
# **************************************************************************
# Copyright 2020 VMware, Inc.
# **************************************************************************

# Script module for module 'VMware.vSphere.SsoAdmin'
# Latest strict mode: reading an unset variable is an error, so every $variable used below must be assigned first.
Set-StrictMode -Version Latest

# Manifest file name of the nested binary module that is imported below.
$moduleFileName = 'VMware.vSphere.SsoAdmin.psd1'

# Set up some helper variables to make it easier to work with the module
$PSModule = $ExecutionContext.SessionState.Module
$PSModuleRoot = $PSModule.ModuleBase

# Import the appropriate nested binary module based on the current PowerShell version
# Start from the module root; the edition check below narrows it to a per-runtime subfolder.
$subModuleRoot = $PSModuleRoot

# Any edition other than 'Desktop' (PowerShell Core) gets the netcoreapp3.1 build; Windows
# PowerShell, and versions whose $PSVersionTable has no PSEdition key at all, get the net45 build.
if (($PSVersionTable.Keys -contains "PSEdition") -and ($PSVersionTable.PSEdition -ne 'Desktop')) {
   $subModuleRoot = Join-Path -Path $PSModuleRoot -ChildPath 'netcoreapp3.1'
else {
   $subModuleRoot = Join-Path -Path $PSModuleRoot -ChildPath 'net45'

# The nested module path is derived only from this module's own ModuleBase, not from any
# caller-supplied value.
$subModulePath = Join-Path -Path $subModuleRoot -ChildPath $moduleFileName
# -PassThru keeps the PSModuleInfo so the OnRemove handler can unload exactly this module instance.
$subModule = Import-Module -Name $subModulePath -PassThru

# When the module is unloaded, remove the nested binary module that was loaded with it
$PSModule.OnRemove = {
   Remove-Module -ModuleInfo $subModule

# Internal helper functions
function HasWildcardSymbols {
   # Evaluates to $true when $stringToVerify is non-empty and contains a '*' or '?'
   # wildcard character, $false otherwise. Used by the Get-* cmdlets to decide whether a
   # -Name filter should be matched with -like (wildcard) or -eq (exact).
   (-not [string]::IsNullOrEmpty($stringToVerify) -and `
    ($stringToVerify -match '\*' -or `
     $stringToVerify -match '\?'))

function RemoveWildcardSymbols {
   if (-not [string]::IsNullOrEmpty($stringToProcess)) {
   } else {

function FormatError {
   # Normalizes $exception before the cmdlets report it via Write-Error (FormatError $_.Exception).
   # Only ONE level of InnerException is unwrapped here (a single if, not a loop), so a
   # more deeply nested root cause is still reported through its wrapper.
   if ($exception -ne $null) {
      if ($exception.InnerException -ne $null) {
         $exception = $exception.InnerException

      # result


# Global variables
# Session-wide list of SsoAdminServer connections. Every cmdlet in this module falls back to it
# when no -Server is given, and Connect-/Disconnect-SsoAdminServer add to and remove from it.
# NOTE(review): as a $global: variable it is readable and writable by any code in the session;
# whether the stored objects retain credentials is not visible here - confirm before dumping it.
$global:DefaultSsoAdminServers = New-Object System.Collections.Generic.List[VMware.vSphere.SsoAdminClient.DataTypes.SsoAdminServer]

# Module Advanced Functions Implementation

#region Connection Management
function Connect-SsoAdminServer {
   Created on: 9/29/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function establishes a connection to a vSphere SSO Admin server.
   .PARAMETER Server
   Specifies the IP address or the DNS name of the vSphere server to which you want to connect.
   Specifies the user name you want to use for authenticating with the server.
   .PARAMETER Password
   Specifies the password you want to use for authenticating with the server.
   The value is passed as an ordinary parameter, so it can be recorded in shell history and
   transcripts; prefer supplying it from a variable or a secret store rather than typing it inline.
   .PARAMETER SkipCertificateCheck
   Specifies whether server Tls certificate validation will be skipped
   When set, any certificate the server presents is accepted, so the server's identity is not
   verified. Intended for lab/test hosts only; for production, trust the server's CA instead.
   Connect-SsoAdminServer -Server my.vc.server -User myAdmin@vsphere.local -Password 'MyStrongPa$$w0rd'
   Connects 'myAdmin@vsphere.local' user to Sso Admin server 'my.vc.server'

