Communication Paths for
Authentication in the Remote Plug-in Server
The remote plug-in server operates
outside the vCenter Server instance, and must authenticate with the Web Services API to
identify and authorize its access to vSphere resources. The authentication procedure
requires several steps, summarized below.
The plug-in user interface communicates with the
vsphere-ui
service through a plug-in sandbox in the browser. The
plug-in sandbox uses the vSphere Client session token to authenticate with the
vsphere-ui
service in vCenter Server. The plug-in server needs to
get a SOAP client session token to authenticate its operations with the Web Services
API. The following diagram shows the basic communication paths involved in converting
the vSphere Client session token to a plug-in server SOAP session token. Plug-in Server Communication
Paths for Authentication

Cloning a session consists of three stages of
interactions involving the plug-in server:
- The plug-in user interface retrieves its session ID and the GUID of the context object, then sends them to the plug-in server.
- The plug-in server sends a REST request to vCenter Server to acquire a ticket that allows it to clone the user session.
- The plug-in server sends a SOAP request to vCenter Server to clone the user session and acquire a new session ID.