vSphere provides common infrastructure services to manage certificates for both vCenter Server and ESXi components, and to manage authentication with vCenter Single Sign-On.
How Do You Manage vSphere Certificates
By default, vSphere enables you to provision vCenter Server components and ESXi hosts with VMware Certificate Authority (VMCA) certificates. You can also use custom certificates, which are stored in the VMware Endpoint Certificate Store (VECS). For more information, see What Options Do You Have to Manage vSphere Certificates.
What Is vCenter Single Sign-On
vCenter Single Sign-On allows vSphere components to communicate with each other through a secure token mechanism. vCenter Single Sign-On uses specific terms and definitions that are important to understand.
Term | Definition |
---|---|
Principal | An entity that can be authenticated, such as a user. |
Identity Provider | A service that manages identity sources and authenticates principals. Examples: Microsoft Active Directory Federation Services (AD FS) and vCenter Single Sign-On. |
Identity Source (Directory Service) | Stores and manages principals. Principals consist of a collection of attributes about a user or a service account such as name, address, email, and group membership. Examples: Microsoft Active Directory and VMware Directory Service (vmdir). |
Authentication | The means of determining whether someone or something is, in fact, who or what it declares itself to be. For example, users are authenticated when they provide their credentials, such as smart cards, user name and correct password, and so on. |
Authorization | The process of determining which objects an authenticated principal is permitted to access and which operations it may perform on them. Authorization is evaluated only after authentication succeeds. |
Token | A signed collection of data comprising the identity information for a given principal. A token might include not only basic information about the principal such as email address and full name, but also, depending on the token type, the principal's groups and roles. |
vmdir | VMware Directory Service. The internal (local) LDAP repository in vCenter Server that contains user identities, groups, and configuration data. |
OAuth 2.0 | An open authorization standard that enables the exchange of information among principals and web services without exposing principals’ credentials. |
OpenID Connect (OIDC) | Authentication protocol based on OAuth 2.0 that augments OAuth with user-identifying information. It is represented by the ID token that the authorization server returns together with the access token during OAuth authentication. vCenter Server uses OIDC capabilities when interacting with Active Directory Federation Services (AD FS), Okta, Microsoft Entra ID, and PingFederate. |
System for Cross-domain Identity Management (SCIM) | The standard for automating the exchange of user identity information between identity domains or IT systems. |
VMware Identity Services | Starting in version 8.0 Update 1, VMware Identity Services is a built-in container within vCenter Server that you can use for identity federation to external identity providers. It serves as an independent identity broker within vCenter Server and comes with its own set of APIs. Currently, VMware Identity Services supports Okta, Microsoft Entra ID, and PingFederate as external identity providers. |
Tenant | A VMware Identity Services concept. A tenant provides a logical separation of its data from other tenants’ data within the same virtual environment. |
JSON Web Token (JWT) | A compact, signed token format defined by RFC 7519 (it is not defined by the OAuth 2.0 specification itself, which does not mandate a token format, but it is the usual format for OAuth 2.0 access tokens and for OIDC ID tokens). A JWT carries authentication and authorization information (claims) about a principal, and the consumer must verify its signature, expiry, issuer, and audience before trusting any claim in it. |
Relying party | A relying party “relies” on the authorization server, VMware Identity Services or AD FS, for identity management. For example, through federation, vCenter Server establishes relying party trust to VMware Identity Services or AD FS. |
Security Assertion Markup Language (SAML) | An XML-based open standard for exchanging authentication and authorization data between parties that is used by vCenter Server. Principals obtain a SAML token from vCenter Single Sign-On and then send it to the vSphere Automation API endpoint for a session identifier. |
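To make the Token and JWT definitions above concrete, the following added example (written for this page, not code from vCenter Server, VMware Identity Services, or any VMware SDK) builds a minimal HS256 JWT from constructed claims and then verifies it the way a relying party should: algorithm pinned, signature checked with a constant-time comparison, then expiry, issuer, and audience. It also shows two tokens a relying party must reject: one whose claims were edited without the signing key, and one rewritten to `alg=none`. The signing key, issuer URL, audience, and user names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values (not vCenter Server or VMware Identity Services values).
SIGNING_KEY = b"constructed-demo-hmac-key-do-not-reuse"
EXPECTED_ISSUER = "https://idp.example.test/oauth2"      # hypothetical identity provider
EXPECTED_AUDIENCE = "vcenter-relying-party"              # hypothetical relying-party id


def _b64url_encode(raw: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sample_claims() -> dict:
    """Constructed claim set resembling what an OIDC ID token carries."""
    issued = 1_700_000_000
    return {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "sub": "alice@example.test", "groups": ["vsphere-admins"],
            "iat": issued, "exp": issued + 3600}


def mint_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header_b64 = _b64url_encode(_json_compact({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = _b64url_encode(_json_compact(claims))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(signature)}"


def verify_jwt(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable; raise ValueError otherwise.

    Order matters: pin the algorithm (never let the token's header choose it),
    check the signature, and only then read and evaluate the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def rejection_reason(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_jwt(token, key, now)
        return None
    except ValueError as exc:
        return str(exc)


def forge_claims(token: str, **changes) -> str:
    """Attacker without the key: edit the payload but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    return f"{header_b64}.{_b64url_encode(_json_compact(claims))}.{sig_b64}"


def forge_alg_none(token: str) -> str:
    """Attacker without the key: rewrite the header to alg=none and drop the signature."""
    _, payload_b64, _ = token.split(".")
    return f"{_b64url_encode(_json_compact({'alg': 'none', 'typ': 'JWT'}))}.{payload_b64}."


if __name__ == "__main__":
    claims = sample_claims()
    token = mint_jwt(claims)
    print("valid   :", verify_jwt(token, now=claims["iat"] + 10)["sub"])
    print("edited  :", rejection_reason(forge_claims(token, sub="admin@example.test"), now=claims["iat"] + 10))
    print("alg=none:", rejection_reason(forge_alg_none(token), now=claims["iat"] + 10))
    print("expired :", rejection_reason(token, now=claims["exp"] + 1))
```

Two design points carry over to any relying party, including one fronting vCenter Server: the accepted algorithm (and, for asymmetric signatures, the issuer's published key set) is configuration on the verifying side, never a value read from the token, and no claim, including `sub` and `groups`, is read until the signature has been checked, so an edited payload fails on "bad signature" rather than on a later claim check.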
What Are the vCenter Single Sign-On Authentication Types
vCenter Single Sign-On uses different types of authentication, depending on whether the built-in vCenter Server identity provider or an external identity provider is involved.
Authentication Type | What Acts as the Identity Provider? | Does vCenter Server Handle the Password? | Description |
---|---|---|---|
Token-Based Authentication | External identity provider. For example, AD FS. | No | The user's credentials are presented to the external identity provider, not to vCenter Server. vCenter Server contacts the identity provider through the configured federation protocol (for example, OIDC) and obtains a signed token that represents the user's identity, which it then validates before granting a session. |
Simple Authentication | vCenter Server | Yes | The user name and password are passed directly to vCenter Server, which validates the credentials through its identity sources. |