Acquiring a SAML Token from a vCenter Single Sign-On Server
Last Updated December 16, 2024

To obtain a security token from a vCenter Single Sign-On server, the vCenter Single Sign-On client calls the Issue method, which sends a SOAP message that contains a token request and authentication data. This section describes a token request that uses a certificate to obtain a holder-of-key token. When the client creates the token request, it also inserts timestamp, signature, and certificate data into the SOAP security header.
The following figure represents the content of an Issue request and the response containing a SAML token.
Figure: Issue - vCenter Single Sign-On Token Request and Response (diagram of the processes and message traffic for a sign-on request)
The vCenter Single Sign-On SDK provides Java packages that support SOAP header manipulation.
When the vCenter Single Sign-On server receives the Issue request, it performs the following operations to generate a token:
  • Uses the timestamp to validate the request.
  • Validates the certificate.
  • Uses the certificate to validate the digital signature.
  • Uses the certificate subject to authenticate the request. Authentication is obtained from the identity store that is registered with the vCenter Single Sign-On server.
  • Generates a token that specifies the principal – the vCenter Single Sign-On client – as the token subject.
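As an added example (not code from the vCenter Single Sign-On SDK, which is Java), the following Python parses a constructed Issue request and runs the structural checks that precede the cryptographic steps in the list above: the timestamp window, that the signature covers both the timestamp and the body, that the signing certificate is carried in the security header, and that a holder-of-key token is requested. The element names and URIs are the standard SOAP 1.1, WS-Security 1.0 and WS-Trust 1.3 ones; the certificate and signature values are placeholders, and certificate chain validation and XML-DSig verification are left to an XML-DSig library.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {  # standard SOAP 1.1, WS-Security 1.0 and WS-Trust 1.3 namespaces
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
}
# Constructed Issue request: the certificate and signature values are placeholders, not real data.
SAMPLE_REQUEST = """<s:Envelope xmlns:s="{s}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}" xmlns:wst="{wst}">
 <s:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="_ts"><wsu:Created>2024-12-16T10:00:00Z</wsu:Created><wsu:Expires>2024-12-16T10:10:00Z</wsu:Expires></wsu:Timestamp>
  <wsse:BinarySecurityToken wsu:Id="_cert">PLACEHOLDER-BASE64-DER-CERT</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_ts"/><ds:Reference URI="#_body"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#_cert"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature></wsse:Security></s:Header>
 <s:Body wsu:Id="_body"><wst:RequestSecurityToken><wst:RequestType>{wst}/Issue</wst:RequestType>
  <wst:KeyType>{wst}/PublicKey</wst:KeyType></wst:RequestSecurityToken></s:Body></s:Envelope>""".format(**NS)
def _utc(text):  # WS-Security timestamps are UTC xsd:dateTime values such as 2024-12-16T10:00:00Z
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def precheck_issue_request(xml_text, now, skew=timedelta(minutes=5)):
    # Returns the list of rejection reasons; an empty list means the structural checks pass.
    root = ET.fromstring(xml_text)
    sec = root.find("s:Header/wsse:Security", NS)
    body = root.find("s:Body", NS)
    ts = sec.find("wsu:Timestamp", NS)
    problems = []
    # 1. Timestamp: reject requests dated in the future (beyond clock skew) or already expired.
    if _utc(ts.find("wsu:Created", NS).text) > now + skew:
        problems.append("timestamp Created is in the future")
    if now > _utc(ts.find("wsu:Expires", NS).text):
        problems.append("timestamp has expired")
    # 2. Signature coverage: timestamp and body must both be signed references, or either could be swapped.
    wsu_id = "{%s}Id" % NS["wsu"]
    signed = {r.get("URI") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    for label, el in (("Timestamp", ts), ("Body", body)):
        if "#%s" % el.get(wsu_id) not in signed:
            problems.append("%s is not covered by the signature" % label)
    # 3. Certificate: KeyInfo must point at the BinarySecurityToken carried in the same header.
    cert_ref = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    bst = sec.find("wsse:BinarySecurityToken", NS)
    if bst is None or cert_ref is None or cert_ref.get("URI") != "#%s" % bst.get(wsu_id):
        problems.append("signing certificate is not carried in the header")
    # 4. Holder-of-key: KeyType PublicKey asks for a token bound to the client's certificate.
    key_type = body.find("wst:RequestSecurityToken/wst:KeyType", NS)
    if key_type is None or key_type.text != NS["wst"] + "/PublicKey":
        problems.append("request does not ask for a holder-of-key token")
    return problems
```

Only after these checks pass does the server validate the certificate chain, verify the XML signature with it, and look up the certificate subject in the identity store.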