7.1.6 Design Implications
Use single sign-on (SSO) to provide a common service, both internally and externally.

Single sign-on (SSO) can be combined with the use of smart cards or Common Access Cards (CACs) for initial authentication to a directory service.

You must use a supported Identity Provider (IdP):
Identity sources: OpenAM, Active Directory Federation Services, Shibboleth.
Deployment models: Single mode (one node), HA mode (multiple nodes), Replication mode.

Use a high availability architecture to provide a highly available single sign-on (SSO) service.
Deploying vCenter Single Sign-On as a cluster means that two or more instances of vCenter Single Sign-On are installed in high availability (HA) mode. vCenter Single Sign-On HA mode is not the same as vSphere HA. All instances of vCenter Single Sign-On use the same database and should point to the same identity sources. Single Sign-On administrator users, when connected to vCenter Server through the vSphere Web Client, see the primary Single Sign-On instance. In this deployment scenario, the installation process grants admin@System-Domain vCenter Server privileges by default. In addition, the installation process creates the user admin@System-Domain to manage vCenter Single Sign-On.