SSO makes vSphere and NSX more secure by allowing the various components to communicate with each other through a secure token exchange mechanism, instead of requiring each component to authenticate a user separately. You can configure the lookup service on the NSX Manager and provide the SSO administrator credentials to register the NSX Management Service as an SSO user. Integrating the single sign-on (SSO) service with NSX improves the security of user authentication for vCenter users and enables NSX to authenticate users from other identity services such as AD, NIS, and LDAP.

About this task

With SSO, NSX supports authentication using authenticated Security Assertion Markup Language (SAML) tokens from a trusted source via REST API calls. NSX Manager can also acquire authentication SAML tokens for use with other VMware solutions.

NSX caches group information for SSO users. Changes to group memberships take up to 60 minutes to propagate from the identity provider (for example, Active Directory) to NSX.


  • To use SSO on NSX Manager, you must have vCenter Server 5.5 or later, and the single sign-on (SSO) authentication service must be installed on the vCenter Server. Note that this applies to embedded SSO; your deployment might instead use an external centralized SSO server.

    For information about SSO services provided by vSphere, see and

  • An NTP server must be specified so that the SSO server time and the NSX Manager time are in sync.



  1. Log in to the NSX Manager virtual appliance.

    In a Web browser, navigate to the NSX Manager appliance GUI at https://<nsx-manager-ip> or https://<nsx-manager-hostname>, and log in as admin with the password that you configured during NSX Manager installation.

  2. Click the Manage tab, then click NSX Management Service.
  3. Type the name or IP address of the host that has the lookup service.

    If you are using vCenter to perform the lookup service, enter the vCenter Server's IP address or hostname, and enter the vCenter Server user name and password.

  4. Type the port number.

    Enter port 443 if you are using vSphere 6.0. For vSphere 5.5, use port number 7444.

    The Lookup Service URL is displayed based on the specified host and port.


  5. Check that the certificate thumbprint matches the certificate of the vCenter Server.

    If you installed a CA-signed certificate on the CA server, you are presented with the thumbprint of the CA-signed certificate. Otherwise, you are presented with a self-signed certificate.

  6. Confirm that the Lookup Service status is Connected.
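
The thumbprint check in step 5 can also be done out of band from an administrative workstation. The following is an added example, not VMware code: it hashes the DER-encoded certificate and compares the result with the thumbprint shown in the dialog. The function names and the host name are hypothetical, and inferring SHA-1 or SHA-256 from the thumbprint length is an assumption, because the page does not name the hash.

```python
import hashlib
import hmac
import re
import ssl

# Assumption: hash inferred from thumbprint length (the page names no algorithm).
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_thumbprint(displayed):
    """Drop colons/spaces/dashes, lowercase, and validate a displayed thumbprint."""
    cleaned = re.sub(r"[:\s-]", "", displayed).lower()
    if len(cleaned) not in ALGO_BY_HEX_LEN or not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("not a SHA-1 or SHA-256 hex thumbprint")
    return cleaned


def fingerprint(der_cert, algorithm):
    """Thumbprint = hash over the whole DER-encoded certificate."""
    return hashlib.new(algorithm, der_cert).hexdigest()


def thumbprint_matches(displayed, der_cert):
    """True only if the displayed thumbprint is the hash of this certificate."""
    expected = normalize_thumbprint(displayed)
    actual = fingerprint(der_cert, ALGO_BY_HEX_LEN[len(expected)])
    return hmac.compare_digest(expected, actual)


def fetch_der_cert(host, port=443):
    """Fetch the certificate the server presents. No chain validation is done
    here; comparing the thumbprint with a trusted value is the trust decision."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    # Constructed bytes standing in for a DER certificate, so this runs offline.
    sample_der = b"constructed stand-in for a DER-encoded certificate"
    shown = fingerprint(sample_der, "sha1").upper()
    shown = ":".join(shown[i:i + 2] for i in range(0, len(shown), 2))
    print("displayed :", shown)
    print("match     :", thumbprint_matches(shown, sample_der))
    print("tampered  :", thumbprint_matches(shown, sample_der + b"\x00"))
    # Live use (hypothetical host): thumbprint_matches(shown, fetch_der_cert("vcenter.example.com"))
```

Run the live fetch from a network segment you trust, because a certificate fetched through an interposed path yields the thumbprint of whatever is interposing.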


What to do next

Assign a role to the SSO user.