When a user logs in, vCenter Single Sign-On checks the default identity source to determine whether that user can authenticate. You can add identity sources, remove identity sources, and change the default.

You configure vCenter Single Sign-On from the vSphere Web Client. To configure vCenter Single Sign-On, you must have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator privileges is different from having the Administrator role on vCenter Server or ESXi. By default, only the user administrator@vsphere.local has administrator privileges on the vCenter Single Sign-On server in a new installation.

You can use identity sources to attach one or more domains to vCenter Single Sign-On. A domain is a repository for users and groups that the vCenter Single Sign-On server can use for user authentication.

Each vCenter Single Sign-On identity source is associated with a domain. vCenter Single Sign-On uses the default domain to authenticate a user who logs in without a domain name. Users who belong to a domain that is not the default domain must include the domain name when they log in.

Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On identity source. vCenter Single Sign-On administrator users can add identity sources from the vSphere Web Client.

vSphere users are defined in an identity source. You can edit the details of an identity source that is associated with vCenter Single Sign-On.

vSphere users are defined in an identity source. You can remove an identity source from the list of registered identity sources.

You can use vCenter Single Sign-On with Windows Session Authentication (SSPI). The Client Integration Plug-in must be installed for the Windows session authentication checkbox to be available on the login page.