VMware vCenter Single Sign-On is an authentication service that implements the brokered authentication architectural pattern. You can configure Orchestrator to connect to a vCenter Single Sign-On server.

The vCenter Single Sign-On server provides an authentication interface called Security Token Service (STS). Clients send authentication messages to the STS, which checks the user's credentials against one of the identity sources. Upon successful authentication, STS generates a token.

In vCenter Server versions earlier than vCenter Server 5.1, when a user connects to vCenter Server, vCenter Server authenticates the user by validating the user against an Active Directory domain or the list of local operating system users. In vCenter Server 5.1 and later, users authenticate by using vCenter Single Sign-On.

For versions earlier than vCenter Server 5.1, you must explicitly register each vCenter Server system with the vSphere Web Client. For vCenter Server 5.1 and later, vCenter Server systems are automatically detected and are displayed in the vSphere Web Client inventory.

The vCenter Single Sign-On administrative interface is part of the vSphere Web Client. To configure vCenter Single Sign-On and manage vCenter Single Sign-On users and groups, you log in to the vSphere Web Client as a user with vCenter Single Sign-On administrator privileges. This might not be the same user as the vCenter Server administrator. You must provide the credentials on the vSphere Web Client login page, and upon authentication, you can access the vCenter Single Sign-On administration tool to create users and assign administrative permissions to other users.

Using the vSphere Web Client, you authenticate to vCenter Single Sign-On by providing your credentials on the vSphere Web Client login page. You can then view all of the vCenter Server instances for which you have permissions. After you connect to vCenter Server, no further authentication is required. The actions that you can perform on objects depend on the user's vCenter Server permissions on those objects.

For more information about vCenter Single Sign-On, see vSphere Security.

After you configure Orchestrator to authenticate through vCenter Single Sign-On, make sure that you configure it to work with the vCenter Server instances registered with the vSphere Web Client using the same vCenter Single Sign-On instance.

When you log in to the vSphere Web Client, the Orchestrator Web plug-in communicates with the Orchestrator server on behalf of the user profile you used to log in.