vCenter Single Sign-On is an authentication broker and security token exchange infrastructure. When a user or a solution user can authenticate to vCenter Single Sign-On, that user receives SAML token. Going forward, the user can use the SAML token to authenticate to vCenter services. The user can then perform the actions that user has privileges for.

Because traffic is encrypted for all communications, and because only authenticated users can perform the actions that they have privileges for, your environment is secure.

Starting with vSphere 6.0, vCenter Single Sign-On is part of the Platform Services Controller. The Platform Services Controller contains the shared services that support vCenter Server and vCenter Server components. These services include vCenter Single Sign-On, VMware Certificate Authority, License Service, and Lookup Service. See vSphere Installation and Setup for details on the Platform Services Controller.

For the initial handshake, users authenticate with a user name and password, and solution users authenticate with a certificate. For information on replacing solution user certificates, see vSphere Security Certificates.

After a user can authenticate with vCenter Single Sign-On, you can authorize the user to perform certain tasks. In most cases, you assign vCenter Server privileges, but vSphere includes other permission models. See Understanding Authorization in vSphere.

Note: If you want to enable an Active Directory user to log in to a vCenter Server instance by using the vSphere Client with SSPI, you must join the vCenter Server instance to the Active Directory domain. For information about joining a vCenter Server Appliance with an external Platform Services Controller to an Active Directory domain, see the VMware knowledge base article at