      HelpMessage='IP address or the DNS name of the vSphere server')]

      HelpMessage='User name you want to use for authenticating with the server')]

      HelpMessage='Password you want to use for authenticating with the server')]

      HelpMessage='Skips server Tls certificate validation')]

   Process {
      # $null leaves certificate handling to the client library (presumably full validation).
      $certificateValidator = $null
      if ($SkipCertificateCheck) {
         # Accept-all validator: the TLS channel stays encrypted but the peer is unauthenticated.
         $certificateValidator = New-Object 'VMware.vSphere.SsoAdmin.Utils.AcceptAllX509CertificateValidator'

      $ssoAdminServer = $null
      try {
         $ssoAdminServer = New-Object `
            'VMware.vSphere.SsoAdminClient.DataTypes.SsoAdminServer' `
            -ArgumentList @(
      } catch {
         # Construction failed: report it and leave $ssoAdminServer $null so nothing is
         # output or registered below.
         Write-Error (FormatError $_.Exception)

      if ($ssoAdminServer -ne $null) {
         # Reuse an equal connection that is already registered in the session, ...
         $existingConnectionIndex = $global:DefaultSsoAdminServers.IndexOf($ssoAdminServer)
         if ($existingConnectionIndex -ge 0) {
            # NOTE(review): the freshly constructed object is discarded here without explicit
            # cleanup; whether it already holds a live session is not visible in this file - confirm.
            $ssoAdminServer = $global:DefaultSsoAdminServers[$existingConnectionIndex]
         } else {
            # ... otherwise register the new connection in $global:DefaultSsoAdminServers
            $global:DefaultSsoAdminServers.Add($ssoAdminServer) | Out-Null

         # Function Output
         Write-Output $ssoAdminServer

function Disconnect-SsoAdminServer {
    Created on: 9/29/2020
    Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function closes the connection to a vSphere SSO Admin server.
   .PARAMETER Server
   Specifies the vSphere SSO Admin systems you want to disconnect from
   $mySsoAdminConnection = Connect-SsoAdminServer -Server my.vc.server -User ssoAdmin@vsphere.local -Password 'ssoAdminStrongPa$$w0rd'
   Disconnect-SsoAdminServer -Server $mySsoAdminConnection
   Disconnects the SSO Admin connection stored in the 'mySsoAdminConnection' variable

         ValueFromPipeline = $true,
         ValueFromPipelineByPropertyName = $false,
         HelpMessage = 'SsoAdminServer object')]

   Process {
      if (-not $PSBoundParameters['Server']) {
         switch (@($global:DefaultSsoAdminServers).count) {
            { $_ -eq 1 } { $server = ($global:DefaultSsoAdminServers).ToArray()[0] ; break }
            { $_ -gt 1 } {
               Throw 'Connected to more than 1 SSO server, please specify a SSO server via -Server parameter'
            Default {
               Throw 'Not connected to SSO server.'

      foreach ($requestedServer in $Server) {
         if ($requestedServer.IsConnected) {

         if ($global:DefaultSsoAdminServers.Contains($requestedServer) -and $requestedServer.RefCount -eq 0) {
            $global:DefaultSsoAdminServers.Remove($requestedServer) | Out-Null

