After you obtain a SAML token from the vCenter Single Sign-On server, you can use the vSphere Web Services API method LoginByToken to establish a single sign-on session with a vCenter Server. See vCenter Single Sign-On Client Example (.NET) for a description of how to obtain a vCenter Single Sign-On token.

To establish a vCenter Server session that is based on SAML token authentication, the client must embed the SAML token in the SOAP header of the LoginByToken request. The C# LoginByToken example uses the .NET services in vCenter Server Single Sign-On Session to support a single sign-on session.

Table 1. Microsoft .NET Elements for vCenter Single Sign-On Sessions
.NET Element /


vCenter Single Sign-On Usage


The sample creates a custom policy assertion derived from the SecurityPolicyAssertion class. The custom assertion contains the SAML token and X509 certificate.


The sample defines a custom output filter derived from the SendSecurityFilter class. The custom filter adds the token and certificate to the outgoing SOAP message.

The sample uses the ServicePointManager to specify SSL3 and HTTP 100-Continue behavior.


The sample uses the ConfigurationManager to specify certificate metadata (password and certificate type).


The sample uses the CookieContainer class to manage vCenter Server session cookies.