vCenter Single Sign On Overview
To support the requirements for secure software environments, software components require authorization to perform operations on behalf of a user. In a single sign-on environment, a user provides credentials once, and components in the environment perform operations based on the original authentication. vCenter Single Sign On authentication can use the following identity store technologies:
For information about configuring identity store support, see vSphere Installation and Setup and vSphere Security in the VMware Documentation Center.
In the context of single sign-on, the vSphere environment is a collection of services and solutions, each of which potentially requires authentication of clients that use the service or solution. Examples of solutions that might support single sign-on include vShield, SRM (Site Recovery Manager), and vCO (vCenter Orchestrator). Because a service can use another service, single sign-on provides a convenient mechanism to broker authentication during a sequence of vSphere operations.
The vCenter Single Sign On Server provides a Security Token Service (STS). A vCenter Single Sign On client connects to the vCenter Single Sign On server to obtain a token that represents the client. A token uses the Security Assertion Markup Language (SAML), which is an XML encoding of authentication data. It contains a collection of statements or claims that support client authentication. Examples of token claims include name, key, and group.
There are two types of vCenter Single Sign On tokens.
Holder-of-key tokens provide authentication based on security artifacts embedded in the token. Holder-of-key tokens can be used for delegation. A client can obtain a holder-of-key token and delegate that token for use by another entity. The token contains the claims to identify the originator and the delegate. In the vSphere environment, a vCenter Server obtains delegated tokens on a user’s behalf and uses those tokens to perform operations.
Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user (or entity) sending the request. It is possible to use bearer tokens in the vSphere environment; however, there are potential limitations:
The following figure shows a vCenter client that uses a SAML token to establish a session with a vCenter Server.
Single Sign-On in the vSphere Environment – vCenter Server LoginByToken
The vCenter client also operates as a vCenter Single Sign On client. The vCenter Single Sign On client component handles communication with the vCenter Single Sign On Server.
1. The vCenter Single Sign On client sends a token request to the vCenter Single Sign On Server. The request contains information that identifies the principal. The principal has an identity in the identity store. The principal may be a user or it may be a software component. In this scenario, the principal is the user that controls the vCenter client.
2.
3.
4. The vCenter client connects to the vCenter Server and calls the SessionManager LoginByToken method. The login request contains the SAML token.
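As an added example (not code from the vSphere SDK or from VMware), the following Go program models the checks a relying party performs at the LoginByToken step for the two token types described above: a bearer token is accepted on possession alone, while a holder-of-key token also requires a signature over the request made with the key bound in the token. The JSON token layout, the use of Ed25519 keys in place of the X.509 material a real SAML holder-of-key token carries, the user name and the function names are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Token is a constructed stand-in for a SAML assertion; a nil HolderKey marks a bearer token.
type Token struct {
	Subject   string            `json:"subject"`
	Expires   int64             `json:"expires"`
	HolderKey ed25519.PublicKey `json:"holder_key,omitempty"` // key the STS bound to the token
}
// issue models the STS returning a signed token to the SSO client (holder == nil: bearer).
func issue(sts ed25519.PrivateKey, subject string, holder ed25519.PublicKey, exp time.Time) (body, sig []byte) {
	body, _ = json.Marshal(Token{Subject: subject, Expires: exp.Unix(), HolderKey: holder})
	return body, ed25519.Sign(sts, body)
}

// loginByToken models the relying party's checks: STS signature, expiry and, for holder-of-key, proof of possession of the bound key.
func loginByToken(stsPub ed25519.PublicKey, body, sig, request, proof []byte, now time.Time) (string, error) {
	var t Token
	if !ed25519.Verify(stsPub, body, sig) || json.Unmarshal(body, &t) != nil {
		return "", errors.New("token not issued by the trusted STS")
	}
	if !now.Before(time.Unix(t.Expires, 0)) {
		return "", errors.New("token expired")
	}
	if t.HolderKey != nil && (len(t.HolderKey) != ed25519.PublicKeySize || !ed25519.Verify(t.HolderKey, request, proof)) {
		return "", errors.New("holder-of-key proof of possession failed")
	}
	return t.Subject, nil // a bearer token is accepted on possession alone
}

// demo: a bearer and a holder-of-key token for one user, tried by a party holding only the token and by the legitimate key holder.
func demo() (bearerNoKey, hokNoKey, hokWithKey bool) {
	stsPub, stsPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed: a party that never held clientPriv
	now, req := time.Now(), []byte("LoginByToken")
	bb, bs := issue(stsPriv, "user@vsphere.local", nil, now.Add(time.Minute))
	hb, hs := issue(stsPriv, "user@vsphere.local", clientPub, now.Add(time.Minute))
	_, e1 := loginByToken(stsPub, bb, bs, req, nil, now)
	_, e2 := loginByToken(stsPub, hb, hs, req, ed25519.Sign(otherPriv, req), now)
	_, e3 := loginByToken(stsPub, hb, hs, req, ed25519.Sign(clientPriv, req), now)
	return e1 == nil, e2 == nil, e3 == nil
}
```

demo returns (true, false, true): the copied bearer token logs in without any key, the copied holder-of-key token is rejected without the bound key and accepted only when the request is signed with it.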
The figure shows the vCenter Server, vCenter Single Sign On Server, and identity store as components running on separate machines. You can use different vCenter Single Sign On configurations.
A vCenter Single Sign On Server can operate as an independent component running on its own machine. The vCenter Single Sign On Server can use a remote identity store or it can manage user accounts in its own internal identity store.
A vCenter Single Sign On Server can operate as an embedded component running on the vCenter Server machine. In this configuration, the vCenter Single Sign On Server can use a remote identity store, its own internal identity store, or it can access user accounts on the vCenter Server machine.
For information about installing and configuring the vCenter Single Sign On Server, see vSphere Installation and Setup and vSphere Security in the VMware Documentation Center.