#region Person User Management
function New-SsoPersonUser {
   Created on: 9/29/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function creates new person user account.
   .PARAMETER UserName
   Specifies the UserName of the requested person user account.
   .PARAMETER Password
   Specifies the Password of the requested person user account.
   .PARAMETER Description
   Specifies the Description of the requested person user account.
   .PARAMETER EmailAddress
   Specifies the EmailAddress of the requested person user account.
   .PARAMETER FirstName
   Specifies the FirstName of the requested person user account.
   .PARAMETER LastName
   Specifies the LastName of the requested person user account.
   .PARAMETER Server
   Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
   If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
   $ssoAdminConnection = Connect-SsoAdminServer -Server my.vc.server -User ssoAdmin@vsphere.local -Password 'ssoAdminStrongPa$$w0rd'
   New-SsoPersonUser -Server $ssoAdminConnection -User myAdmin -Password 'MyStrongPa$$w0rd'
   Creates person user account with user name 'myAdmin' and password 'MyStrongPa$$w0rd'
   New-SsoPersonUser -User myAdmin -Password 'MyStrongPa$$w0rd' -EmailAddress 'myAdmin@mydomain.com' -FirstName 'My' -LastName 'Admin'
   Creates person user account with user name 'myAdmin', password 'MyStrongPa$$w0rd', and details against connections available in 'DefaultSsoAdminServers'

      HelpMessage='User name of the new person user account')]

      HelpMessage='Password of the new person user account')]

      HelpMessage='Description of the new person user account')]

      HelpMessage='EmailAddress of the new person user account')]

      HelpMessage='FirstName of the new person user account')]

      HelpMessage='LastName of the new person user account')]

      HelpMessage='Connected SsoAdminServer object')]

   Process {
      $serversToProcess = $global:DefaultSsoAdminServers.ToArray()
      if ($Server -ne $null) {
         $serversToProcess = $Server

      foreach ($connection in $serversToProcess) {
         if (-not $connection.IsConnected) {
            Write-Error "Server $connection is disconnected"

         # Output is the result of 'CreateLocalUser'
         try {
         } catch {
            Write-Error (FormatError $_.Exception)

function Get-SsoPersonUser {
   Created on: 9/29/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function gets person user account.
   Specifies Name to filter on when searching for person user accounts.
   .PARAMETER Domain
   Specifies the Domain in which search will be applied, default is 'localos'.
   .PARAMETER Server
   Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
   If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
   Get-SsoPersonUser -Name admin -Domain vsphere.local
   Gets person user accounts which contain name 'admin' in 'vsphere.local' domain

      HelpMessage='Name filter to be applied when searching for person user accounts')]

      HelpMessage='Domain name to search in, default is "localos"')]
   $Domain = 'localos',

      HelpMessage='Connected SsoAdminServer object')]

   Process {
      $serversToProcess = $global:DefaultSsoAdminServers.ToArray()
      if ($Server -ne $null) {
         $serversToProcess = $Server

      if ($Name -eq $null) {
         $Name = [string]::Empty

      try {
         foreach ($connection in $serversToProcess) {
            if (-not $connection.IsConnected) {
               Write-Error "Server $connection is disconnected"

            foreach ($personUser in $connection.Client.GetLocalUsers(
               (RemoveWildcardSymbols $Name),
               $Domain)) {

               if ([string]::IsNullOrEmpty($Name) ) {
                  Write-Output $personUser
               } else {
                  # Apply Name filtering
                  if ((HasWildcardSymbols $Name) -and `
                      $personUser.Name -like $Name) {
                      Write-Output $personUser
                  } elseif ($personUser.Name -eq $Name) {
                     # Exactly equal
                     Write-Output $personUser
      } catch {
         Write-Error (FormatError $_.Exception)

function Set-SsoPersonUser {
   Created on: 9/29/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   Updates person user account.
   Specifies the PersonUser instance to update.
   Specifies the Group you want to add the PersonUser to or remove it from.
   Specifies that the user will be added to the specified group.
   .PARAMETER Remove
   Specifies that the user will be removed from the specified group.
   .PARAMETER Unlock
   Specifies that the user account will be unlocked.
   .PARAMETER NewPassword
   Specifies new password for the specified user.
   Set-SsoPersonUser -User $myPersonUser -Group $myExampleGroup -Add -Server $ssoAdminConnection
   Adds $myPersonUser to $myExampleGroup
   Set-SsoPersonUser -User $myPersonUser -Group $myExampleGroup -Remove -Server $ssoAdminConnection
   Removes $myPersonUser from $myExampleGroup
   Set-SsoPersonUser -User $myPersonUser -Unlock -Server $ssoAdminConnection
   Unlocks $myPersonUser
   Set-SsoPersonUser -User $myPersonUser -NewPassword 'MyBrandNewPa$$W0RD' -Server $ssoAdminConnection
   Resets $myPersonUser password

