What is enterprise federation and how does it work with Tanzu Platform cloud services

Important

Due to ongoing migration to Broadcom’s identity systems, Tanzu Platform cloud services console is unable to support new requests to set up identity federation until further notice.

As an enterprise using Tanzu Platform cloud services, you can set up federation with multiple corporate domains. By federating your corporate domains, you activate single sign-on for users in your enterprise. Enterprise federation with Tanzu Platform cloud services supports integration with SAML 2.0 based identity providers.

By adopting a federated identity access for Tanzu Platform cloud services users and Organizations in your enterprise, you activate the following:

  • All users in your enterprise access Tanzu Platform cloud services using their corporate account.
  • Organization Owners can control authentication to Organizations and services by assigning Organization and service roles to the groups synced from your corporate directory.
  • Your security team can set up and enforce enterprise-level security and access policies for Tanzu Platform cloud services, including multi-factor authentication.

As an Organization Owner of an unfederated domain, you initiate your entire enterprise domain setup. After completing the setup, enterprise federation becomes available to all users from your corporate domain and applies to all services across all Organizations.

Attention: Your enterprise must own the domains you want to federate for access with Tanzu Platform cloud services and you must verify the ownership during the first step. You cannot federate domains that belong to a service provider.

What is the difference between federated and unfederated authentication?

If your corporate domain is not federated, your access to Tanzu Platform cloud services is authenticated through your VMware ID account. If you are new to Tanzu Platform cloud services, visit my.vmware.com to create a VMware ID.

If your corporate domain is federated, your access to Tanzu Platform cloud services is authenticated through your corporate account. A hosted Workspace ONE Access tenant is used as an identity broker to set up federation with your identity provider. The hosted tenant is configured for validation with your corporate identity provider and Active Directory. You manage user and group access to Tanzu Platform cloud services by configuring the Workspace ONE Access connector to sync users and groups from your corporate Active Directory. Only a subset of required user profile attributes, such as username, first name, last name, and email address, is configured to be synced. You can add more attributes later.

Note

User passwords are never synced, nor cached.
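As an added illustration (not VMware's or Workspace ONE Access code), the checks an identity broker applies to a SAML 2.0 assertion from the corporate identity provider before trusting it: expected issuer, validity window, audience, and the synced attribute subset named above. The assertion, the issuer and audience URLs, and the `ALLOWED_ATTRS` names are constructed assumptions; XML signature verification is omitted and must happen before these checks in a real broker.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The profile attribute subset the page says is synced (assumed attribute names).
ALLOWED_ATTRS = {"username", "firstname", "lastname", "email"}

# Constructed sample assertion; URLs and values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://broker.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(value):
    """SAML timestamps are UTC; parse the common 'Z' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return the allowed attribute subset, or raise ValueError if the
    assertion must not be accepted by this broker."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions element")
    # Reject assertions that are not yet valid or have already expired.
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # Reject assertions issued for a different service provider.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")
    # Keep only the synced attribute subset; anything else (e.g. department) is dropped.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in ALLOWED_ATTRS:
            attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return attrs
```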

Can I undo the federation for my corporate domain?

If you decide to undo the federation setup or undo federation for any of the federated corporate domains you initially configured, you must file a support ticket.
