The dynamic (connectorless) type of federation setup involves configuring your third-party identity provider for dynamic user and group provisioning.

Depending on your enterprise IdP, there are two different configurations you can choose from:
  • SAML-based for dynamic JIT-based user and group provisioning;
  • SAML-based for dynamic SCIM-based user and group provisioning;
  • OIDC-based for dynamic SCIM-based user and group provisioning.
The following list presents the high-level overview of the steps in the federation setup with dynamic user and group provisioning workflow. Some of the steps are common for all IdP configurations. To see an example scenario of each step for federating a corporate domain, click a step link.
Step 1: Verify domains

In this step, you verify the ownership of the domains that you want to federate. The verification process involves adding DNS TXT records for your domains. Before you begin, verify that you can modify the DNS records for your corporate domains.

The domains you add in this step are the top-level public domains that your enterprise employees use to access VMware Cloud services. These domains are not your internal Active Directory domains.

Note: The verification does not happen automatically. It might take up to 72 hours after submitting the TXT records for the changes to take effect.
Step 2: Configure the identity provider: SAML-based with JIT-based dynamic provisioning OR Step 2: Configure the identity provider: OIDC-based with SCIM-based dynamic provisioning

In this step, you configure the identity provider. You can enable federation for your enterprise with any SAML 2.0-based third-party identity provider. The self-service federation setup process provides guided configuration support for the following SAML-based IdPs: Okta, PingIdentity, Microsoft Active Directory Federation Services, OneLogin, and Azure Active Directory.

For OIDC-based federation setup, VMware Cloud Services currently supports AWS Cognito and Azure Active Directory.

To configure your third-party IdP for an enterprise federation, you must have access to the identity provider console and the IdP's metadata URL.
Caution: You cannot change the identity provider that you configure in this step, after the federation is set up is enabled. If you must change your identity provider later, file a support ticket.
Step 3: Complete Setup
In this final step of the federation setup, you must perform a list of actions.
  • Validate that the users from your enterprise can log in to VMware Cloud services by using your corporate IdP.
  • Notify the enterprise users of the domains that you specified in Step 1 that they have to log in to VMware Cloud services by using their corporate credentials.
  • Acknowledge the changes and activate the federation for your enterprise.

After you complete the federation setup, the self-service workflow is no longer available for changes. Enterprise Administrators can modify the initial setup from the Enterprise Federation dashboard.

Important: After enterprise federation is activated, users with federated domains can only access VMware Cloud services using their corporate accounts. They can no longer use their My VMware accounts to log in to VMware Cloud services.
Step 4: Link Your VMware Account
In the last step of the workflow, you link your federated account to your VMware ID account. This step is necessary to complete for the following roles:
  • Enterprise Administrators, Organization Owner users who participated in the self-service federation setup.
  • Organization Owner and Organization Member users who need access to billing information.
  • Organization Owner and Organization Member users who want to be able to file support requests.