use dir-cli (https://williamlam.com/2015/05/vcenter-server-6-0-tidbits-part-9-creating-managing-sso-users-using-dir-cli.html) but most users want remote invocation and PCLI module makes that easier 🙂

      Reply
  11. Wolficool says

    03/18/2025 at 3:26 pm

    It looks like something has changed. In the past I could create new SSO users.

    No cmdlet is working anymore. Tested on vCenter 7 and 8.

    for example:
    New-SsoPersonUser -User lamw -Password 'MyStrongPa$$w0rd'
    New-SsoPersonUser : One or more errors occurred.
    At line:1 char:1
    + New-SsoPersonUser -User lamw -Password 'MyStrongPa$$w0rd'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-SsoPersonUser

    Get-SsoPersonUser -Name "automation"
    Get-SsoPersonUser : One or more errors occurred.
    At line:1 char:1
    + Get-SsoPersonUser -Name "xauto"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-SsoPersonUser

    I am connected to vCenter with Connect-SsoAdminServer.

    Any suggestions why these are not working now?

    I have no other option to automatically add a new SSO user, for example.

    Reply

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Copyright WilliamLam.com © 2025

 
