From my little understanding of SSO and vast amount of googling,
then why does the vCenter Appliance still have you set AD in the Admin Settings?
SSO provides a secured channel like for authenticating the APIs it is registered for. Still, for management purposes or assigning roles in VC or the web-based client, we need to have authentication from a database like or in this case the AD.
If I don't put AD enabled, then when I look in vCenter under roles, no Domain is listed.
This is because SSO by default has a limited set of user permissions and roles, which deal only with the login privileges/access to other components. There will be no roles in the VC since there is no AD integrated here.