vCenter Single Sign-On Challenge (SSPI)

The vCenter Single Sign-On server supports the use of SSPI (Security Support Provider Interface) for client authentication. SSPI authentication requires that both the client and server use security providers to perform authentication.
At the beginning of a vCenter Single Sign-On server session, the vCenter Single Sign-On client and vCenter Single Sign-On server exchange data. Each participant will use its security provider to authenticate the data it receives. The authentication exchange continues until both security providers authenticate the data.
The vCenter Single Sign-On client API provides a challenge request for client participation in SSPI authentication. The following sequence describes the challenge protocol.
  1. The vCenter Single Sign-On client sends an issue request to the vCenter Single Sign-On server. The request contains the client credentials.
  2. The vCenter Single Sign-On server uses its security provider to authenticate the client. The server returns a RequestSecurityTokenResponseType object in response to the issue request. The response contains a challenge.
  3. The vCenter Single Sign-On client uses its security provider to authenticate the vCenter Single Sign-On server response. To continue the authentication exchange, the client sends a challenge request to the vCenter Single Sign-On server. The request contains the resolution to the server's challenge, and it can also contain a challenge from the vCenter Single Sign-On client.
  4. The vCenter Single Sign-On server uses its security provider to authenticate the client's response. If the security providers require further rounds, the server continues the authentication exchange by returning another response with an embedded challenge. If authentication is successful, the vCenter Single Sign-On server returns a SAML token to complete the original issue request.
To exchange challenge data, the vCenter Single Sign-On client and vCenter Single Sign-On server use the following elements, which are defined for both RequestSecurityTokenType and RequestSecurityTokenResponseType objects.
  • Context attribute
  • BinaryExchange element
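The four-step exchange above, together with the Context attribute and BinaryExchange element that carry it, is shown below as an added simulation. This is constructed example code, not the vCenter Single Sign-On client API or VMware's STS implementation: the "security provider" is a toy HMAC challenge-response over a shared secret standing in for a real SSPI package, the issue and challenge calls are plain Python methods rather than WS-Trust SOAP operations, the message dictionaries and their keys (Context, BinaryExchange, RequestedSecurityToken) are assumptions that mirror the element names in the text, and the SAML token is a placeholder string. What it demonstrates is the control flow a client must implement: loop on challenge responses until a token arrives, echo the server's Context on every round, answer the server's challenge while posing one of its own, and refuse the token if the server never proves itself (mutual authentication, step 3).

```python
"""Constructed simulation of the vCenter Single Sign-On SSPI challenge loop.

Illustrative code only: the security provider, message layout and field
names below are assumptions, not the vCenter Single Sign-On client API.
"""
import hashlib
import hmac
import secrets

PROOF_LEN = 32      # HMAC-SHA256 digest length
NONCE_LEN = 16
MAX_ROUNDS = 8      # guard against a server that challenges forever
SAML_TOKEN = "<saml:Assertion>constructed placeholder</saml:Assertion>"


class ToySecurityProvider:
    """Stands in for an SSPI security provider on one side of the exchange.

    Assumed toy scheme: proving knowledge of a shared secret by HMACing the
    peer's nonce. Real SSPI packages (Kerberos, NTLM) exchange opaque tokens.
    """

    def __init__(self, shared_secret: bytes):
        self._key = shared_secret

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

    def verify(self, nonce: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(self.prove(nonce), proof)


class SsoServer:
    """Server side: answers issue and challenge requests (names assumed)."""

    def __init__(self, provider: ToySecurityProvider, legs: int = 1):
        self._provider = provider
        self._legs = legs          # how many challenge rounds the provider needs
        self._pending = {}         # Context -> (server nonce, rounds left)

    def issue(self, rst: dict) -> dict:
        # Steps 1 and 2: the initial credentials (first SSPI blob) cannot be
        # verified on their own, so open a Context and return a challenge.
        context = secrets.token_hex(8)
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending[context] = (nonce, self._legs)
        return {"Context": context, "BinaryExchange": nonce}

    def challenge(self, rstr: dict) -> dict:
        # Step 4: authenticate the client's resolution of our challenge.
        state = self._pending.pop(rstr.get("Context"), None)
        if state is None:
            raise PermissionError("unknown, expired or replayed Context")
        nonce, legs_left = state
        data = rstr["BinaryExchange"]
        proof, client_nonce = data[:PROOF_LEN], data[PROOF_LEN:]
        if not self._provider.verify(nonce, proof):
            raise PermissionError("client failed the server's challenge")
        # Answer the client's own challenge (mutual authentication).
        reply = self._provider.prove(client_nonce)
        if legs_left > 1:
            # Provider still needs more rounds: embed a fresh challenge.
            next_nonce = secrets.token_bytes(NONCE_LEN)
            self._pending[rstr["Context"]] = (next_nonce, legs_left - 1)
            return {"Context": rstr["Context"], "BinaryExchange": reply + next_nonce}
        # Authentication complete: finish the original issue request.
        return {"Context": rstr["Context"], "BinaryExchange": reply,
                "RequestedSecurityToken": SAML_TOKEN}


class SsoClient:
    """Client side: drives the issue/challenge loop until a token arrives."""

    def __init__(self, provider: ToySecurityProvider, server: SsoServer):
        self._provider = provider
        self._server = server

    def acquire_token(self) -> str:
        # Step 1: issue request carrying the provider's initial blob.
        rstr = self._server.issue({"BinaryExchange": b"NEGOTIATE"})
        context = rstr["Context"]
        server_nonce = rstr["BinaryExchange"]
        for _ in range(MAX_ROUNDS):
            # Step 3: resolve the server's challenge and pose our own.
            client_nonce = secrets.token_bytes(NONCE_LEN)
            rstr = self._server.challenge({
                "Context": context,
                "BinaryExchange": self._provider.prove(server_nonce) + client_nonce,
            })
            data = rstr["BinaryExchange"]
            # Authenticate the server's reply before trusting anything in it.
            if not self._provider.verify(client_nonce, data[:PROOF_LEN]):
                raise PermissionError("server failed the client's challenge")
            if "RequestedSecurityToken" in rstr:
                return rstr["RequestedSecurityToken"]
            server_nonce = data[PROOF_LEN:]   # another embedded challenge
        raise PermissionError("too many challenge rounds")


def run_exchange(client_secret: bytes, server_secret: bytes, legs: int = 1) -> str:
    """Run one full exchange and return the issued (placeholder) token."""
    server = SsoServer(ToySecurityProvider(server_secret), legs=legs)
    return SsoClient(ToySecurityProvider(client_secret), server).acquire_token()


if __name__ == "__main__":
    print(run_exchange(b"shared-secret", b"shared-secret", legs=2))
```

The two failure paths worth keeping in a real client are the ones exercised here: a mismatched secret is rejected by the server before any token is issued, and a server that cannot answer the client's challenge is rejected by the client even if it does hand over a token. The server also drops a Context as soon as it is consumed, so a replayed challenge request fails instead of being re-evaluated.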