If you are not using an external identity provider, you must understand the underlying architecture of the built-in identity provider, vCenter Single Sign-On, and how it affects installation and upgrades.

vCenter Single Sign-On Components
vCenter Single Sign-On includes the Security Token Service (STS), an administration server, the vCenter Lookup Service, and the VMware Directory Service (vmdir). The VMware Directory Service is also used for certificate management.

Using vCenter Single Sign-On with vSphere
When a user logs in to a vSphere component, or when a vCenter Server solution user accesses another vCenter Server service, vCenter Single Sign-On performs authentication. Users must be authenticated with vCenter Single Sign-On and have the necessary privileges for interacting with vSphere objects.

Groups in the vCenter Single Sign-On Domain
The vCenter Single Sign-On domain (vsphere.local by default) includes several predefined groups. Add users to one of those groups to enable them to perform the corresponding actions.