Configuring vCenter 6 SSO Identity Sources

vCenter Single Sign-On (SSO) is an authentication broker and act as a security token exchange.  vCenter Single Sign-On performs the following steps to authenticate a user:
vSphere6_0131.  A user logs in to vSphere Web Client with a user name and password to access the vCenter Server.
2.  vSphere Web Client sends an authentication request to the vCenter Single Sign-On server.
3.  The Security Token Service (STS) receives the request and forwards the request to Identity Manager Service (IDM) by using the IDM client.
4.  IDM identifies the request as an authentication request and forwards the request to the authentication interface subsystem. The authentication interface subsystem contacts the appropriate identity source and requests that the credentials be validated.
5.  If authentication is successful, IDM informs STS. STS generates a token and sends it to vSphere Web Client. If authentication fails with a negative response, the response is sent to vSphere Web Client.
6.  The user uses vSphere Web Client to access vCenter Server.

Following are the vCenter Single Sign-On (SSO) Components:

Component Description
STS (Security Token Service) The STS service issues Security Assertion Markup Language (SAML) tokens. These security tokens represent the identity of a user and allow both human users and solution users who authenticate successfully to vCenter Single Sign-On to use any vCenter service. This eliminates the need to for authenticating again to each service.
Administration Server This allows users with administrator privileges to configure the vCenter SSO server and manage users/ groups from the vSphere Web Client. Initially, only the user administrator@your_domain_name has these privileges. In vSphere 5.5 this user was administrator@vsphere.local but starting vSphere 6.0, you can change the vSphere domain when you install vCenter Server or deploy the vCenter Server Appliance with a new Platform Services Controller. Do not name the domain name with your Microsoft Active Directory or OpenLDAP domain name.
VMware Directory Service (vmdir) This service (vmdir) is associated with the domain that is specified during installation (default is vsphere.local) and is included in Platform Services Controller (PSC). This service is a multi-tenanted, multi-mastered directory service that makes an LDAP directory available on port 389. The service still uses port 11711 for backward compatibility with vSphere 5.5 and earlier systems. Starting with vSphere 6.0, the vmdir service stores not only vCenter Single Sign-On information but also certificate information.
Identity Management Service Handles identity sources and STS authentication requests. STS passes authentication requests to the Identity Manager client, which then forwards the request to the Identity Manager service. The Identity Manager service authenticates the user credentials against one of the identity sources and responds back to STS.
vCenter Lookup Service
vCenter Lookup Service contains topology information about the vSphere infrastructure, enabling vSphere components to connect to each other securely. Services, such as Inventory Service and vCenter Server, register with vCenter Lookup Service so that other vSphere components, like vSphere Web Client, can find them.

To add an Identity Source to vCenter SSO, follow the steps below:
1.  Log in to the vSphere Web Client as administrator@your_domain_name e.g. administrator@security.local or administrator@vsphere.local
2.  Go to Administration > Single Sign-On > Configuration.
3.  On the Identity Sources tab, click the “+” Add Identity Source icon.
4.  Select the identity source type as “Active Directory as an LDAP Server”
5.  Complete the rest of identity source settings as:
•    Name: mytestlab
•    Base DN for users: cn=users,dc=mytestlab,dc=net
•    Domain name:
•    Base DN for groups: cn=users,dc=mytestlab,dc=net
•    Primary server URL: ldap://
•    Username:
6.  Click Test Connection to verify and then click OK.


Set the Default Domain for vCenter Single Sign-On:
1.  Go to Administration > Single Sign-On > Configuration.
2.  On the Identity Sources tab, select an identity source and click the Set as Default Domain icon. In the domain display, the default domain shows (default) in the Domain column.


  1. VMware vSphere 6.0 Installation and Setup Guide
  2. VMware vSphere 6.0 Security Guide

One thought on “Configuring vCenter 6 SSO Identity Sources

  1. vCenter Server upgrade to 5.5 may failWhen uipdargng from vSphere 5.1 to 5.5, the vCenter Single Sign-On upgrade may fail. This issue affects some vCenter Server 5.1 systems running with default certificates that are uipdargng to vCenter Server 5.5 under certain specific conditions. To resolve this issue, before uipdargng, reviewKB 2060511

Leave a Reply

Your email address will not be published. Required fields are marked *