VMware Cloud services users with a federated domain use their corporate credentials to log in to the Cloud Services Console across Organizations.

Note: Enterprise Federation setup is currently unavailable. We are in the process of migrating to Broadcom’s Identity system. If you have any questions, please contact VMware support.

Setting up enterprise federation for your corporate domain is a self-service process that involves multiple steps, users, and roles.

As an Organization Owner user, you kick off the self-service federation workflow on behalf of your Organization and invite an Enterprise Administrator to complete the setup. The Enterprise Administrator must determine the type of federation setup that is most suitable for your enterprise. The following table explains the differences between the two setup options.

| Federation setup | Authentication method | User and group provisioning |
|---|---|---|
| Dynamic (connectorless) authentication setup | SAML 2.0 Identity Provider or OpenID Connect (OIDC) | Dynamic provisioning: SAML JIT for user and group provisioning; automated user management with SCIM provisioning |
| Connector-based authentication setup | SAML 2.0 Identity Provider or Workspace ONE Access connector authentication methods | Pre-provisioning: syncing users and groups from the customer's Active Directory |

Dynamic (connectorless) authentication setup

When enterprise federation for your enterprise domain is set up to use your third-party identity provider, users accessing VMware Cloud services from the federated domain are redirected to the login screen of the identity provider for your enterprise.

Users authenticate directly with your identity provider through SAML or OIDC. Users and groups can be provisioned with either SAML JIT or SCIM-based dynamic provisioning.

Diagram visualization of the dynamic (connectorless) authentication setup.

Connector-based authentication setup

In this federation setup, an on-premises instance of Workspace ONE Access connector syncs users and groups from your Active Directory to a dedicated instance of a Workspace ONE Access tenant. Only synced groups and users can log in to VMware Cloud services with their corporate credentials. User authentication can be set up to use either a SAML 2.0 based IdP or the Workspace ONE Access connector authentication methods.

Diagram visualization of the connector-based authentication setup.

After setup completes successfully, enterprise federation becomes available to all users from your corporate domain and applies to all services across all Organizations.