In vCenter, the root user by default has no permissions to vCenter the application. It obviously does to the OS/appliance but not to login to the web client. There's nothing more you need to do if you're ok with that arrangement.
It has nothing to do with SSO configuration.
Someone have modify the "permissions" (check the tab when at the upper vCenter level) and add manually the user "root" from the identity source "localOS" and give it Administrative rights. But as already told and this is the true its not a default.
Normaly a vCenter use 3 identity ressources:
The first 2 are defaults but IIRC only the firstname.lastname@example.org is the one and only "user" which is added. Yeah there are some other system accounts added as well.
So you have to remove the account from the permission or lower the level to "readonly".