Thank you Joerg. I will have to give that a try as I don't really want to update all my training documentation to reflect the change, requiring the users to login as administrator@vsphere.local

Previously, users would use administrator@vsphere.local for managing SSO. Everything else was root. I know this isn't a good security practice, but this is a small, isolated training environment.