As a vSphere administrator, you can enable guest OS access on certain SSO accounts.

Enabling SSO accounts to log in to a guest OS provides users with additional capabilities to perform administrative tasks on guest virtual machines, such as installing or upgrading the VMware Tools or configuring apps.

Functionality to allow vSphere administrators to configure a guest operating system to use VGAuth authentication. The vSphere administrator must know the guest administrator password for the enrollment process.

To enroll SSO users to a guest user account, you must enroll SSO users to accounts in guest operating systems. The enrollment process maps a vSphere user to a particular account in the guest by using SSO certificates. Subsequent guest management requests use an SSO SAML token to log in to the guest.

You must configure VMs to accept X.509 certificates. X.509 certificates allow the vSphere administrators in your data center to use SAML tokens issued by single sign-on service to access guest OSs.