vSphere provides services that enable you to perform certificate management tasks for vCenter Server and ESXi components, and configure authentication through vCenter Single Sign-On.

vSphere Certificate Management Overview

By default, vSphere enables you to provision vCenter Server components and ESXi hosts with VMware Certificate Authority (VMCA) certificates. You can also use custom certificates, which are stored in the VMware Endpoint Certificate Store (VECS).

vCenter Single Sign-On Overview

vCenter Single Sign-On allows vSphere components to communicate with each other through a secure token mechanism. vCenter Single Sign-On uses specific terms and definitions that are important to understand.

Table 1. vCenter Single Sign-On Glossary
Term Definition
Principal An entity that can be authenticated, such as a user.
Identity Provider A service that manages identity sources and authenticates principals. Examples: Microsoft Active Directory Federation Services (AD FS) and vCenter Single Sign-On.
Identity Source (Directory Service) Stores and manages principals. Principals consist of a collection of attributes about a user or service account such as name, address, email, and group membership. Examples: Microsoft Active Directory and VMware Directory Service (vmdir).
Authentication The means of determining whether someone or something is, in fact, who or what it declares itself to be. For example, users are authenticated when they provide their credentials, such as smart cards, user name and correct password, and so on.
Authorization The process of verifying what objects principals have access to.
Token A signed collection of data comprising the identity information for a given principal. A token might include not only basic information about the principal such as email address and full name, but also, depending on the token type, the principal's groups and roles.
vmdir VMware Directory Service. The internal (local) LDAP repository in vCenter Server that contains user identities, groups, and configuration data.
OpenID Connect (OIDC) Authentication protocol based on OAuth2. vCenter Server uses OIDC capabilities when interacting with Active Directory Federation Services (AD FS).

vCenter Single Sign-On Authentication Types

vCenter Single Sign-On uses different types of authentication, depending on whether the built-in vCenter Server identity provider or an external identity provider is involved.

Table 2. vCenter Single Sign-On Authentication Types
Authentication Type What Acts as the Identity Provider? Does vCenter Server Handle the Password? Description
Token-Based Authentication External identity provider. For example, AD FS. No vCenter Server contacts the external identity provider through a particular protocol and obtains a token, which represents a particular user identity.
Simple Authentication vCenter Server Yes The user name and password are passed directly to vCenter Server, which validates the credentials through its identity sources.