The remote plug-in server operates outside the vCenter Server instance, and must authenticate with the Web Services API to identify and authorize its access to vSphere resources. The process of authentication requires several steps.
The plug-in user interface communicates with the vsphere-ui service through a plug-in sandbox in the browser. The plug-in sandbox uses the vSphere Client session token to authenticate with the vsphere-ui service in vCenter Server. The plug-in server needs a SOAP client session token to authenticate its operations with the Web Services API. The following diagram shows the communication paths involved in converting the vSphere Client session token to a plug-in server SOAP session token.
Cloning a session consists of three interactions involving the plug-in server: