To allow the users and groups in your Microsoft Active Directory domain to use their Active Directory credentials to log in to the SDDC Manager client as well as the vCenter Server instances that are deployed in your Cloud Foundation environment, you configure your Microsoft Active Directory domain as an identity source for the authentication services.
The Platform Services Controller component provides the single sign-on capability for the vCenter Server Single Sign-On authentication service. During the environment's initial bring-up process, you enter your root domain, domain name server (DNS) subdomain, and Platform Services Controller single sign-on domain information in the configuration wizard. When you intend to use your Active Directory domain as identity sources for logging into SDDC Manager and to the vCenter Server instances, you typically enter vsphere.local in the configuration wizard as the Platform Services Controller single sign-on domain. Once the software stack is deployed, you can log in using the email@example.com account that is generated by the bring-up process, and then configure your Active Directory domain as an identity source.
After you configure your Active Directory domain as an identity source, the users and groups in the joined Active Directory domain become available to grant permissions to users and groups for logging in to the Web interfaces using their Active Directory credentials:
You grant permissions for logging in to the SDDC Manager client by assigning roles provided by the SDDC Manager role-based access control capabilities. See Assign Permissions to Users and Groups and Role-Based Access Control.
You can grant permissions for logging in to the vSphere Web Client and to access all of the software components that are integrated with vSphere in Cloud Foundation by assigning roles using the Global Permissions feature in the vSphere Web Client. See Grant Permission to Active Directory Users and Groups to Log in to the vSphere Web Client in Your Cloud Foundation Installation.