VMware Cloud Community
TheVMinator
Expert

Single Sign on Permissions in vCenter

Is there any reason why the single sign-on account administrator@vsphere.local should have permissions in vCenter if the rest of my vCenter permissions are given to active directory groups instead of single sign-on users?  

5 Replies
Texiwill
Leadership

Hello,

Yes, it is required. The administrator@vsphere.local is your back door and the only account that can manipulate user privileges in SSO and link AD to SSO, which is how your users gain their access. So yes, it is required. However, like ESXi, access to this account should be via a break glass policy. The password should be treated like the root password of any machine and locked behind a vault of some sort (physical or virtual).

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
TheVMinator
Expert

OK thanks.  Just to clarify though - I know this account is required to exist within the SSO application, so that within SSO I can use it to configure things.  But does administrator@vsphere.local have to be assigned privileges in vCenter Server itself, or just in the SSO application?  When I log into vCenter Server with vSphere Client, should I see that this account is assigned to a role within vCenter Server itself? If so, what are the max privileges it should have?

Texiwill
Leadership

Hello,

I believe it needs admin privileges. However, I use the VCSA where SSO/vCenter is integrated. You may want to open a support call to get a definitive answer.

Best regards,
Edward L. Haletky
TheVMinator
Expert

Ok thanks.  Outside of that one account, if I am in general using AD as my source for SSO, is there any reason to assign permissions to any non-AD accounts in vCenter - should all monitoring and third party systems authenticate through SSO, or not necessarily?

TheVMinator
Expert

I confirmed that administrator@vsphere.local does not have to have permissions in vCenter.  The only caveat is that if AD goes down and all permissions are through AD then it will cause a total lockout in vCenter, unless you modify the vCenter database and add permissions there.

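The thread raises three checks worth automating against a vCenter permission listing: whether administrator@vsphere.local holds a vCenter role at all, whether a non-AD break-glass principal holds the Administrator role (so an AD outage does not produce the total lockout described in the last post), and which other non-AD principals (monitoring or backup service accounts) hold roles and should be reviewed. The script below is an added example and is not code from this thread or from VMware. It runs entirely on constructed permission records shaped like the Principal / Role / Entity / IsGroup fields that PowerCLI's Get-VIPermission reports; the AD domain name "CORP", the service-account names, and the use of "Admin" as the internal name of the built-in Administrator role are assumptions.

```python
"""Audit a vCenter permission listing for the SSO-versus-AD questions in the thread.

Added example, not from the thread or from VMware.  Records are constructed here in
the shape Get-VIPermission reports (Principal / Role / Entity / IsGroup); nothing
below contacts a real vCenter.
"""
from dataclasses import dataclass
from typing import Iterable, List

SSO_DOMAIN = "vsphere.local"   # built-in SSO domain of administrator@vsphere.local
ADMIN_ROLE = "Admin"           # assumption: internal name of the built-in Administrator role


@dataclass(frozen=True)
class Permission:
    principal: str   # "DOMAIN\\name", the form vCenter reports
    role: str
    entity: str      # inventory object the permission is defined on
    is_group: bool


def principal_domain(principal: str) -> str:
    """Lower-cased domain of 'DOMAIN\\name' or 'name@domain'; '' if neither form."""
    if "\\" in principal:
        return principal.split("\\", 1)[0].lower()
    if "@" in principal:
        return principal.rsplit("@", 1)[1].lower()
    return ""


def principal_name(principal: str) -> str:
    """Lower-cased account part of 'DOMAIN\\name' or 'name@domain'."""
    if "\\" in principal:
        return principal.split("\\", 1)[1].lower()
    if "@" in principal:
        return principal.rsplit("@", 1)[0].lower()
    return principal.lower()


def is_sso_administrator(p: Permission) -> bool:
    return (principal_domain(p.principal) == SSO_DOMAIN
            and principal_name(p.principal) == "administrator")


def audit(perms: Iterable[Permission], ad_domains: Iterable[str]) -> dict:
    """Return the roles held by administrator@vsphere.local, the non-group SSO-local
    principals holding Admin (break-glass), whether an AD outage would lock everyone
    out (no non-AD principal holds Admin), and other non-AD principals to review."""
    perms = list(perms)
    ad = {d.lower() for d in ad_domains}

    def is_ad(p: Permission) -> bool:
        return principal_domain(p.principal) in ad

    def is_sso_local(p: Permission) -> bool:
        return principal_domain(p.principal) == SSO_DOMAIN

    return {
        "sso_administrator_roles": sorted({p.role for p in perms if is_sso_administrator(p)}),
        "break_glass": sorted({p.principal for p in perms
                               if p.role == ADMIN_ROLE and is_sso_local(p) and not p.is_group}),
        "lockout_risk": not any(p.role == ADMIN_ROLE and not is_ad(p) for p in perms),
        "non_ad_principals": sorted({p.principal for p in perms
                                     if not is_ad(p) and not is_sso_administrator(p)}),
    }


def report(result: dict) -> List[str]:
    """Human-readable findings, one line each."""
    roles = result["sso_administrator_roles"]
    lines = ["administrator@vsphere.local holds vCenter role(s): " + ", ".join(roles)
             if roles else "administrator@vsphere.local holds no vCenter role"]
    if result["lockout_risk"]:
        lines.append("LOCKOUT RISK: every Administrator permission depends on AD; "
                     "keep a vaulted, non-AD break-glass account with Admin")
    elif result["break_glass"]:
        lines.append("break-glass Admin principal(s): " + ", ".join(result["break_glass"]))
    else:
        lines.append("Admin is held by a non-AD group only; confirm a break-glass user exists")
    lines.extend(f"review non-AD principal: {p}" for p in result["non_ad_principals"])
    return lines


# Constructed sample listings; "CORP" stands in for the AD domain.
AD_ONLY = [
    Permission("CORP\\vCenter-Admins", "Admin", "Datacenters", True),
    Permission("CORP\\VM-Operators", "VirtualMachinePowerUser", "Prod-Cluster", True),
    Permission("CORP\\svc-monitoring", "ReadOnly", "Datacenters", False),
]
WITH_BREAK_GLASS = AD_ONLY + [
    Permission("VSPHERE.LOCAL\\Administrator", "Admin", "Datacenters", False),
    Permission("VSPHERE.LOCAL\\svc-backup", "ReadOnly", "Datacenters", False),
]

if __name__ == "__main__":
    for name, listing in (("AD only", AD_ONLY), ("with break-glass", WITH_BREAK_GLASS)):
        print(f"== {name} ==")
        for line in report(audit(listing, ["corp"])):
            print("  " + line)
```

On a real system the records would come from `Get-VIPermission` (PowerCLI) or an equivalent API call exported to a file; the audit logic only needs the four fields shown. The lockout check is deliberately strict: it reports risk whenever no non-AD principal holds the Administrator role, which is exactly the situation in which an AD outage leaves nobody able to repair permissions without editing the vCenter database.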