vCenter Server Cloud Provider Use Cases and Architectures : Understanding vCenter Server Role-Based Access Control : 6.3 VMware vCenter Single Sign-On
   
6.3 VMware vCenter Single Sign-On
The VMware vCenter Single Sign-On role is integrated into the VMware Platform Services Controller™ component of vCenter Server and provides an authentication broker and a security token exchange (the Security Token Service, STS). The aim of vCenter Single Sign-On is to provide a secure, centralized way of accessing a mixed vSphere solution with multiple vCenter Server instances as well as other VMware products.
vCenter Single Sign-On forms the authentication domain of a vSphere infrastructure. When a user logs in to vCenter Server, whether through the vSphere Web Client or an API, the client first authenticates against the SSO server, which is typically integrated with a directory service such as Microsoft Active Directory. On successful authentication the STS issues a SAML 2.0 token for that user, and the client presents this token, rather than the user's password, to vCenter Server to establish its session. vCenter Server accepts the token only if it was signed by an STS it trusts, so the STS signing certificate is the trust anchor for the whole authentication domain.
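The token exchange described above, as an added example that is not code from this guide or from VMware: a Python script that builds the WS-Trust request a client sends to the STS for a bearer SAML 2.0 token, then applies the checks a relying party makes on the returned assertion before using it. The STS issuer URL, the vCenter Server audience URL, the account names and the sample assertion are all constructed for the example, and XML signature verification, which the real exchange requires, is left out.

```python
"""vCenter SSO token exchange, worked: (1) the WS-Trust RequestSecurityToken a
client sends to the SSO Security Token Service (STS) for a bearer SAML 2.0
token; (2) the checks a relying party applies to the returned assertion.
Added example, not VMware code; standard library only. ASSUMPTION: the URLs and
the assertion below are constructed; the real STS XML-signs assertions and that
signature must be verified against the STS signing certificate (not shown)."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML2_TOKEN_TYPE = "urn:oasis:names:tc:SAML:2.0:assertion"
WST_ISSUE = NS["wst"] + "/Issue"
WST_BEARER = NS["wst"] + "/Bearer"
UTC = dt.timezone.utc

# Constructed sample values; not taken from a real deployment.
STS_ISSUER = "https://psc01.example.local/websso/SAML2/Metadata/vsphere.local"
VC_AUDIENCE = "https://vcenter01.example.local/sdk"
SAMPLE_NOW = dt.datetime(2024, 1, 15, 10, 5, 0, tzinfo=UTC)
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" IssueInstant="2024-01-15T10:00:00.000Z" Version="2.0">
  <saml2:Issuer>%s</saml2:Issuer>
  <saml2:Subject><saml2:NameID>admin@corp.example</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2024-01-15T10:00:00.000Z" NotOnOrAfter="2024-01-15T10:10:00.000Z">
    <saml2:AudienceRestriction><saml2:Audience>%s</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>""" % (STS_ISSUER, VC_AUDIENCE)

def _q(prefix, name):  # Clark-notation tag for ElementTree
    return "{%s}%s" % (NS[prefix], name)

def _parse_ts(s):  # xsd:dateTime in UTC, fractional seconds tolerated
    return dt.datetime.strptime(s.rstrip("Z").split(".")[0],
                                "%Y-%m-%dT%H:%M:%S").replace(tzinfo=UTC)

def build_rst(username, password, lifetime_s=600, now=None):
    """SOAP envelope the client POSTs to the STS: a WS-Security UsernameToken
    (the only hop the password makes, over TLS) plus the token request."""
    for p, u in NS.items():
        ET.register_namespace(p, u)
    now = now or dt.datetime.now(UTC).replace(microsecond=0)
    created, expires = (t.strftime("%Y-%m-%dT%H:%M:%SZ")
                        for t in (now, now + dt.timedelta(seconds=lifetime_s)))
    env = ET.Element(_q("soap", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, _q("soap", "Header")), _q("wsse", "Security"))
    ts = ET.SubElement(sec, _q("wsu", "Timestamp"), {_q("wsu", "Id"): "_" + uuid.uuid4().hex})
    ET.SubElement(ts, _q("wsu", "Created")).text = created
    ET.SubElement(ts, _q("wsu", "Expires")).text = expires
    ut = ET.SubElement(sec, _q("wsse", "UsernameToken"))
    ET.SubElement(ut, _q("wsse", "Username")).text = username
    ET.SubElement(ut, _q("wsse", "Password")).text = password
    rst = ET.SubElement(ET.SubElement(env, _q("soap", "Body")), _q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, _q("wst", "TokenType")).text = SAML2_TOKEN_TYPE
    ET.SubElement(rst, _q("wst", "RequestType")).text = WST_ISSUE
    ET.SubElement(rst, _q("wst", "KeyType")).text = WST_BEARER  # bearer, not holder-of-key
    lt = ET.SubElement(rst, _q("wst", "Lifetime"))
    ET.SubElement(lt, _q("wsu", "Created")).text = created
    ET.SubElement(lt, _q("wsu", "Expires")).text = expires
    return ET.tostring(env, encoding="unicode")

def check_assertion(xml_text, expected_issuer, audience, now=None):
    """Refuse an assertion not issued by the trusted STS, not addressed to this
    vCenter Server, or outside its validity window; return subject and window."""
    now = now or dt.datetime.now(UTC)
    root = ET.fromstring(xml_text)
    if root.tag != _q("saml", "Assertion") or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError("untrusted issuer %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before, not_on_or_after = (_parse_ts(cond.get(a, ""))
                                   for a in ("NotBefore", "NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        raise ValueError("assertion not intended for %s" % audience)
    return {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "issuer": issuer, "not_before": not_before, "not_on_or_after": not_on_or_after}

def demo():
    """Both checks at fixed times so the outcome is deterministic."""
    ok = check_assertion(SAMPLE_ASSERTION, STS_ISSUER, VC_AUDIENCE, now=SAMPLE_NOW)
    try:  # ten minutes later the same token must be refused
        check_assertion(SAMPLE_ASSERTION, STS_ISSUER, VC_AUDIENCE,
                        now=SAMPLE_NOW + dt.timedelta(minutes=10))
        return {"subject": ok["subject"], "expired_rejected": False}
    except ValueError:
        return {"subject": ok["subject"], "expired_rejected": True}
```

In the live exchange the STS returns the signed assertion inside a RequestSecurityTokenResponse, and the client then calls the vSphere API's SessionManager.LoginByToken with that assertion carried in the SOAP Security header; that call is the "token exchanged as credentials" step described above. The checks in check_assertion are the ones vCenter Server itself applies on receipt, with the issuer comparison standing in for the signature check against the STS signing certificate that a full implementation must add.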
vCenter Server also periodically validates the users and groups that hold permissions against the directory through SSO. If a user or group that holds a vCenter Server permission no longer exists in the domain, vCenter Server removes the permissions associated with that principal during validation. This means deleting a directory account is enough to revoke its vCenter Server access, but it also means that a group that is deleted or renamed in the directory silently loses its vCenter Server permissions, and with them the access of every member who inherited them.
It is important to recognize that without an operational SSO service there is no access to vCenter Server, because no SAML token can be issued. SSO is therefore the first component that must be designed and implemented to achieve a stable mechanism for gaining access to the shared vCenter Server infrastructure, and Platform Services Controller high availability is a key design factor in providing consistent and reliable access to the platform.