vCenter Single Sign-On allows vSphere components to communicate with each other through a secure token mechanism instead of requiring users to authenticate separately with each component.

vCenter Single Sign-On uses a combination of STS (Security Token Service), SSL for secure traffic, and authentication through Active Directory or OpenLDAP, as shown in the following illustration.

Figure 1. vCenter Single Sign-On Handshake
When the user logs in to the vSphere Web Client, the Single Sign-On server establishes the authentication handshake.
  1. A user logs in to the vSphere Web Client with a user name and password to access the vCenter Server system or another vCenter service.

    The user can also log in without a password and check the Use Windows session authentication checkbox. The checkbox becomes available after you install the VMware Client Integration Plugin.

  2. The vSphere Web Client passes the login information to the vCenter Single Sign-On service, which checks the SAML token of the vSphere Web Client. If the vSphere Web Client has a valid token, vCenter Single Sign-On then checks whether the user is in the configured identity source (for example Active Directory).

    • If only the user name is used, vCenter Single Sign-On checks in the default domain.

    • If a domain name is included with the user name (DOMAIN\user1), vCenter Single Sign-On checks that domain.

  3. If the user is in the identity source, vCenter Single Sign-On returns a token that represents the user to the vSphere Web Client.

  4. The vSphere Web Client passes the token to the vCenter Server system.

  5. vCenter Server checks with the vCenter Single Sign-On server that the token is valid and not expired.

  6. The vCenter Single Sign-On server returns the token to the vCenter Server system.

The user can now authenticate to vCenter Server and view and modify any objects that the user has permissions for.
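The handshake in steps 2 through 5, modelled as an added example that is not VMware's code: a constructed identity source stands in for Active Directory or OpenLDAP, and an HMAC over the token claims stands in for the STS signing certificate. The domain names, user names, key and token lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identity sources (assumption): domain -> {user: sha256(password)}.
# A real deployment binds against Active Directory or OpenLDAP instead.
IDENTITY_SOURCES = {
    "VSPHERE.LOCAL": {"administrator": hashlib.sha256(b"Adm1n-pass").hexdigest()},
    "CORP": {"user1": hashlib.sha256(b"user1-pass").hexdigest()},
}
DEFAULT_DOMAIN = "VSPHERE.LOCAL"
TOKEN_LIFETIME = 600                      # seconds; an assumed lifetime
STS_KEY = b"constructed-sts-signing-key"  # stands in for the STS signing certificate

def resolve_principal(login):
    """Step 2: 'DOMAIN\\user1' selects that domain; a bare name uses the default domain."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    else:
        domain, user = DEFAULT_DOMAIN, login
    return domain.upper(), user.lower()

def sso_issue_token(login, password, now=None):
    """Steps 2-3: look the user up in the identity source; return a signed token or None."""
    domain, user = resolve_principal(login)
    stored = IDENTITY_SOURCES.get(domain, {}).get(user)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return None  # unknown user in that domain, or wrong password
    now = int(time.time() if now is None else now)
    claims = {"sub": f"{user}@{domain}", "iat": now, "exp": now + TOKEN_LIFETIME}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def sso_validate_token(token, now=None):
    """Step 5: vCenter hands the token to SSO, which checks signature and expiry."""
    body, _, sig = token.partition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None  # tampered or forged token
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(time.time() if now is None else now)
    if now >= claims["exp"]:
        return None  # expired token
    return claims["sub"]
```

Validation returns the principal only when both the signature and the expiry check pass, which is what vCenter Server relies on in step 6 before applying the user's permissions.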

Note:

Initially, each user is assigned the No Access permission. A vCenter Server administrator must assign the user at least Read Only permissions before the user can log in. See Assign Permissions in the vSphere Web Client and vCenter User Management Tasks.