      HelpMessage='Person User instance you want to update')]

      ParameterSetName = 'AddToGroup',
      HelpMessage='Group instance you want user to be added to or removed from')]
      ParameterSetName = 'RemoveFromGroup',
      HelpMessage='Group instance you want user to be added to or removed from')]

      ParameterSetName = 'AddToGroup',

      ParameterSetName = 'RemoveFromGroup',

      ParameterSetName = 'ResetPassword',
      HelpMessage='New password for the specified user.')]

      ParameterSetName = 'UnlockUser',
      HelpMessage='Specifies to unlock user account.')]

   Process {
      try {
         foreach ($u in $User) {
            $ssoAdminClient = $u.GetClient()
            if ((-not $ssoAdminClient)) {
               Write-Error "Object '$u' is from disconnected server"

            if ($Add) {
               $result = $ssoAdminClient.AddPersonUserToGroup($u, $Group)
               if ($result) {
                  Write-Output $u

            if ($Remove) {
               $result = $ssoAdminClient.RemovePersonUserFromGroup($u, $Group)
               if ($result) {
                  Write-Output $u

            if ($Unlock) {
               $result = $ssoAdminClient.UnlockPersonUser($u)
               if ($result) {
                  Write-Output $u

            if ($NewPassword) {
               $ssoAdminClient.ResetPersonUserPassword($u, $NewPassword)
               Write-Output $u
      } catch {
         Write-Error (FormatError $_.Exception)

function Remove-SsoPersonUser {
   Created on: 9/29/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function removes existing person user account.
   Specifies the PersonUser instance to remove.
   $ssoAdminConnection = Connect-SsoAdminServer -Server my.vc.server -User ssoAdmin@vsphere.local -Password 'ssoAdminStrongPa$$w0rd'
   $myNewPersonUser = New-SsoPersonUser -Server $ssoAdminConnection -User myAdmin -Password 'MyStrongPa$$w0rd'
   Remove-SsoPersonUser -User $myNewPersonUser
   Remove person user account with user name 'myAdmin'

      HelpMessage='Person User instance you want to remove from specified servers')]

   Process {
      try {
         foreach ($u in $User) {
            $ssoAdminClient = $u.GetClient()
            if ((-not $ssoAdminClient)) {
               Write-Error "Object '$u' is from disconnected server"

      } catch {
         Write-Error (FormatError $_.Exception)

#region Group cmdlets
function Get-SsoGroup {
   Created on: 9/29/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function gets domain groups.
   Specifies Name to filter on when searching for groups.
   .PARAMETER Domain
   Specifies the Domain in which search will be applied, default is 'localos'.
   .PARAMETER Server
   Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
   If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
   Get-SsoGroup -Name administrators -Domain vsphere.local
   Gets the 'administrators' group in the 'vsphere.local' domain

      HelpMessage='Name filter to be applied when searching for group')]

      HelpMessage='Domain name to search in, default is "localos"')]
   $Domain = 'localos',

      HelpMessage='Connected SsoAdminServer object')]

   Process {
      $serversToProcess = $global:DefaultSsoAdminServers.ToArray()
      if ($Server -ne $null) {
         $serversToProcess = $Server

      if ($Name -eq $null) {
         $Name = [string]::Empty

      try {
         foreach ($connection in $serversToProcess) {
            if (-not $connection.IsConnected) {
               Write-Error "Server $connection is disconnected"

            foreach ($group in $connection.Client.GetGroups(
               (RemoveWildcardSymbols $Name),
               $Domain)) {

               if ([string]::IsNullOrEmpty($Name) ) {
                  Write-Output $group
               } else {
                  # Apply Name filtering
                  if ((HasWildcardSymbols $Name) -and `
                      $group.Name -like $Name) {
                      Write-Output $group
                  } elseif ($group.Name -eq $Name) {
                     # Exactly equal
                     Write-Output $group
      } catch {
         Write-Error (FormatError $_.Exception)

#region PasswordPolicy cmdlets
function Get-SsoPasswordPolicy {
   Created on: 9/30/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function gets password policy.
   .PARAMETER Server
   Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
   If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
   Gets password policy for the server connections available in $global:defaultSsoAdminServers

      HelpMessage='Connected SsoAdminServer object')]

   Process {
      $serversToProcess = $global:DefaultSsoAdminServers.ToArray()
      if ($Server -ne $null) {
         $serversToProcess = $Server
      try {
         foreach ($connection in $serversToProcess) {
            if (-not $connection.IsConnected) {
               Write-Error "Server $connection is disconnected"

      } catch {
         Write-Error (FormatError $_.Exception)

function Set-SsoPasswordPolicy {
   Created on: 9/30/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function updates password policy settings.
   .PARAMETER PasswordPolicy
   Specifies the PasswordPolicy instance used as the baseline policy. Any property that is not specified keeps the value it has in this object.
   .PARAMETER Description
   .PARAMETER ProhibitedPreviousPasswordsCount
   .PARAMETER MinLength
   .PARAMETER MaxLength
   .PARAMETER MaxIdenticalAdjacentCharacters
   .PARAMETER MinNumericCount
   .PARAMETER MinSpecialCharCount
   .PARAMETER MinAlphabeticCount
   .PARAMETER MinUppercaseCount
   .PARAMETER MinLowercaseCount
   .PARAMETER PasswordLifetimeDays
   Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinLength 10 -PasswordLifetimeDays 45
   Updates password policy setting minimum password length to 10 symbols and password lifetime to 45 days

      HelpMessage='PasswordPolicy instance you want to update')]

      HelpMessage='PasswordPolicy description')]











   Process {

      try {
         foreach ($pp in $PasswordPolicy) {

            $ssoAdminClient = $pp.GetClient()
            if ((-not $ssoAdminClient)) {
               Write-Error "Object '$pp' is from disconnected server"

            if ([string]::IsNullOrEmpty($Description)) {
               $Description = $pp.Description

            if ($ProhibitedPreviousPasswordsCount -eq $null) {
               $ProhibitedPreviousPasswordsCount = $pp.ProhibitedPreviousPasswordsCount

            if ($MinLength -eq $null) {
               $MinLength = $pp.MinLength

            if ($MaxLength -eq $null) {
               $MaxLength = $pp.MaxLength

            if ($MaxIdenticalAdjacentCharacters -eq $null) {
               $MaxIdenticalAdjacentCharacters = $pp.MaxIdenticalAdjacentCharacters

            if ($MinNumericCount -eq $null) {
               $MinNumericCount = $pp.MinNumericCount

            if ($MinSpecialCharCount -eq $null) {
               $MinSpecialCharCount = $pp.MinSpecialCharCount

            if ($MinAlphabeticCount -eq $null) {
               $MinAlphabeticCount = $pp.MinAlphabeticCount

            if ($MinUppercaseCount -eq $null) {
               $MinUppercaseCount = $pp.MinUppercaseCount

            if ($MinLowercaseCount -eq $null) {
               $MinLowercaseCount = $pp.MinLowercaseCount

            if ($PasswordLifetimeDays -eq $null) {
               $PasswordLifetimeDays = $pp.PasswordLifetimeDays

      } catch {
         Write-Error (FormatError $_.Exception)

#region LockoutPolicy cmdlets
function Get-SsoLockoutPolicy {
   Created on: 9/30/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function gets lockout policy.
   .PARAMETER Server
   Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
   If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
   Gets lockout policy for the server connections available in $global:defaultSsoAdminServers

      HelpMessage='Connected SsoAdminServer object')]

   Process {
      $serversToProcess = $global:DefaultSsoAdminServers.ToArray()
      if ($Server -ne $null) {
         $serversToProcess = $Server

      try {
         foreach ($connection in $serversToProcess) {
            if (-not $connection.IsConnected) {
               Write-Error "Server $connection is disconnected"

