vCenter federation enables Single Sign On (SSO) so that users can securely authenticate to their SDDC vCenter without having to re-enter their credentials.

Note:

Enablement of enterprise federation has been temporarily suspended. Customers who have already configured federated login for vCenter can continue to use it.

When you enable the vCenter federation feature in your SDDC, VMware Cloud on AWS replaces all external identity providers (using source type AD over LDAP and native LDAP) with the IDPs federated with your VMware Cloud Services organization (with source type SSO). Changing identity providers modifies the means of authentication, but does not alter authorization in any way. No additional users or groups are granted access to your vCenter server.

After you enable federated login in your SDDC, you might see a couple of behavioral changes in your SDDC vCenter:
  • "This vCenter is being managed by VMware Cloud Services" message when viewing Identity Provider in the Single Sign On > Configuration section of vCenter administration. This is because after federated login has been enabled, vCenter single sign on is managed exclusively by VMware Cloud Services.
  • Authentication failures for automations and third-party integrations. If your identity provider does not support fallback to password authentication, or requires multi-factor authentication, programmatic integration with vCenter will fail at the authentication step.
Enabling federation changes the identity source (authentication), but does not impact users and permissions (authorization). The workflow deletes your LDAP identity source and adds an SSO identity source.
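The second behavioral change above (automation and third-party integrations failing at the authentication step) is easiest to catch with a preflight check run against each automation account before and after enablement. The script below is an added example and not VMware's code: it assumes the vSphere Automation REST session endpoint (`POST /api/session` with HTTP Basic credentials) is reachable on the SDDC vCenter FQDN, and the FQDN and account names in it are constructed placeholders.

```python
"""Preflight check: does password (Basic) auth still work for automation accounts?"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample values (placeholders, not a real SDDC or real accounts).
VCENTER_FQDN = "vcenter.sddc-EXAMPLE.vmwarevmc.com"
AUTOMATION_ACCOUNTS = ["backup-svc@corp.example", "monitoring@corp.example"]

# A transport takes (url, Authorization header value) and returns an HTTP status.
Transport = Callable[[str, str], int]


def basic_auth_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def urllib_transport(url: str, auth_header: str) -> int:
    """Real transport: POST to the session endpoint and return the HTTP status."""
    req = urllib.request.Request(url, method="POST", headers={"Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=15, context=ssl.create_default_context()) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Map the session-endpoint status to what it means for the integration."""
    if status in (200, 201):
        return "ok"            # password auth accepted; integration unaffected
    if status == 401:
        return "auth-failed"   # expected after Federated Login if the IDP has no password fallback or needs MFA
    return "unexpected"        # network/TLS/other problem; investigate separately


def check_accounts(vcenter: str, creds: List[Tuple[str, str]],
                   transport: Transport = urllib_transport) -> Dict[str, str]:
    """Return {account: verdict} for each (user, password) pair."""
    url = f"https://{vcenter}/api/session"
    return {user: classify(transport(url, basic_auth_header(user, pw))) for user, pw in creds}


if __name__ == "__main__":
    import getpass
    creds = [(u, getpass.getpass(f"Password for {u}: ")) for u in AUTOMATION_ACCOUNTS]
    print(json.dumps(check_accounts(VCENTER_FQDN, creds), indent=2))
```

Run it once before enabling Federated Login to record a baseline, and again afterwards; any account that moves from `ok` to `auth-failed` is an integration that needs its authentication method changed.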

vCenter Federation relies on VMware Cloud Services to enable SSO. Any maintenance or outages on VMware Cloud Services could impact the availability of SSO to vCenter. See Emergency Access to vCenter When Federated Login Fails for the emergency access URL and instructions.

If you have not configured this SDDC to use an external identity source (AD over LDAP and native LDAP), you'll need to assign permissions to your external users after you enable federated login. If you don't, users won't be able to use the Federated Login feature. To assign these users roles and permissions, log in to vCenter using the emergency URL as cloudadmin@vmc.local. For more information, see Roles and Permissions in the SDDC.

For more information about Federated Login, see the VMware Cloud Tech Zone article Feature Brief: vCenter Federated Login for VMware Cloud on AWS.

Prerequisites

  • Important:

    vCenter Federation does not support simultaneous use of SSO and AD/LDAP identity sources. If you have multiple LDAP identity sources configured in vCenter and will need to authenticate users from those domains after you enable Federated Login for vCenter, then all the domains must meet these prerequisites.

    You must not enable Federated Login for vCenter in an SDDC that has been configured for compliance hardening. See Configure SDDC Compliance Hardening for more about this configuration and what it requires.

    vCenter Federation is not currently compatible with multiple domains that use the dynamic (connectorless) authentication setup for Enterprise Federation with VMware Cloud Services.

  • Save your current LDAP identity source configuration. You will need to manually restore this configuration if you decide to disable Federated Login to vCenter.
  • Enable Enterprise Federation for all Domains that require vCenter Access. See What is Enterprise Federation and How Does it Work.
  • Link your Identity Provider (IDP) to your VMware Cloud Services organization. See Why do I Need to Link my IDP.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
    You must have the VMware Cloud on AWS Administrator role to enable federated login for vCenter.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Open the SDDC Settings tab.
  4. Navigate to Federated Login in the vCenter Information section and click ENABLE.
    Review the prerequisites and click ENABLE when you're ready to proceed. Enablement requires VMware Cloud on AWS to import data from your federated identity provider. The length of time it takes to complete enablement depends on the amount of data being imported and the network bandwidth available.

Results

After enablement completes, the vSphere Client login screen directs users to sign in with VMware Cloud Services.

What to do next

If you had not configured this SDDC to use an external identity source (AD over LDAP and native LDAP) before you enabled federated login for vCenter, you must assign permissions to your external users before they can use the Federated Login feature. To assign these users roles and permissions, log in to vCenter using the emergency URL as cloudadmin@vmc.local. For more information, see Roles and Permissions in the SDDC.

If you have enabled Federated Login and need to change your SSO identity source or add a new one, first configure enterprise federation for the new SSO identity source, then disable and re-enable Federated Login so that your SDDC vCenter recognizes the new identity source, and finally configure permissions for the new identity source.