vCenter federation enables Single Sign On (SSO) so that users can securely authenticate to their SDDC vCenter Server without having to re-enter their credentials.

When you enable the vCenter federation feature in your SDDC, VMware Cloud on AWS replaces all external identity providers (using source type AD over LDAP and native LDAP) with the Identity Providers (IDPs) federated with your VMware Cloud Services organization (with source type SSO). Changing identity providers modifies the means of authentication, but does not alter authorization in any way. No additional users or groups are granted access to your vCenter server.

After you enable federated login in your SDDC, you might see a couple of behavioral changes in your SDDC vCenter Server:
  • "This vCenter is being managed by VMware Cloud Services" message when viewing Identity Provider in the Single Sign On > Configuration section of vCenter administration. This is because after federated login has been enabled, vCenter single sign on is managed exclusively by VMware Cloud Services.
  • Authentication failures for automations and third-party integrations. If your identity provider does not support fallback to password authentication, or requires multi-factor authentication, programmatic integration with vCenter will fail at the authentication step.
Enabling federation changes the identity source (authentication), but does not impact users and permissions (authorization). The workflow deletes your LDAP identity source and adds an SSO identity source.
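Because the page warns that automations and third-party integrations can fail at the authentication step once Federated Login is enabled, a defender will want a quick way to confirm which service accounts still authenticate. The following is an added example, not VMware's own code: it opens a vSphere Automation API session (the standard `POST /api/session` endpoint with HTTP Basic credentials) for each account and reports whether the login succeeded or failed. The vCenter hostname and the account names are constructed placeholders, and the script assumes the vCenter certificate is trusted by the host running it.

```python
"""Audit which vCenter automation accounts can still open an API session."""
import base64
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport takes (url, headers) and returns (http_status, body).
# It is injectable so the audit logic can be exercised without a live vCenter.
Transport = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def _urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport: POST to vCenter with a default (CA-validating) TLS context."""
    req = urllib.request.Request(url, method="POST", headers=headers, data=b"")
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # 401, 503 etc. arrive as exceptions
        return e.code, e.read()


def check_account(vcenter: str, user: str, password: str,
                  transport: Transport = _urllib_transport) -> str:
    """Try username/password login via POST /api/session.

    Returns 'ok' when a session is created, 'auth_failed' on HTTP 401
    (the failure mode federation can introduce), or 'error:<status>' otherwise.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    status, _body = transport(f"https://{vcenter}/api/session", headers)
    if status in (200, 201):
        return "ok"
    if status == 401:
        return "auth_failed"
    return f"error:{status}"


def audit(vcenter: str, accounts: List[Tuple[str, str]],
          transport: Transport = _urllib_transport) -> Dict[str, str]:
    """Check every (user, password) pair; passwords should come from a secret store."""
    return {user: check_account(vcenter, user, pw, transport) for user, pw in accounts}


if __name__ == "__main__":
    # Constructed placeholder values; replace with your SDDC vCenter and accounts.
    SAMPLE = [("svc-backup@example.com", "placeholder"), ("svc-monitor@example.com", "placeholder")]
    for account, result in audit("vcenter.sddc.example.com", SAMPLE).items():
        print(f"{account}: {result}")
```

Run it once before enabling Federated Login and again afterwards; any account that moves from `ok` to `auth_failed` is an integration that now needs an SSO-compatible credential path.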

vCenter Federation relies on VMware Cloud Services to enable SSO. Any maintenance or outages on VMware Cloud Services could impact the availability of SSO to vCenter. See Emergency Access to vCenter When Federated Login Fails for the emergency access URL and instructions.

If you have enabled Federated Login and need to change your SSO identity source or add a new one, first configure enterprise federation for the new SSO identity source. Then disable and re-enable Federated Login so that your SDDC vCenter Server recognizes the new identity source, and finally configure permissions for the new identity source.

For more information about Federated Login, see the VMware Cloud Tech Zone article Feature Brief: vCenter Federated Login for VMware Cloud on AWS.

Prerequisites

  • Important: vCenter Federation does not support simultaneous use of SSO and AD/LDAP identity sources. If you have multiple LDAP identity sources configured in vCenter and will need to authenticate users from those domains after you enable Federated Login for vCenter, then all the domains must meet these prerequisites.

    You must not enable Federated Login for vCenter in an SDDC that has been configured for compliance hardening. See Configure SDDC Compliance Hardening for more about this configuration and what it requires.

  • Save your current LDAP identity source configuration. You will need to manually restore this configuration if you decide to disable Federated Login to vCenter.
  • Enable Enterprise Federation for all domains that require vCenter access. See What is Enterprise Federation and How Does it Work.
  • Link your IDP to your VMware Cloud Services organization. See Why do I Need to Link my IDP.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
    You must have the VMware Cloud on AWS Administrator role to enable federated login for vCenter.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Open the SDDC Settings tab.
  4. Navigate to Federated Login in the vCenter Information section and click ENABLE.
    Review the prerequisites and click ENABLE when you're ready to proceed. Enablement requires VMware Cloud on AWS to import data from your federated identity provider. The length of time it takes to complete enablement depends on the amount of data being imported and the network bandwidth available.

Results

After enablement completes, the vSphere Client login screen directs users to sign in with VMware Cloud Services.

What to do next

If this is a new SDDC that has never had Federated Login enabled, log in to the SDDC vCenter Server at the emergency access URL using cloudadmin@vmc.local and set up permissions for the SSO domain. If you don't do this, the emergency access URL will not provide emergency access.