vCenter Single Sign-On includes the Security Token Service (STS), an administration server, the vCenter Lookup Service, and the VMware Directory Service (vmdir). The VMware Directory Service is also used for certificate management.
During installation, the following components are deployed as part of a vCenter Server deployment.
- STS (Security Token Service)
- The STS service issues Security Assertion Markup Language (SAML) tokens. These security tokens represent the identity of a user in one of the identity source types supported by vCenter Server. The SAML tokens allow interactive, scripted, and service users (including solution users) who authenticate successfully to vCenter Single Sign-On to use any vCenter service that vCenter Single Sign-On supports without authenticating again to each service.
- The vCenter Single Sign-On service signs all tokens with a signing certificate, and stores the token signing certificate on disk. The certificate for the service itself is also stored on disk.
- Administration server
- The administration server allows users with administrator privileges to vCenter Single Sign-On to configure the vCenter Single Sign-On server and manage users and groups from the vSphere Client. Initially, only the user administrator@ your_domain_name has these privileges. You can change the vSphere domain when you install vCenter Server. Do not name the domain name with your Microsoft Active Directory or OpenLDAP domain name.
- VMware Directory Service (vmdir)
A VMware Directory Service (vmdir) is associated with the domain you specify during installation and is included in each vCenter Server deployment. This service is a multi-tenanted, peer-replicating directory service that makes an LDAP directory available on port 389. It also stores and manages vCenter Single Sign-On user accounts and passwords, which are secured by the SHA-512 hashing algorithm.
If your environment includes multiple instances of vCenter Server configured in linked mode, an update of vmdir content in one vmdir instance is propagated to all other instances of vmdir.
The VMware Directory Service stores not only vCenter Single Sign-On information but also certificate information.
- Identity Management Service
- Handles identity sources and STS authentication requests.