      } catch {
         Write-Error (FormatError $_.Exception)

function Set-SsoLockoutPolicy {
   Created on: 9/30/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function updates lockout policy settings.
   .PARAMETER LockoutPolicy
   Specifies the LockoutPolicy instance used as the baseline policy. Any property that is not specified keeps the value it has in this object.
   .PARAMETER Description
   .PARAMETER AutoUnlockIntervalSec
   .PARAMETER FailedAttemptIntervalSec
   .PARAMETER MaxFailedAttempts
   Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -AutoUnlockIntervalSec 15 -MaxFailedAttempts 4
   Updates lockout policy auto unlock interval seconds and maximum failed attempts

      HelpMessage='LockoutPolicy instance you want to update')]

      HelpMessage='LockoutPolicy description')]




   Process {
      try {
         foreach ($lp in $LockoutPolicy) {

            $ssoAdminClient = $lp.GetClient()
            if ((-not $ssoAdminClient)) {
               Write-Error "Object '$lp' is from disconnected server"

            if ([string]::IsNullOrEmpty($Description)) {
               $Description = $lp.Description

            if ($AutoUnlockIntervalSec -eq $null) {
               $AutoUnlockIntervalSec = $lp.AutoUnlockIntervalSec

            if ($FailedAttemptIntervalSec -eq $null) {
               $FailedAttemptIntervalSec = $lp.FailedAttemptIntervalSec

            if ($MaxFailedAttempts -eq $null) {
               $MaxFailedAttempts = $lp.MaxFailedAttempts

      } catch {
         Write-Error (FormatError $_.Exception)

#region TokenLifetime cmdlets
function Get-SsoTokenLifetime {
   Created on: 9/30/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function gets HoK and Bearer Token lifetime settings.
   .PARAMETER Server
   Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
   If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
   Gets HoK and Bearer Token lifetime settings for the server connections available in $global:defaultSsoAdminServers

      HelpMessage='Connected SsoAdminServer object')]

   Process {
      $serversToProcess = $global:DefaultSsoAdminServers.ToArray()
      if ($Server -ne $null) {
         $serversToProcess = $Server

      try {
         foreach ($connection in $serversToProcess) {
            if (-not $connection.IsConnected) {
               Write-Error "Server $connection is disconnected"

      } catch {
         Write-Error (FormatError $_.Exception)

function Set-SsoTokenLifetime {
   Created on: 9/30/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function updates HoK or Bearer token lifetime settings.
   .PARAMETER TokenLifetime
   Specifies the TokenLifetime instance to update.
   .PARAMETER MaxHoKTokenLifetime
   .PARAMETER MaxBearerTokenLifetime
   Get-SsoTokenLifetime | Set-SsoTokenLifetime -MaxHoKTokenLifetime 60
   Updates HoK token lifetime setting

      HelpMessage='TokenLifetime instance you want to update')]



   Process {

      try {
         foreach ($tl in $TokenLifetime) {

            $ssoAdminClient = $tl.GetClient()
            if ((-not $ssoAdminClient)) {
               Write-Error "Object '$tl' is from disconnected server"

      } catch {
         Write-Error (FormatError $_.Exception)

#region IdentitySource
function Add-ExternalDomainIdentitySource {
   Created on: 2/11/2021
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function adds Identity Source of ActiveDirectory, OpenLDAP or NIS type.
   Name of the identity source
   .PARAMETER DomainName
   Domain name
   .PARAMETER DomainAlias
   Domain alias
   .PARAMETER PrimaryUrl
   Primary Server URL
   A plain ldap:// URL (as in the example) is not TLS-protected; prefer ldaps:// where the
   directory supports it so the bind credentials and directory data are not sent in the clear.
   Base distinguished name for users
   .PARAMETER BaseDNGroups
   Base distinguished name for groups
   .PARAMETER Username
   Domain authentication user name
   .PARAMETER Password
   Domain authentication password
   Passed as an ordinary parameter, so it can be recorded in shell history and transcripts;
   prefer supplying it from a variable or a secret store rather than typing it inline.
   .PARAMETER DomainServerType
   Type of the ExternalDomain, one of 'ActiveDirectory','OpenLdap','NIS'
   .PARAMETER Server
   Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
   If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
   Add-ExternalDomainIdentitySource `
      -Name 'sof-powercli' `
      -DomainName 'sof-powercli.vmware.com' `
      -DomainAlias 'sof-powercli' `
      -PrimaryUrl 'ldap://sof-powercli.vmware.com:389' `
      -BaseDNUsers 'CN=Users,DC=sof-powercli,DC=vmware,DC=com' `
      -BaseDNGroups 'CN=Users,DC=sof-powercli,DC=vmware,DC=com' `
      -Username 'sofPowercliAdmin' `
      -Password '$up3R$Tr0Pa$$w0rD'
   Adds External Identity Source

