The vCenter Single Sign-On server includes a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens. You can manually refresh the existing Security Token Service certificate from the vSphere Web Client when the certificate expires or changes.
The STS authenticates the user using the primary credentials, and constructs a SAML token that contains user attributes. The STS service signs the SAML token with its STS signing certificate, and then assigns the token to a user. By default, the STS signing certificate is generated by VMCA.
After a user has a SAML token, the SAML token is sent as part of that user's HTTP requests, possibly through various proxies. Only the intended recipient (service provider) can use the information in the SAML token.
- Platform Services Controller appliance
- certificate_location/keys/root-trust.jks For example: /keys/root-trust.jks
- For example:
- Log in to the vSphere Web Client as email@example.com or as another user with vCenter Single Sign-On administrator privileges.
Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the local vCenter Single Sign-On domain, vsphere.local by default.
- Navigate to the Configuration UI.
- From the Home menu, select Administration.
- Under Single Sign On, click Configuration.
- Select the Certificates tab, then the STS Signing subtab, and click the Add STS Signing Certificate icon.
- Add the certificate.
- Click Browse to browse to the key store JKS file that contains the new certificate and click Open.
- Type the password when prompted.
- Click the top of the STS alias chain and click OK.
- Type the password again when prompted
- Click OK.
- Restart the Platform Services Controller node to start both the STS service and the vSphere Web Client.
Before the restart, authentication does not work correctly so the restart is essential.