You can use the Password grant type to exchange user credentials for an access token and an ID token from the authorization server. From the user's perspective, the password grant type functions exactly as basic authentication with the only difference that you use your AD FS, and not your local vCenter Single Sign-On credentials.

The Password grant type is possible among native apps but is not recommended for authentication to third-party apps. Modern security best practices require that primary user credentials such as passwords do not leave the native API environment. Therefore, it is more secure to use other OAuth 2.0 grant types for authentication to third-party apps.

To use the Password grant type with AD FS, you provide your AD FS user name and password to the Common Infrastructure Services (CIS) Session endpoint.

In the background, the client application calls the authorization server (AD FS) and obtains an access token and an ID token in JWT format. vCenter Single Sign-On converts the JWT tokens into a SAML token which is used to obtain a session identifier and authenticate your application to vCenter Server.

For authentication with the Password grant type to AD FS through the Java or Python SDKs, you use the same workflows as in Create a vSphere Automation Session with User Credentials.