vCenter Single Sign-On supports authentication in your management infrastructure. Only users that can authenticiate to vCenter Single Sign-On can view and manage infrastructure components. You can add identity sources such as Active Directory or OpenLDAP to vCenter Single Sign-On.

vCenter Single Sign-On Overview

vCenter Single Sign-On is an authentication broker and security token exchange infrastructure for users and solution users, which are sets of VMware services. When a user or a solution user authenticates to vCenter Single Sign-On, that user receives a SAML token. Going forward, the user can use the SAML token to authenticate to vCenter Server services. The user can then view the information and perform the actions that user has privileges for.

By using vCenter Single Sign-On, the vRealize Suite products communicate with each other through a secure token exchange mechanism, instead of requiring each product to authenticate a user separately with a directory service like Microsoft Active Directory. During installation or upgrade, vCenter Single Sign-On constructs an internal security domain, for example, vsphere.local, where the vSphere solutions and products are registered. Instead of using this internal security domain for company-specific authentication information, you can add one or more identity sources such as an Active Directory Domain to vCenter Single Sign-On.

Configuring vCenter Single Sign-On

You can configure vCenter Single Sign-On from the vSphere Web Client.

Starting with vSphere 6.0, vCenter Single Sign-On is part of the Platform Services Controller. The Platform Services Controller contains shared services that support vCenter Server and vCenter Server components. To manage vCenter Single Sign-On, you connect to the Platform Services Controller associated with your environment. See vSphere Authentication with vCenter Single Sign-On for background and details on configuration.