Acquiring a SAML Token from a vCenter Single Sign-On Server
Last Updated December 16, 2024
To obtain a security token from a vCenter Single Sign-On server, the vCenter Single Sign-On client calls the Issue method, which sends a SOAP message that contains a token request and authentication data. This section describes a token request that uses a certificate to obtain a holder-of-key token. When the client creates the token request, it also inserts timestamp, signature, and certificate data into the SOAP security header.
The following figure represents the content of an Issue request and the response containing a SAML token.
Issue - vCenter Single Sign-On Token Request and Response

The vCenter Single Sign-On SDK provides Java packages that support SOAP header manipulation.
When the vCenter Single Sign-On server receives the issue request, it performs the following operations to generate a token:
- Uses the timestamp to validate the request.
- Validates the certificate.
- Uses the certificate to validate the digital signature.
- Uses the certificate subject to authenticate the request. Authentication is obtained from the identity store that is registered with the vCenter Single Sign-On server.
- Generates a token that specifies the principal – the vCenter Single Sign-On client – as the token subject.
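
The first operation in the list, the timestamp check, is sketched below as an added example; it is not code from the vCenter Single Sign-On SDK or server. It reads the WS-Security wsu:Timestamp from the SOAP security header and rejects stale, future-dated, or malformed requests. The function names, the five-minute skew tolerance, and the sample envelope are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {  # standard SOAP 1.1 and WS-Security namespaces
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

def _parse_utc(text):
    # Require an explicit zone so the comparisons below never mix naive and aware values.
    value = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError("timestamp has no time zone")
    return value

def check_request_timestamp(soap_xml, now, max_skew=timedelta(minutes=5)):
    """Return (accepted, reason) for the wsu:Timestamp in the SOAP security header."""
    try:
        root = ET.fromstring(soap_xml)  # a production parser should also reject DTDs
    except ET.ParseError:
        return False, "malformed XML"
    stamps = root.findall("S:Header/wsse:Security/wsu:Timestamp", NS)
    if len(stamps) != 1:  # zero or duplicate timestamps are both ambiguous
        return False, "expected exactly one timestamp"
    try:
        created = _parse_utc(stamps[0].findtext("wsu:Created", "", NS))
        expires = _parse_utc(stamps[0].findtext("wsu:Expires", "", NS))
    except ValueError:
        return False, "unparseable timestamp"
    if expires <= created:
        return False, "expires not after created"
    if created > now + max_skew:
        return False, "created in the future"
    if expires < now - max_skew:
        return False, "expired"
    return True, "fresh"

def sample_envelope(created, expires):
    # Constructed sample: only the header parts this check reads, no body or signature.
    return (
        f'<S:Envelope xmlns:S="{NS["S"]}" xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
        f"<S:Header><wsse:Security><wsu:Timestamp><wsu:Created>{created}</wsu:Created>"
        f"<wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp></wsse:Security></S:Header></S:Envelope>"
    )

if __name__ == "__main__":
    now = datetime(2024, 12, 16, 10, 0, tzinfo=timezone.utc)
    print(check_request_timestamp(sample_envelope("2024-12-16T09:59:00Z", "2024-12-16T10:09:00Z"), now))
    print(check_request_timestamp(sample_envelope("2024-12-16T08:00:00Z", "2024-12-16T08:10:00Z"), now))
```

A freshness check limits replay only when the timestamp element is covered by the request signature, so it belongs alongside the signature validation step rather than in place of it.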