vCenter Single Sign-On lets you add identity sources, manage default domains, configure a password policy, and edit the lockout policy.

Before you configure vCenter Single Sign-On, understand the following elements.

Identity Source

An identity source is a collection of user and group data. The user and group data is stored in a repository, such as Active Directory, LDAP, or a database that is internal to Single Sign-On or local to an operating system. Upon installation, every instance of Single Sign-On has the identity source System-Domain. This identity source is internal to Single Sign-On. Administrator users can create Single Sign-On users and groups. Single Sign-On users have one of the following roles:

Regular access users are allowed limited self-management capabilities, such as updating an email address or password. Regular users can browse Single Sign-On users and groups. They can view but not edit Single Sign-On configuration options.

Administrator access gives a user complete superuser privileges on the Single Sign-On system, including the ability to create users and groups, assign permissions, add identity sources, and modify policies (lockout and password). Upon installation, only one user (admin@System-Domain) has this role.

On the vCenter Server Appliance, local operating system administrators (for example, root) also have vCenter Single Sign-On administrator privileges.

The password policy defined in the vCenter Single Sign-On configuration tool determines when your password expires. By default, Single Sign-On passwords expire after one year, but your system administrator might change this depending on the policy of your organization.

The vSphere Web Client does not remind you when your password is about to expire. If your password expires and you are unable to log in to the vSphere Web Client, a Single Sign-On user with administrator privileges can reset it.

Default Domain

Every identity source is associated with a domain, and you can specify one or more domains as default. When attempting to authenticate a user, Single Sign-On searches default domains in the order specified.

Password Policy

A Single Sign-On password policy is a set of rules and restrictions on the format and age of Single Sign-On user passwords. Password policies apply only to Single Sign-On users. They do not apply to users that are a part of an Active Directory or OpenLDAP domain, nor do they apply to local operating system users.

Lockout Policy

A lockout policy specifies the conditions under which a user's Single Sign-On account will be locked. In vSphere 5.1, you log in to Single Sign-On rather than into individual vCenter Server systems. The lockout policy applies to users who access vCenter Server by logging in to the vSphere Web Client.

An account might be locked when a user exceeds the allowed number of failed attempts to log in. The lockout policy lets you specify the maximum number of failed login attempts and how much time can elapse between failed attempts. The policy also specifies how much time must elapse before the account is automatically unlocked.
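The following added example (an illustrative model, not VMware code) replays login events against the three lockout settings described above to show how they interact. The field names, the sample events, and the exact counting rule (lock once failures inside the interval exceed the maximum) are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class LockoutPolicy:
    # Hypothetical field names for the three settings the page describes.
    max_failures: int       # allowed number of failed login attempts
    failure_interval: int   # seconds within which failures are counted together
    unlock_time: int        # seconds until the account unlocks automatically

def replay(events, policy):
    """Replay (timestamp, user, success) events; return (timestamp, user, outcome).

    Outcomes: "ok", "failed", "locked" (this failure triggered the lock),
    "rejected" (account locked, attempt refused even with a correct password).
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> time of automatic unlock
    out = []
    for ts, user, success in sorted(events):
        if ts < locked_until.get(user, 0):
            out.append((ts, user, "rejected"))
            continue
        recent = failures[user]
        while recent and ts - recent[0] > policy.failure_interval:
            recent.popleft()        # failure aged out of the counting window
        if success:
            recent.clear()
            out.append((ts, user, "ok"))
            continue
        recent.append(ts)
        if len(recent) > policy.max_failures:   # assumed rule: "exceeds"
            locked_until[user] = ts + policy.unlock_time
            recent.clear()
            out.append((ts, user, "locked"))
        else:
            out.append((ts, user, "failed"))
    return out

# Constructed sample events: (seconds, user, password_correct)
SAMPLE = [
    (0, "alice@System-Domain", False), (30, "alice@System-Domain", False),
    (60, "alice@System-Domain", False), (90, "alice@System-Domain", False),
    (120, "alice@System-Domain", True),   # correct password, but still locked
    (400, "alice@System-Domain", True),   # after the automatic unlock
    # Failures spaced wider than the interval never accumulate:
    (0, "bob@System-Domain", False), (200, "bob@System-Domain", False),
    (400, "bob@System-Domain", False), (600, "bob@System-Domain", False),
]
POLICY = LockoutPolicy(max_failures=3, failure_interval=180, unlock_time=300)

if __name__ == "__main__":
    for row in replay(SAMPLE, POLICY):
        print(*row)
```

The second user never locks because each failure ages out before the next arrives, so the interval setting should be chosen together with log review of failed logins rather than relied on alone.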

To set up vCenter Single Sign-On, you must have Single Sign-On administrator privileges. Having Single Sign-On administrator privileges is different from having the Administrator role on vCenter Server or ESXi.