A few years back I submitted a PowerCLI Feature Request (PCLI-44) via the public PowerCLI Ideas platform, requesting a PowerCLI module that would support vCenter Single Sign-On (SSO) administrative functionality such as managing SSO Users, Groups, Password and Lockout Policies, and Identity Sources.
This was one of the most-voted Ideas in the PowerCLI community, which also underlined the need for such functionality; it is something I came across regularly in the automation I was writing. In the past, I have written numerous blog articles on working around this limitation: since the vCenter SSO Admin APIs were not available in PowerCLI, one could still automate various SSO operations by leveraging the Guest Operations API to drive the SSO CLIs that are included within the vCenter Server Appliance (VCSA).
Today, I received a notification from the PowerCLI Ideas platform that this feature is marked as "Shipped", and it looks like the PowerCLI team has just released an open source module called VMware.vSphere.SsoAdmin that includes the following 12 cmdlets:
To get started with the new PowerCLI SSO Module, take a look at the instructions below.
- PowerShell 5.1 (or newer) + PowerCLI 12.0 Installed
Step 1 - Clone using git command-line or download the PowerCLI Example Repo to your local system
Step 2 - Change into the modules/VMware.vSphere.SsoAdmin directory and then import SSO module using:
Step 3 - Use the Connect-SsoAdminServer cmdlet to connect to your vCenter Server. If your vCenter Server uses a self-signed certificate, you will need to pass in the -SkipCertificateCheck parameter:
Connect-SsoAdminServer -Server vcsa.primp-industries.com -User *protected email* -Password VMware1! -SkipCertificateCheck
Once connected, you can start using any of the SSO cmdlets. Here is an example retrieving the SSO Password and Lockout Policies:
Here is an example of creating a new SSO User and then r
New-SsoPersonUser -User lamw -Password 'MyStrongPa$$w0rd' -EmailAddress '*protected email*' -FirstName 'William' -LastName 'Lam'
Get-SsoPersonUser -Name lamw -Domain vsphere.local
Remove-SsoPersonUser -User (Get-SsoPersonUser -Name lamw -Domain vsphere.local)
To disconnect from the SSO endpoint, you will need to run the following command:
Disconnect-SsoAdminServer -Server $Global:DefaultSsoAdminServers
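As an added example (not code from the original post or from the PowerCLI team), the script below strings the cmdlets used in steps 1 to 3 into one re-runnable workflow: connect without putting the administrator password on the command line, audit the SSO password and lockout policies against a baseline, create a user only if it does not already exist, and always disconnect. It assumes that Connect-SsoAdminServer accepts a -Credential parameter (the post only shows -User/-Password), that the policy objects expose the property names MinLength, PasswordLifetimeDays, MaxFailedAttempts and AutoUnlockIntervalSec, and that the object returned by Get-SsoPersonUser has a Name property; the hostname, account name and baseline values are placeholders.

```powershell
# Added example, not code from the original post or the PowerCLI team.
# Assumptions (not confirmed by the post):
#  - Connect-SsoAdminServer accepts -Credential. If your module build only
#    offers -User/-Password, use:
#    Connect-SsoAdminServer -Server $Server -User $cred.UserName -Password $cred.GetNetworkCredential().Password
#  - Policy property names (MinLength, PasswordLifetimeDays, MaxFailedAttempts,
#    AutoUnlockIntervalSec) match the module's output; verify with
#    "Get-SsoPasswordPolicy | Format-List *" and adjust if they differ.
#  - The object returned by Get-SsoPersonUser has a Name property.
param(
    [string] $Server   = 'vcsa.example.com',   # placeholder hostname
    [string] $UserName = 'svc-backup',         # constructed sample account
    [string] $Domain   = 'vsphere.local'
)

Import-Module .\VMware.vSphere.SsoAdmin.psd1 -ErrorAction Stop

# Baseline values are illustrative; set them to your own standard.
$Baseline = @{
    MinPasswordLength    = 12
    MaxPasswordLifetime  = 90     # days
    MaxFailedAttempts    = 5
    AutoUnlockMinimumSec = 900
}

function Test-SsoPolicyBaseline {
    # Compares the retrieved policies with the baseline and returns one
    # finding string per deviation (an empty array means compliant).
    param(
        [Parameter(Mandatory)] $PasswordPolicy,
        [Parameter(Mandatory)] $LockoutPolicy,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $findings = @()
    if ($PasswordPolicy.MinLength -lt $Baseline.MinPasswordLength) {
        $findings += "Password MinLength is $($PasswordPolicy.MinLength); baseline requires at least $($Baseline.MinPasswordLength)"
    }
    if ($PasswordPolicy.PasswordLifetimeDays -gt $Baseline.MaxPasswordLifetime) {
        $findings += "PasswordLifetimeDays is $($PasswordPolicy.PasswordLifetimeDays); baseline allows at most $($Baseline.MaxPasswordLifetime)"
    }
    if ($LockoutPolicy.MaxFailedAttempts -gt $Baseline.MaxFailedAttempts) {
        $findings += "Lockout MaxFailedAttempts is $($LockoutPolicy.MaxFailedAttempts); baseline allows at most $($Baseline.MaxFailedAttempts)"
    }
    if ($LockoutPolicy.AutoUnlockIntervalSec -lt $Baseline.AutoUnlockMinimumSec) {
        $findings += "AutoUnlockIntervalSec is $($LockoutPolicy.AutoUnlockIntervalSec); baseline requires at least $($Baseline.AutoUnlockMinimumSec)"
    }
    return $findings
}

function Confirm-SsoPersonUser {
    # Returns the existing user if present, otherwise creates it (idempotent).
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $FirstName, [string] $LastName, [string] $EmailAddress
    )
    $existing = Get-SsoPersonUser -Name $Name -Domain $Domain -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $Name }
    if ($existing) {
        Write-Verbose "User $Name@$Domain already exists; not creating"
        return $existing
    }
    # New-SsoPersonUser takes a plain-text password (as in the post); unwrap the
    # SecureString only at the call site rather than keeping it in a variable.
    return New-SsoPersonUser -User $Name `
        -Password ([System.Net.NetworkCredential]::new('', $Password).Password) `
        -FirstName $FirstName -LastName $LastName -EmailAddress $EmailAddress
}

# Prompt for the administrator credential instead of embedding it in the
# command line, where it would land in shell history and transcripts.
$cred = Get-Credential -Message "SSO administrator for $Server"
# Add -SkipCertificateCheck only for a self-signed lab certificate (step 3).
$sso = Connect-SsoAdminServer -Server $Server -Credential $cred -ErrorAction Stop
try {
    $findings = Test-SsoPolicyBaseline -PasswordPolicy (Get-SsoPasswordPolicy) `
                                       -LockoutPolicy  (Get-SsoLockoutPolicy) `
                                       -Baseline $Baseline
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
    else           { Write-Host 'SSO password and lockout policies meet the baseline' }

    $newPassword = Read-Host -AsSecureString -Prompt "Password for $UserName@$Domain"
    Confirm-SsoPersonUser -Name $UserName -Domain $Domain -Password $newPassword `
        -FirstName 'Backup' -LastName 'Service' -EmailAddress "$UserName@example.com" |
        Format-List
}
finally {
    # Disconnect the specific connection object returned by Connect-SsoAdminServer;
    # the cmdlet expects a concrete endpoint rather than '*'.
    Disconnect-SsoAdminServer -Server $sso
}
```

The try/finally ensures the SSO session is closed even when a policy lookup or user creation fails, and the baseline check is deliberately read-only: it reports deviations for a human to act on rather than calling the Set- cmdlets itself.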
I was hoping Disconnect-SsoAdminServer worked like other PowerCLI disconnect functions, which accept * (asterisk), but it looks like it expects a specific endpoint. I have already filed a feature enhancement, as this is how I normally disconnect 🙂
For detailed documentation on each cmdlet, simply use Get-Help and specify the name of the cmdlet. If you have been waiting for this functionality in PowerCLI, be sure to give this a try, and hopefully, with positive feedback, we may see this module become part of the official PowerCLI release in the future!
Is there any way to update the password for the service account in the LDAPS Identity Source via the command line / PowerCLI?
Alexandre Costa says
Working well for me! Thanks a lot
Peter Anderson says
Is there a way to add an SSO Identity Source which uses LDAPS and therefore requires a certificate? I don't see any way to add a certificate.
Thanks for all of the work on this.
William Lam says
If you don't see it as an option, probably not. You can always file a feature request on GitHub.
Peter Anderson says
Actually, looking at it closer, it seems like this is adding it to AD instead of what I want which is adding AD as an LDAP source. Is that correct?
Peter Anderson says
I'll put in a feature request. Thanks for the info.
Kevin Scurlock says
This is something I've been wanting for a very long time... so thank you!
Can you tell me if there's a way to manage group in a similar fashion? For example, I'd like to add an SSO user to the Administrators group. Right now I'm having to do it via an SSH session into vCenter as so:
/usr/lib/vmware-vmafd/bin/dir-cli group modify --name Administrators --add *protected email*
Is there a way to get all the super admin, operation and administrator accounts using PowerCLI and check when the password was last set?
Working on the vSphere 7 version too. But I can only use the *protected email* account. If I use another user account, Get-SsoPasswordPolicy works but Get-SsoLockoutPolicy does not.
But I can only use the administrator@vsphere.local account.