When a user logs in, vCenter Single Sign-On checks in the default identity source whether that user can authenticate. You can add identity sources, remove identity sources, and change the default.

You configure vCenter Single Sign-On from the vSphere Web Client. To configure vCenter Single Sign-On, you must have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator privileges is different from having the Administrator role on vCenter Server or ESXi. By default, only the user administrator@vsphere.local has administrator privileges on the vCenter Single Sign-On server in a new installation.