The vCenter Single Sign On Server treats Orchestrator as a solution, and every solution is registered with the vCenter Single Sign On Server under a unique user name. To request a delegate holder-of-key token for Orchestrator from the vCenter Single Sign On Server, you need the solution user name of Orchestrator.
Verify that you have a valid principal holder-of-key token that the vCenter Single Sign On Server issued.
The <user solution-user="vCOSolutionUserName"/> element of the response contains the solution user name of Orchestrator. The following is an example of a solution user name of Orchestrator.
<user xmlns="http://www.vmware.com/vco" solution-user="vCO-133acc26ff78e5695b102146326" admin-rights="true"/>
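The following added example, which is not part of the Orchestrator documentation, shows one way for a client to extract the solution user name from a response like the one above before using it in a delegate token request. It assumes the response body is available as a string; the function name `parse_solution_user` and the error class are hypothetical.

```python
import xml.etree.ElementTree as ET

VCO_NS = "http://www.vmware.com/vco"  # namespace shown in the page's sample response


class SolutionUserError(ValueError):
    """Raised when the response does not carry a usable solution user name."""


def parse_solution_user(xml_text):
    """Return (solution_user, admin_rights) from a response containing <user>."""
    # Refuse DTDs outright: the response never needs one, and rejecting them
    # keeps entity-expansion payloads away from the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise SolutionUserError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise SolutionUserError(f"malformed XML: {exc}") from exc

    # ElementTree folds the default namespace into the tag name, so match the
    # fully qualified name; a bare or foreign-namespace <user> is not accepted.
    # iter() also visits the root, so this works whether <user> is the root
    # element or nested inside it (assumption: the first match is the one wanted).
    elem = next(root.iter(f"{{{VCO_NS}}}user"), None)
    if elem is None:
        raise SolutionUserError("no <user> element in the vCO namespace")

    name = (elem.get("solution-user") or "").strip()
    if not name:
        raise SolutionUserError("solution-user attribute is missing or empty")

    admin = elem.get("admin-rights", "false").strip().lower() == "true"
    return name, admin


# Sample response copied from the page.
SAMPLE = ('<user xmlns="http://www.vmware.com/vco" '
          'solution-user="vCO-133acc26ff78e5695b102146326" admin-rights="true"/>')

if __name__ == "__main__":
    print(parse_solution_user(SAMPLE))
```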