Integrating Orchestrator into the vCenter Web Client enables vCenter Server users to directly run Orchestrator workflows just by right-clicking vCenter objects. The vRA-integrated Orchestrator is already configured with the SSO that vRA uses.
vCO 5.5 (and higher) requires an SSO server 5.5; it won't work with an SSO 5.1 server.
We need an up-and-running Orchestrator as well as access to vCenter Web Client.
Make sure that you set the Orchestrator Network configuration (see the Configuring the network section in the Important Orchestrator base configurations recipe).
You should be comfortable with using one of the methods described in the Two ways to configure Orchestrator recipe.
You should have an AD group for your vCOAdministrators with at least one user in it. You can use the precreated SSO group [email protected]. The account [email protected] is a member of this group.
Again, both configuration methods are shown. Choose the one you're most comfortable with.
If you are using the Orchestrator installation that came with vCenter, you can skip this step.
Click on the Network section and then on SSL Trust Manager.
Enter [IP or FQDN of SSO server]:7444 as the URL and click on Import.
Acknowledge the import by clicking on Import.
Repeat steps 2 to 4 and register the SSL certificate for vCenter with port 443.
Click on the Authentication section.
Select the authentication mode as SSO Authentication.
Enter the SSO server FQDN.
Enter an SSO administrative user (for example, [email protected]).
Click on Register Orchestrator.
Select from the drop-down menu the group you would like to use for Orchestrator administrators.
Click on Accept Orchestrator Configuration.
Navigate to Library | Configuration | SSL Trust Manager.
Right-click on the Import a certificate from URL workflow and select Start Workflow.
Enter [IP or FQDN of SSO server]:7444 as the URL.
Select Yes to accept the SSL Certificate even if there are warnings and click on Submit.
Wait till the workflow has successfully finished.
Navigate to Library | Configuration | Authentication | SSO.
Right-click on the workflow Configure SSO and select Start Workflow.
Enter [IP or FQDN of SSO server]:7444 as the URL.
Enter an SSO administrative user (for example, [email protected]).
Enter the SSO Admin Group (ignore if it says domain/group). The existing SSO default group is called VCOAdministrators (case-sensitive).
Click on Submit and wait until the workflow is completed successfully.
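Both methods above import whatever certificate the SSO server (port 7444) and vCenter (port 443) present, even if there are warnings. The following added example (not part of the original recipe) compares the SHA-256 fingerprint each endpoint presents with one obtained out-of-band before you import it. The host names and pinned fingerprints are placeholders, and the certificate bytes in the demo are constructed so that it runs offline.

```python
import hashlib
import socket
import ssl


def normalize(fp):
    """Drop separators and case so 'AB:CD' and 'abcd' compare equal."""
    return fp.replace(":", "").replace(" ", "").lower()


def sha256_fingerprint(der):
    """SHA-256 over the DER encoding, the value certificate viewers display."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host, port, timeout=5.0):
    """Return the leaf certificate host:port presents, as DER bytes.

    Validation is off on purpose: nothing is trusted yet, we only need the
    bytes so they can be compared with the out-of-band fingerprint.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_endpoints(pins, fetch=fetch_der):
    """pins maps (host, port) to the expected fingerprint; returns (host, port) -> bool."""
    results = {}
    for (host, port), expected in pins.items():
        try:
            der = fetch(host, port)
            results[(host, port)] = sha256_fingerprint(der) == normalize(expected)
        except OSError:  # unreachable host or failed handshake: do not import
            results[(host, port)] = False
    return results


if __name__ == "__main__":
    # Constructed stand-ins for DER bytes so the demo runs offline; the host
    # names are placeholders. Drop the fetch= argument to query real servers.
    served = {("sso.example.test", 7444): b"constructed SSO certificate",
              ("vcenter.example.test", 443): b"constructed vCenter certificate"}
    pins = {("sso.example.test", 7444): sha256_fingerprint(b"constructed SSO certificate"),
            ("vcenter.example.test", 443): "00:" * 31 + "00"}
    for endpoint, ok in check_endpoints(pins, lambda h, p: served[(h, p)]).items():
        print(endpoint, "matches, safe to import" if ok else "MISMATCH, do not import")
```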
The integration of Orchestrator with vCenter Web Client requires us to also configure the vCenter Server plugin.
Navigate to Library | vCenter | Configuration.
Right-click on the Add a vCenter Server instance workflow and select Start Workflow.
Enter your vCenter FQDN.
Select that you would like to orchestrate this instance as well and that you would like to accept SSL certificates even if they are self-signed.
Click on Next.
Enter a vCenter Server administrative user and the password.
You can define a domain name, or leave it empty. Click on Submit.
In the Web Client only one Orchestrator Server can be paired to each vCenter Server. To configure the pairing, follow these steps:
Open vSphere Web Client.
Click on vCenter Orchestrator and then on Manage.
Mark vCenter Server and click on Edit Configuration.
The server that you have integrated should show up in the Registered as VC extension selection. If this is not the case, you can try to enter its FQDN or IP.
Click on Test Connection and make sure it works. If it doesn't, this indicates that the integration hasn't worked correctly.
Click on OK.
Since vCenter Server 5.1, vSphere Web Client is (or better, should be) the main method for accessing vCenter. Orchestrator completely integrates with vSphere Web Client, making it possible for Orchestrator workflows to be executed directly from vSphere Web Client.
You can configure which workflows can be run from the vSphere Web Client. We will discuss this configuration in detail in the Orchestrator and vSphere Web Client recipe in Chapter 5, Basic Orchestrator Operations.
Using SSO for Orchestrator login requires that you log in to Orchestrator Client or vSphere Web Client using a user that is a member of the group you defined as vCOAdmins. If you used the [email protected] group, you can add other SSO and AD groups or users to this group via the SSO group membership configuration.