As an enterprise using VMware Cloud services, you can set up federation with multiple corporate domains. By federating your corporate domains, you activate single sign-on for users in your enterprise. Enterprise federation with VMware Cloud services supports integration with SAML 2.0-based identity providers.
Note: Due to the migration of identity systems, no new federations are allowed starting on March 15th, 2024, until further notice.
By adopting federated identity access for VMware Cloud services users and Organizations in your enterprise, you activate the following:
- All users in your enterprise access VMware Cloud services using their corporate account.
- Organization Owners can control authentication to Organizations and services by assigning Organization and service roles to the groups synced from your corporate directory.
- Your security team can set up and enforce enterprise-level security and access policies for VMware Cloud services, including multi-factor authentication.
Attention: Your enterprise must own the domains you want to federate for access with VMware Cloud services, and you must verify the ownership during the first step. You cannot federate domains that belong to a service provider.
For detailed instructions on setting up enterprise federation, refer to the Setting Up Enterprise Federation with VMware Cloud Services Guide.
What is the difference between federated and unfederated authentication?
If your corporate domain is not federated, your access to VMware Cloud services is authenticated through your VMware ID account. If you are new to VMware Cloud services, visit my.vmware.com to create a VMware ID.
If your corporate domain is federated, your access to VMware Cloud services is authenticated through your corporate account. A hosted Workspace ONE Access tenant is used as an identity broker to set up federation with your identity provider. The hosted tenant is configured for validation with your corporate identity provider and active directory. You manage user and group access to VMware Cloud services by configuring the Workspace ONE Access connector to sync users and groups from your corporate active directory. Only a subset of required user profile attributes, such as username, firstname, lastname, and email address, is configured to be synced. You can add more attributes later.
Note: User passwords are never synced or cached.
Can I undo the federation for my corporate domain?
If you decide to undo the federation setup or undo federation for any of the federated corporate domains you initially configured, you must file a support ticket.