vCenter Single Sign-On is an authentication broker and security token exchange infrastructure. vCenter Single Sign-On issues a token when a user authenticates. The user can use the token to authenticate to vCenter Server services. The user can then perform the actions that user has privileges for.
Because traffic is encrypted for all communications, and because only authenticated users can perform the actions that they have privileges for, your environment is secure.
Users and service accounts authenticate with a token, or a user name and password. Solution users authenticate with a certificate. For information on replacing solution user certificates, see vSphere Security Certificates.
The next step is authorizing the users who can authenticate to perform certain tasks. Usually, you assign vCenter Server privileges, typically by assigning the user to a group that has a role. vSphere includes other permission models such as global permissions. See the vSphere Security documentation.