vCenter Single Sign-On Token Delegation

Holder-of-key tokens can be delegated to services in the vSphere environment. A service that uses a delegated token acts on behalf of the principal that provided the token. A token request specifies a DelegateTo identity. The DelegateTo value can either be a solution token or a reference to a solution token.
Components in the vSphere environment can use delegated tokens. vSphere clients that use the LoginByToken method to connect to a vCenter server do not use delegated tokens. The vCenter server will use a vSphere client’s token to obtain a delegated token. The vCenter server will use the delegated token to perform operations on behalf of the user after the user’s vCenter session has ended. For example, a user may schedule operations to occur over an extended period of time. The vCenter server will use a delegated token to support these operations.
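
When reviewing which services can act for a user, it helps to list the delegates recorded in a token. The following is an added example, not code from the original page or from VMware: it assumes the token is a SAML 2.0 assertion that records delegates with the OASIS delegation condition, and the sample assertion, account names and the describe_delegation helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "del": "urn:oasis:names:tc:SAML:2.0:conditions:delegation"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample assertion (not captured from a real system); all names are made up.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml2:Subject>
    <saml2:NameID>alice@example.local</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"/>
  </saml2:Subject>
  <saml2:Conditions NotOnOrAfter="2024-01-31T00:00:00Z">
    <saml2:Condition xsi:type="del:DelegationRestrictionType">
      <del:Delegate DelegationInstant="2024-01-01T00:00:05Z">
        <saml2:NameID>scheduler-service@example.local</saml2:NameID>
      </del:Delegate>
    </saml2:Condition>
  </saml2:Conditions>
</saml2:Assertion>"""


def describe_delegation(xml_text):
    """Summarise who a token speaks for and which services it was delegated to.

    Inspection only: the signature is NOT verified here. For untrusted input,
    parse with a hardened XML parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    subject = root.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    methods = [sc.get("Method") for sc in
               root.findall("saml2:Subject/saml2:SubjectConfirmation", NS)]
    delegates = [d.findtext("saml2:NameID", namespaces=NS)
                 for d in root.iterfind(".//del:Delegate", NS)]
    cond = root.find("saml2:Conditions", NS)
    findings = []
    # The page describes delegation for holder-of-key tokens, so a token that
    # lists delegates without holder-of-key confirmation deserves a closer look.
    if delegates and HOK not in methods:
        findings.append("delegated token is not holder-of-key")
    return {"subject": subject, "holder_of_key": HOK in methods,
            "delegates": delegates, "findings": findings,
            "expires": cond.get("NotOnOrAfter") if cond is not None else None}


if __name__ == "__main__":
    print(describe_delegation(SAMPLE))
```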