As an enterprise using VMware Cloud services, you can set up federation with multiple corporate domains. By federating your corporate domains, you enable single sign-on for users in your enterprise. Enterprise federation with VMware Cloud services is set up through a self-service workflow and supports integration with SAML 2.0 based identity providers.

Previous versions of Carbon Black Cloud supported SAML federation with Okta, Ping Identity, and OneLogin. The integration with VMware Cloud Services enables you to set up federation with an expanded list of SAML 2.0 identity providers, including Microsoft Azure Active Directory.

Important: Setting up Enterprise Federation is optional; however, it is recommended.
By adopting a federated identity access for VMware Cloud services users and organizations in your enterprise, you enable the following:
  • All users in your enterprise access VMware Cloud services using their corporate account.
  • Organization owners can control authentication to organizations and services by assigning organization and service roles to the groups synced from your corporate directory.
  • Your security team can set up and enforce enterprise-level security and access policies for VMware Cloud services, including multi-factor authentication.
As an organization owner of an unfederated domain, you initiate the self-service federation workflow for your entire enterprise domain. After completing the setup, enterprise federation becomes available to all users from your corporate domain and applies to all services across all organizations.
Attention: Your enterprise must own the domains you want to federate for access with VMware Cloud services and you must verify the ownership during the first step of the self-service workflow. You cannot federate domains that belong to a service provider.
For detailed instructions on setting up enterprise federation through the self-service federation workflow, refer to the separate document: Setting Up Enterprise Federation with VMware Cloud Services Guide.

What is the difference between federated and unfederated authentication?

If your corporate domain is not federated, your access to VMware Cloud services is authenticated through your VMware ID account. If you are new to VMware Cloud services, visit to create a VMware ID.

If your corporate domain is federated, your access to VMware Cloud services is authenticated through your corporate account. A hosted Workspace ONE Access tenant is used as an identity broker to set up federation with your identity provider. The hosted tenant is configured for validation with your corporate identity provider and active directory. You manage user and group access to VMware Cloud services by configuring the Workspace ONE Access connector to sync users and groups from your corporate active directory. Only a subset of required user profile attributes, such as username, firstname, lastname, and email address, is configured to be synced. You can add more attributes later.
Note: User passwords are never synced, nor cached.


Can I undo the federation for my corporate domain?

If you decide to undo the federation setup or undo federation for any of the federated corporate domains you initially configured, you must file a support ticket.