The remote plug-in server operates outside the vCenter Server instance, and must authenticate with the Web Services API to identify and authorize its access to vSphere resources. The process of authentication requires several steps.

The plug-in user interface communicates with the vsphere-ui service through a plug-in sandbox in the browser. The plug-in sandbox uses the vSphere Client session token to authenticate with the vsphere-ui service in vCenter Server. The plug-in server needs a SOAP client session token to authenticate its operations with the Web Services API. The following diagram shows the communication paths involved in converting the vSphere Client session token to a plug-in server SOAP session token.

Plug-in Server Communication Paths for Authentication
Plug-in server communication paths for authentication

Cloning a session consists of three interactions involving the plug-in server:

1

The plug-in user interface sends its session ID and the vCenter Server endpoint to the plug-in server.

2

The plug-in server sends a REST request to vCenter Server to acquire a ticket that allows it to clone the user session.

3

The plug-in server sends a SOAP request to vCenter Server to clone the user session and acquire a new session ID.