The vSphere Web Client is automatically registered as a trusted SAML 2.0 Service Provider (SP) to vCenter Single Sign-On. You can add other trusted service providers to an identity federation where vCenter Single Sign-On is acting as the SAML Identity Provider (IDP). The service providers must conform to the SAML 2.0 protocol. After the federation is set up, the service provider grants access to a user if that user can authenticate to vCenter Single Sign-On.

Note: vCenter Single Sign-On can be the IDP to other SPs. vCenter Single Sign-On cannot be an SP that uses another IDP.

A registered SAML service provider can grant access to a user that already has a live session, that is, a user that is logged in to the identity provider. For example, vRealize Automation 7.0 and later supports vCenter Single Sign-On as an identity provider. You can set up a federation from vCenter Single Sign-On and from vRealize Automation. After that, vCenter Single Sign-On can perform the authentication when you log in to vRealize Automation.

To join a SAML service provider to the identity federation, you have to set up trust between the SP and the IDP by exchanging SAML metadata between them.

You must perform integration tasks for both vCenter Single Sign-On and the service that is using vCenter Single Sign-On.
  1. Export IDP metadata to a file, then import it to the SP.
  2. Export SP metadata and import it into the IDP.

You can use the vSphere Web Client interface to vCenter Single Sign-On to export the IDP metadata, and to import the metadate from the SP. If you are using vRealize Automation as the SP, see the vRealize Automation documentation for details on exporting the SP metadata and importing the IDP metadata.

Note: The service must fully support the SAML 2.0 standard or integration does not work.