After you deploy vCenter Server initially, you can configure an external identity provider for federated authentication.
You configure vCenter Server Identity Provider Federation from the vSphere Client or the API. You also must perform some configuration on your external identity provider. To configure vCenter Server Identity Provider Federation, you must have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator privileges is different from having the Administrator role on vCenter Server or ESXi. In a new installation, only the vCenter Single Sign-On administrator (firstname.lastname@example.org by default) can authenticate to vCenter Single Sign-On.