As a vSphere administrator, you can enable guest OS access on certain SSO accounts.

Enabling SSO accounts to login to guest OS provides users with additional capabilities to perform administrative tasks on guest virtual machines, such as, installing or upgrading the VMware Tools or configuring apps.

Functionality to allow vSphere administrators to configure a guest operating system to use vgauth authentication. The vSphere administrator will need to know the guest administrator password for the enrollment process.

In order to enroll SSO users to guest user account, you should enroll SSO users to accounts in guest operating systems. The enrollment process will map a vSphere user to a particular account in the guest through the use of SSO certificates. Subsequent guest management requests can then use a SSO SAML token to log into the guest

You should configure VMs to accept X.509 certificates so that vSphere administrators in your data center can use SAM tokens issued by single sign-on service to access guest OSs.