      HelpMessage='Friendly name of the identity source')]




      HelpMessage='Base distinguished name for users')]

      HelpMessage='Base distinguished name for groups')]

      HelpMessage='Domain authentication user name')]

      HelpMessage='Domain authentication password')]

      HelpMessage='External domain server type')]
   $DomainServerType = 'ActiveDirectory',

      HelpMessage='Connected SsoAdminServer object')]

   # Default to every connection registered in the session; an explicit -Server overrides it.
   $serversToProcess = $global:DefaultSsoAdminServers.ToArray()
   if ($Server -ne $null) {
      $serversToProcess = $Server

   try {
      foreach ($connection in $serversToProcess) {
         # Disconnected entries are reported, not silently skipped.
         if (-not $connection.IsConnected) {
            Write-Error "Server $connection is disconnected"

   } catch {
      # One failing server ends the whole loop; the remaining servers are not attempted.
      Write-Error (FormatError $_.Exception)

function Add-LDAPIdentitySource {
   Created on: 2/11/2021
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function adds LDAP Identity Source of ActiveDirectory, OpenLDAP or NIS type.
   Friendly name of the identity source
   .PARAMETER DomainName
   Domain name
   .PARAMETER DomainAlias
   Domain alias
   .PARAMETER PrimaryUrl
   Primary Server URL
   A plain ldap:// URL (as in the example) is not TLS-protected; prefer ldaps:// where the
   directory supports it so the bind credentials and directory data are not sent in the clear.
   Base distinguished name for users
   .PARAMETER BaseDNGroups
   Base distinguished name for groups
   .PARAMETER Username
   Domain authentication user name
   .PARAMETER Password
   Domain authentication password
   Passed as an ordinary parameter, so it can be recorded in shell history and transcripts;
   prefer supplying it from a variable or a secret store rather than typing it inline.
   .PARAMETER ServerType
   Type of the ExternalDomain, one of 'ActiveDirectory','OpenLdap','NIS'
   .PARAMETER Certificates
   List of X509Certificate2 LDAP certificates
   NOTE(review): the example passes a file path while this says X509Certificate2 objects;
   presumably the parameter converts paths - confirm against the parameter's declared type.
   .PARAMETER Server
   Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
   If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
   Adds LDAP Identity Source
   Add-LDAPIdentitySource `
      -Name 'sof-powercli' `
      -DomainName 'sof-powercli.vmware.com' `
      -DomainAlias 'sof-powercli' `
      -PrimaryUrl 'ldap://sof-powercli.vmware.com:389' `
      -BaseDNUsers 'CN=Users,DC=sof-powercli,DC=vmware,DC=com' `
      -BaseDNGroups 'CN=Users,DC=sof-powercli,DC=vmware,DC=com' `
      -Username 'sofPowercliAdmin@sof-powercli.vmware.com' `
      -Password '$up3R$Tr0Pa$$w0rD' `
      -Certificates 'C:\Temp\test.cer'

      HelpMessage='Friendly name of the identity source')]




      HelpMessage='Base distinguished name for users')]

      HelpMessage='Base distinguished name for groups')]

      HelpMessage='Domain authentication user name')]

      HelpMessage='Domain authentication password')]

      HelpMessage='Ldap Certificates')]

      HelpMessage='Ldap Server type')]
   $ServerType = 'ActiveDirectory',

      HelpMessage='Connected SsoAdminServer object')]

