vCenter Single Sign-On is an authentication broker and security token exchange infrastructure. When a user can authenticate to vCenter Single Sign-On, that user receives a SAML token. Going forward, the user can use the SAML token to authenticate to vCenter services. The user can then perform the actions that user has privileges for.

Because traffic is encrypted for all communications, and because only authenticated users can perform the actions that they have privileges for, your environment is secure.

If you use VMware Cloud on AWS, VMware performs much of the management of the vCenter Single Sign-On service for you. You can perform the following tasks.

Table 1. vCenter Single Sign-On tasks in VMware Cloud on AWS



Add an identity source.

By default, VMware Cloud on AWS includes two preconfigured identity sources. If you want to use your own Active Directory domain as an identity source, you can add it. If you want to set up Hybrid Linked Mode, both vCenter Server instances must be in the same vCenter Single Sign-On domain, that is, they use the same identity source.

Configure vCenter Single Sign-On policies.

You can configure password policies, lockout policies, and token policies. These policies apply only to the vmc.local domain.

View users and groups.

You can view the users and groups in the vCenter Single Sign-On domain. In contrast to an on-premises SDDC, you cannot make changes to users and groups.