You can use identity sources to attach one or more domains to vCenter Single Sign-On. A domain is a repository for users and groups that the vCenter Single Sign-On server can use for user authentication.
Starting in vSphere 7.0, vCenter Server supports federated authentication to sign in to vCenter Server. VMware encourages you to use federated authentication as vSphere moves towards token-based authentication. See Understanding vCenter Server Identity Provider Federation.
An administrator can add identity sources, set the default identity source, and create users and groups in the vsphere.local identity source.
The user and group data is stored in Active Directory, OpenLDAP, or locally to the operating system of the machine where vCenter Single Sign-On is installed. After installation, every instance of vCenter Single Sign-On has the identity source your_domain_name, for example vsphere.local. This identity source is internal to vCenter Single Sign-On.
The following identity sources are available.
- Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity sources.
- Active Directory (Integrated Windows Authentication) versions 2003 and later. vCenter Single Sign-On allows you to specify a single Active Directory domain as an identity source. The domain can have child domains or be a forest root domain. VMware KB article 2064250 discusses Microsoft Active Directory Trusts supported with vCenter Single Sign-On.
- OpenLDAP versions 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity sources.