The vCenter Single Sign-On Security Token Service (STS) is a Web service that issues, validates, and renews security tokens.

Users present their primary credentials to the STS interface to acquire SAML tokens. The primary credential depends on the type of user.
User name and password available in a vCenter Single Sign-On identity source.
Application user
Valid certificate.

STS authenticates the user based on the primary credentials, and constructs a SAML token that contains user attributes. STS signs the SAML token with its STS signing certificate, and assigns the token to the user. By default, the STS signing certificate is generated by VMCA. You can replace the default STS signing certificate from the vSphere Web Client. Do not replace the STS signing certificate unless your company's security policy requires replacing all certificates.

After a user has a SAML token, the SAML token is sent as part of that user's HTTP requests, possibly through various proxies. Only the intended recipient (service provider) can use the information in the SAML token.