vCenter Single Sign-On allows vSphere components to communicate with each other through a secure token mechanism instead of requiring users to authenticate separately with each component.
vCenter Single Sign-On uses a combination of STS (Security Token Service), SSL for secure traffic, and authentication through Active Directory or OpenLDAP, as shown in the following illustration.
A user logs in to the vSphere Web Client with a user name and password to access the vCenter Server system or another vCenter service.
Alternatively, the user can select the Use Windows session authentication checkbox and log in without entering a password. The checkbox becomes available after you install the VMware Client Integration Plugin.
The vSphere Web Client passes the login information to the vCenter Single Sign-On service, which checks the SAML token of the vSphere Web Client. If the vSphere Web Client has a valid token, vCenter Single Sign-On then checks whether the user is in the configured identity source (for example, Active Directory).
If only the user name is used, vCenter Single Sign-On checks in the default domain.
If a domain name is included with the user name (DOMAIN\user1), vCenter Single Sign-On checks that domain.
If the user is in the identity source, vCenter Single Sign-On returns a token that represents the user to the vSphere Web Client.
The vSphere Web Client passes the token to the vCenter Server system.
vCenter Server checks with the vCenter Single Sign-On server that the token is valid and not expired.
The vCenter Single Sign-On server returns the token to the vCenter Server system.
The user can now authenticate to vCenter Server and view and modify any objects that the user has permissions for.
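The following is an added illustration, not VMware's code: a minimal Python model of the login sequence above (default-domain versus DOMAIN\user lookup, token issuance by the STS after an identity-source check, and the signature-plus-expiry validation that vCenter Server asks the SSO server to perform). The identity sources, passwords, signing key and HMAC-based token format are constructed stand-ins for the real SAML token and STS certificate.

```python
import hashlib
import hmac
import time

# Constructed identity sources: domain -> {user: password}. Not real credentials.
IDENTITY_SOURCES = {
    "VSPHERE.LOCAL": {"administrator": "pw-admin"},
    "CORP": {"user1": "pw-user1"},
}
DEFAULT_DOMAIN = "VSPHERE.LOCAL"
STS_KEY = b"constructed-sts-signing-key"  # stands in for the STS signing certificate
TOKEN_LIFETIME = 600  # seconds a token stays valid (assumed value)


def resolve_principal(login):
    """Map 'DOMAIN\\user' to (domain, user); a bare user name goes to the default domain."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return domain.upper(), user
    return DEFAULT_DOMAIN, login


def sts_issue_token(login, password, now=None):
    """Check the user in the identity source; return a signed token or None on failure."""
    now = int(time.time()) if now is None else now
    domain, user = resolve_principal(login)
    users = IDENTITY_SOURCES.get(domain, {})
    if user not in users or not hmac.compare_digest(users[user], password):
        return None
    body = f"{domain}\\{user}|{now + TOKEN_LIFETIME}"
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"


def sts_validate_token(token, now=None):
    """vCenter Server's question to the SSO server: genuine signature and not expired?"""
    now = int(time.time()) if now is None else now
    try:
        principal, expires, sig = token.rsplit("|", 2)
        expires = int(expires)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(STS_KEY, f"{principal}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now >= expires:
        return None
    return principal


def vcenter_login(login, password, now=None):
    """End to end: client -> STS -> vCenter -> STS validation; returns the principal or None."""
    token = sts_issue_token(login, password, now)
    return None if token is None else sts_validate_token(token, now)
```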