If you want to import users and groups from an OpenID Connect (OIDC) identity provider to your system organization, you must configure your system organization with this OIDC identity provider. Imported users can log in to the system organization with the credentials established in the OIDC identity provider.

OAuth is an open federation standard that delegates user access. OpenID Connect is an authentication layer on top of the OAuth 2.0 protocol. By using OpenID Connect, clients can receive information about authenticated sessions and end-users. The OAuth authentication endpoint must be reachable from the VMware Cloud Director cells which makes it more suitable when you use public identity providers or provider managed ones.


  1. From the top navigation bar, select Administration.
  2. In the left panel, under Identity Providers, click OIDC.
  3. If you are configuring OIDC for the first time, copy the client configuration redirect URI and use it to create a client application registration with an identity provider that complies with the OpenID Connect standard, for example, VMware Workspace ONE Access.
    You need this registration to obtain a client ID and a client secret that you must use during the OIDC identity provider configuration.
  4. Click Configure.
  5. Verify that OpenID Connect is enabled and enter the client ID and client secret information from the OIDC server registration.
  6. (Optional) To use the information from a well-known endpoint to automatically fill in the configuration information, turn on the Configuration Discovery toggle and enter a URL at the site of the provider that VMware Cloud Director can use to sent authentication requests to.
  7. Click Next.
  8. If you did not use Configuration Discovery in Step 6, enter the information in the Endpoints section.
    1. Enter the endpoint and issuer ID information.
    2. If you are using VMware Workspace ONE Access as an identity provider, select SCIM as access type.
      For other identity providers, you can leave the default User Info selection.
    3. Enter the maximum acceptable clock skew.
      The maximum clock skew is the maximum allowable time difference between the client and server. This time compensates for any small time differences in the timestamps when verifying tokens. The default value is 60 seconds.
    4. Click Next.
  9. If you did not use Configuration Discovery in Step 6, enter the scope information.
    VMware Cloud Director uses the scopes to authorize access to user details. When a client requests an access token, the scopes define the permissions that this token has to access user information.
  10. If you are using User Info as an access type, map the claims and click Next.
    You can use this section to map the information VMware Cloud Director gets from the user info endpoint to specific claims. The claims are strings for the field names in the VMware Cloud Director response.
  11. If you did not use Configuration Discovery in Step 6, upload the private key that the identity provider uses to sign its tokens.
  12. Click Save.