Automating the creation and management of vCenter Single Sign-On (SSO) users was not possible in prior releases of vSphere; the operation had to be performed manually using the vSphere Web Client.

With vSphere 6.0, you can now easily create and manage SSO users using a new command-line utility called dir-cli, which is included with the Platform Services Controller (PSC). Below are the paths to the dir-cli utility on both the Windows VC and the VCSA.

Windows VC 6.0:

  • C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe

VCSA 6.0:

  • /usr/lib/vmware-vmafd/bin/dir-cli

Below are a few examples of using the dir-cli command; you can find more information in the vSphere 6.0 Documentation here. If you wish to automate dir-cli operations without being prompted for the SSO Administrator password, specify it with the --password option. Be aware that a password passed this way is part of the command line, so it can show up in the process list and in shell history; in scripts, read it from a protected file or environment variable rather than hardcoding it. You can also authenticate as a different SSO administrator account by specifying the --login option.

Creating a new SSO user:

/usr/lib/vmware-vmafd/bin/dir-cli user create --account william --first-name william --last-name lam --user-password 'VMware1!'

Adding the new user to the SSO group called "Administrators":

/usr/lib/vmware-vmafd/bin/dir-cli group modify --name Administrators --add william

List users in an SSO group:

/usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators

Reset the password for an SSO user:

/usr/lib/vmware-vmafd/bin/dir-cli password reset --account william --new 'VMware1!!'
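
The following POSIX shell script is an added example, not code from the original post or from VMware. It strings the dir-cli calls above together into an idempotent provisioning step: check whether the account exists, create it only if it is missing, add it to the group only if it is not already a member, and then re-read the group to confirm the result. It assumes (none of this is stated on the page) that the dir-cli path can be overridden through a DIRCLI variable, that the SSO administrator password comes from the SSO_ADMIN_PASSWORD environment variable, that the default admin login is "administrator", that `dir-cli user find-by-name` exits non-zero for an unknown account, and that `dir-cli group list` prints one member per line with the account name somewhere on that line.

```shell
#!/bin/sh
# Added example: idempotent SSO user provisioning built on the dir-cli calls above.
# Not code from the original post or from VMware. Assumptions (not stated on the page):
#  - DIRCLI can be overridden (e.g. to point at a test double); default is the VCSA path.
#  - The SSO admin password is read from SSO_ADMIN_PASSWORD rather than hardcoded.
#  - `dir-cli user find-by-name` exits non-zero when the account does not exist.
#  - `dir-cli group list` prints one member per line with the account name in it.

DIRCLI="${DIRCLI:-/usr/lib/vmware-vmafd/bin/dir-cli}"
SSO_ADMIN_LOGIN="${SSO_ADMIN_LOGIN:-administrator}"   # assumed default admin login

# Wrapper so every call runs non-interactively (--login/--password, as described above).
# Caveat: dir-cli takes the password on the command line, so it is visible in the
# process list for the duration of the call; never hardcode it in the script.
dircli() {
    if [ -z "$SSO_ADMIN_PASSWORD" ]; then
        echo "SSO_ADMIN_PASSWORD is not set" >&2
        return 2
    fi
    "$DIRCLI" "$@" --login "$SSO_ADMIN_LOGIN" --password "$SSO_ADMIN_PASSWORD"
}

# Exit 0 if the account exists in the SSO domain, non-zero otherwise.
sso_user_exists() {
    dircli user find-by-name --account "$1" >/dev/null 2>&1
}

# Exit 0 if account $2 is listed as a member of group $1 (whole-word, case-insensitive,
# so "william" matches both "william@vsphere.local" and "CN=william,CN=Users,...").
sso_group_has_member() {
    dircli group list --name "$1" 2>/dev/null | grep -qiw -- "$2"
}

# Create the user if it is missing, add it to the group if it is not a member yet,
# then re-read the group to confirm the membership instead of trusting exit codes alone.
# Arguments: account first-name last-name user-password group
sso_ensure_user_in_group() {
    account="$1" first="$2" last="$3" userpw="$4" group="$5"
    if sso_user_exists "$account"; then
        echo "user $account: exists"
    else
        dircli user create --account "$account" --first-name "$first" \
            --last-name "$last" --user-password "$userpw" >/dev/null || return 1
        echo "user $account: created"
    fi
    if sso_group_has_member "$group" "$account"; then
        echo "group $group: $account already a member"
    else
        dircli group modify --name "$group" --add "$account" >/dev/null || return 1
        echo "group $group: added $account"
    fi
    sso_group_has_member "$group" "$account"
}

# Usage on a VCSA (the new user's password also comes from the environment, not argv):
#   SSO_ADMIN_PASSWORD='...' SSO_USER_PASSWORD='VMware1!' \
#     sh sso_provision.sh william william lam Administrators
if [ "$#" -eq 4 ]; then
    sso_ensure_user_in_group "$1" "$2" "$3" "$SSO_USER_PASSWORD" "$4"
fi
```

Running the script twice for the same account is safe: the second run reports the user and membership as already present and changes nothing. Both passwords stay out of argv of the script itself, but the dir-cli child processes still receive them on their command line, which is the limitation the --password caveat above describes.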


vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli

  1. William, thanks for this, helped immensely. Upon further Googling, there’s a VMware document here:

    This contains the line in reference to the dir-cli command: “Use this command only during prototyping”. Are there going to be any differences between a user created via the GUI vs the CLI, or is there another reason for VMware to include this warning?

    • I would like to know if it is possible, after I create new SSO users, to add that user to an existing Role instead of a Group. I was searching for a command similar to the one provided for the group but I was unable to find a role parameter in dir-cli.
      I have also tried in PowerCLI (get folder xxxx | NewVIPermissions -Role YYYYY -Principal 'user') and got an error that NewVIPermissions is not recognized.
      Any suggestion on what I could try?

  2. Without having tried it yet, I would like to ask whether it is possible to use this to add AD users to SSO groups, for an ID source that is already configured?

    • I would like to know if this is possible as well. I have my domain Identity source available; however, I cannot use the dir-cli command to add an AD user to a vSphere group.

  3. Thanks William. Is there a way to add a user to the vsphere.local or localos domain on the PSC via API? Is it possible in 6.5? If yes, can you point me to the APIs I need to look at.

