The remote plug-in server operates outside the vCenter Server instance, and must authenticate with the Web Services API to identify and authorize its access to vSphere resources. The authentication procedure requires several steps, summarized below.

The plug-in user interface communicates with the vsphere-ui service through a plug-in sandbox in the browser. The plug-in sandbox uses the vSphere Client session token to authenticate with the vsphere-ui service in vCenter Server. The plug-in server needs to get a SOAP client session token to authenticate its operations with the Web Services API. The following diagram shows the basic communication paths involved in converting the vSphere Client session token to a plug-in server SOAP session token.

Figure 1. Plug-in Server Communication Paths for Authentication

Cloning a session consists of three stages of interactions involving the plug-in server:
  1. The plug-in user interface retrieves its session ID and the GUID of the context object, then sends them to the plug-in server.
  2. The plug-in server sends a REST request to vCenter Server to acquire a ticket that allows it to clone the user session.
  3. The plug-in server sends a SOAP request to vCenter Server to clone the user session and acquire a new session ID.
These interactions are described in more detail in How to Delegate Session Authority to the Plug-in Server.
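
The sketch below shows stages 2 and 3 from the plug-in server's side, with the values received from the browser in stage 1 validated before use. It is an added example, not code from the SDK or from this page. The REST path, the `vmware-api-session-id` header, the `vc_guid` and `session_clone_ticket` field names, and the `send_rest`/`send_soap` transport callables are assumptions to confirm against the SDK documentation for your release.

```python
import json
import re
from xml.sax.saxutils import escape

# Assumptions, not from this page: REST path, header and JSON field names of the
# clone-ticket call. Confirm them against the SDK documentation for your release.
CLONE_TICKET_PATH = "/api/ui/vcenter/session/clone-ticket"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
TOKEN_RE = re.compile(r"[\x21-\x7e]{1,512}")  # printable ASCII, no spaces or CR/LF


def build_ticket_request(session_id, vc_guid):
    """Stage 2: REST request trading the user's session ID for a clone ticket."""
    # Both values arrive from the browser (stage 1), so treat them as untrusted.
    if not TOKEN_RE.fullmatch(session_id):
        raise ValueError("malformed session ID")
    if not GUID_RE.fullmatch(vc_guid):
        raise ValueError("malformed vCenter GUID")
    return {
        "method": "POST",
        "path": CLONE_TICKET_PATH,
        "headers": {"vmware-api-session-id": session_id,
                    "Content-Type": "application/json"},
        "body": json.dumps({"vc_guid": vc_guid}),
    }


def build_clone_session_envelope(clone_ticket):
    """Stage 3: SOAP SessionManager.CloneSession request carrying the ticket."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:vim25="urn:vim25"><soapenv:Body><vim25:CloneSession>'
        '<vim25:_this type="SessionManager">SessionManager</vim25:_this>'
        f"<vim25:cloneTicket>{escape(clone_ticket)}</vim25:cloneTicket>"
        "</vim25:CloneSession></soapenv:Body></soapenv:Envelope>"
    )


def delegate_session(session_id, vc_guid, send_rest, send_soap):
    """Run stages 2 and 3; send_rest/send_soap are caller-supplied transports."""
    reply = send_rest(build_ticket_request(session_id, vc_guid))
    ticket = json.loads(reply)["session_clone_ticket"]
    # The ticket is a short-lived credential: use it once, never log or store it.
    return send_soap(build_clone_session_envelope(ticket))
```

In a real plug-in server, `send_rest` and `send_soap` would be TLS-verified HTTP calls to vCenter Server, with `send_soap` returning the session ID of the cloned session.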