SSO makes vSphere and NSX more secure by allowing the various components to communicate with each other through a secure token exchange mechanism, instead of requiring each component to authenticate a user separately.

About this task

You can configure the lookup service on the NSX Manager and provide the SSO administrator credentials to register NSX Management Service as an SSO user. Integrating the single sign-on (SSO) service with NSX improves the security of user authentication for vCenter users and enables NSX to authenticate users from other identity services such as AD, NIS, and LDAP. With SSO, NSX supports authentication using authenticated Security Assertion Markup Language (SAML) tokens from a trusted source via REST API calls. NSX Manager can also acquire authentication SAML tokens for use with other VMware solutions.

NSX caches group information for SSO users. Changes to group memberships take up to 60 minutes to propagate from the identity provider (for example, Active Directory) to NSX.


  • To use SSO on NSX Manager, you must have vCenter Server 6.0 or later, and the single sign-on (SSO) authentication service must be installed on the vCenter Server. Note that this applies to embedded SSO. Alternatively, your deployment might use an external centralized SSO server.

    For information about SSO services provided by vSphere, see and

  • An NTP server must be specified so that the SSO server time and NSX Manager time are in sync.

    For example:

    Time Settings window shows the NTP Server settings.


  1. Log in to the NSX Manager virtual appliance.

    In a Web browser, navigate to the NSX Manager appliance GUI at https://<nsx-manager-ip> or https://<nsx-manager-hostname>, and log in as admin or with an account that has the Enterprise Administrator role.

  2. From the home page, click Manage Appliance Settings > NSX Management Service.
  3. Click Edit in the Lookup Service URL section.
  4. Enter the name or IP address of the host that has the lookup service.
  5. Enter the port number.

    If you are using vSphere 6.0 or later, enter port 443.

    The Lookup Service URL is displayed based on the specified host and port.

  6. Enter the SSO Administrator user name and password, and click OK.

    The certificate thumbprint of the SSO server is displayed.

  7. Check that the certificate thumbprint matches the certificate of the SSO server.

    If you installed a CA-signed certificate on the CA server, you are presented with the thumbprint of the CA-signed certificate. Otherwise, you are presented with a self-signed certificate.

  8. Confirm that the Lookup Service status is Connected.

    For example:

    Figure shows that the Lookup Service status is Connected.
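
The thumbprint check in the procedure above can be done against a copy of the SSO server certificate exported over a trusted channel, rather than by eye. The following is an added example, not VMware code: it assumes the certificate is available as PEM text and that the displayed thumbprint is the SHA-1 or SHA-256 digest of the DER encoding (the page does not say which, so the algorithm is inferred from the length). All function names are hypothetical, and the sample "certificate" is a constructed stand-in wrapping the bytes `abc`.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}  # assumption: one of these two


def pem_to_der(pem_text):
    """Extract the first PEM certificate block and return its DER bytes."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def normalize(thumbprint):
    """Strip colons/whitespace and lowercase, so 'A9:99' equals 'a999'."""
    hexstr = re.sub(r"[\s:]", "", thumbprint).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("thumbprint contains non-hex characters")
    return hexstr


def thumbprint_matches(displayed, pem_text):
    """True only if the displayed thumbprint equals the certificate digest."""
    shown = normalize(displayed)
    algo = ALGO_BY_HEX_LEN.get(len(shown))
    if algo is None:
        raise ValueError("thumbprint length is neither SHA-1 nor SHA-256")
    actual = hashlib.new(algo, pem_to_der(pem_text)).hexdigest()
    return hmac.compare_digest(shown, actual)


# Constructed sample: NOT a real certificate, just base64 of b"abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# Constructed sample of what the dialog might show (SHA-1 of b"abc").
SAMPLE_DISPLAYED = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"

if __name__ == "__main__":
    ok = thumbprint_matches(SAMPLE_DISPLAYED, SAMPLE_PEM)
    print("thumbprint matches" if ok else "MISMATCH: do not accept")
```

A mismatch means the certificate NSX Manager received is not the one you exported from the SSO server, so do not accept the thumbprint until the difference is explained.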

What to do next

See Assign a Role to a vCenter User, in the NSX Administration Guide.