   # Default to every connection registered in the session; an explicit -Server overrides it.
   $serversToProcess = $global:DefaultSsoAdminServers.ToArray()
   if ($Server -ne $null) {
      $serversToProcess = $Server

   try {
      foreach ($connection in $serversToProcess) {
         # Disconnected entries are reported, not silently skipped.
         if (-not $connection.IsConnected) {
            Write-Error "Server $connection is disconnected"

   } catch {
      # One failing server ends the whole loop; the remaining servers are not attempted.
      Write-Error (FormatError $_.Exception)

function Set-LDAPIdentitySource {
   Created on: 2/17/2021
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function updates an existing LDAP Identity Source of ActiveDirectory, OpenLDAP or NIS type.
   .PARAMETER IdentitySource
   Identity Source to update
   .PARAMETER Certificates
   List of X509Certificate2 LDAP certificates
   .PARAMETER Server
   Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
   If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
   Updates LDAP Identity Source
   Updates certificate of a LDAP identity source
   Get-IdentitySource -External | `
   Set-LDAPIdentitySource `
      -Certificates 'C:\Temp\test.cer'

      HelpMessage='Identity source to update')]

      HelpMessage='Ldap Certificates')]

      HelpMessage='Connected SsoAdminServer object')]

Process {
   $serversToProcess = $global:DefaultSsoAdminServers.ToArray()
   if ($Server -ne $null) {
      $serversToProcess = $Server

   try {
      foreach ($connection in $serversToProcess) {
         if (-not $connection.IsConnected) {
            Write-Error "Server $connection is disconnected"

   } catch {
      Write-Error (FormatError $_.Exception)

function Get-IdentitySource {
   Created on: 11/26/2020
   Created by: Dimitar Milov
    Twitter: @dimitar_milov
    Github: https://github.com/dmilov
   This function gets Identity Source.
   .PARAMETER Localos
   Filter parameter to return only the localos domain identity source
   .PARAMETER System
   Filter parameter to return only the system domain identity source
   .PARAMETER External
   Filter parameter to return only the external domain identity sources
   The filters are additive: specifying more than one returns the union of the matching sources.
   .PARAMETER Server
   Specifies the vSphere Sso Admin Server on which you want to run the cmdlet.
   If not specified the servers available in $global:DefaultSsoAdminServers variable will be used.
   Get-IdentitySource -External
   Gets all external domain identity source


      HelpMessage='Returns only the localos domain identity source')]

      HelpMessage='Returns only the system domain identity source')]

      HelpMessage='Returns only the external domain identity sources')]

      HelpMessage='Connected SsoAdminServer object')]

   # Default to every connection registered in the session; an explicit -Server overrides it.
   $serversToProcess = $global:DefaultSsoAdminServers.ToArray()
   if ($Server -ne $null) {
      $serversToProcess = $Server
   foreach ($connection in $serversToProcess) {
      # Disconnected entries are reported, not silently skipped.
      if (-not $connection.IsConnected) {
         Write-Error "Server $connection is disconnected"

      $resultIdentitySources = @()
      $allIdentitySources = $connection.Client.GetDomains()

      # No filter switch at all means every domain is returned.
      if (-not $Localos -and -not $System -and -not $External) {
         $resultIdentitySources = $allIdentitySources

      # Each switch appends its matches, so combined switches yield the union.
      if ($Localos) {
         $resultIdentitySources += $allIdentitySources | Where-Object { $_ -is [VMware.vSphere.SsoAdminClient.DataTypes.LocalOSIdentitySource] }

      if ($System) {
         $resultIdentitySources += $allIdentitySources | Where-Object { $_ -is [VMware.vSphere.SsoAdminClient.DataTypes.SystemIdentitySource] }

      # NOTE(review): -External matches only ActiveDirectoryIdentitySource; if OpenLDAP/NIS
      # sources are represented by a different type they are silently omitted - confirm.
      if ($External) {
         $resultIdentitySources += $allIdentitySources | Where-Object { $_ -is [VMware.vSphere.SsoAdminClient.DataTypes.ActiveDirectoryIdentitySource] }

      #Return result