You can stop and start VMware Identity Services, regenerate a SCIM token, and restore deleted SCIM users and groups.

Depending on the task, you use either the vSphere Client or the external identity provider's administration console.

Stop and Start the VMware Identity Services

To configure and run Okta, Microsoft Entra ID (formerly called Azure AD), or PingFederate as an external identity provider, VMware Identity Services must be started on vCenter Server. By default, when you either install or upgrade to vSphere 8.0 Update 1 or later, VMware Identity Services are started. You use the vCenter Server Management Interface to manage VMware Identity Services.

Starting in version 8.0 Update 1, vSphere includes the VMware Identity Services to support authenticating to Okta. Starting in version 8.0 Update 2, VMware Identity Services support authenticating to Microsoft Entra ID. Starting in version 8.0 Update 3, VMware Identity Services support authenticating to PingFederate.

Prerequisites

When you install or upgrade to vSphere 8.0 Update 1 or later, VMware Identity Services are automatically started. When you configure Okta, Microsoft Entra ID, or PingFederate as an external identity provider, you do not need to start VMware Identity Services, as they are already running. To start or stop VMware Identity Services, you must be root.

You configure the external identity provider on a single vCenter Server only. That vCenter Server, through its instance of VMware Identity Services, communicates with the identity provider. The other vCenter Server systems in the Enhanced Linked Mode configuration also have VMware Identity Services running; however, they do not communicate directly with the identity provider.

Procedure

  1. In a Web browser, go to the vCenter Server Management Interface at https://vcenter-IP-address-or-FQDN:5480.
  2. Log in as root.
    The default root password is the password that you set while deploying the vCenter Server.
  3. Select Services.
  4. View the status of VMware Identity Services.
  5. To stop or start the service, select VMware Identity Services, then click either Stop or Start.
    After starting VMware Identity Services, no vCenter Server reboot is necessary.

Regenerate the SCIM Token in vCenter Server

In vCenter Server, you can regenerate a System for Cross-Domain Identity Management (SCIM) token for an external identity provider.

If you generate another token, it becomes active immediately, and the previous token is revoked.

Prerequisites

You must have created an external identity provider in vCenter Server.

Procedure

  1. Log in as an administrator with the vSphere Client to the vCenter Server.
  2. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  3. On the Configuration page, under User Provisioning/Secret Token, click Regenerate to regenerate the secret token, select the token lifespan from the drop-down, then click Copy to Clipboard. Save the token to a secure location.
  4. The copied token is available for you to update your external identity provider configuration.

Restore Deleted SCIM Users and Groups

If the SCIM-pushed users and groups on your vCenter Server become out of sync with your external identity provider, you can take steps to fix the problem.

When you want to restore a SCIM-pushed user or group that you deleted from your vCenter Server, you cannot simply push the user or group from your identity provider again. Because of the way vCenter Server uses System for Cross-Domain Identity Management (SCIM) for user and group management, you must update the SCIM 2.0 application itself with the missing user or group.

Procedure

  1. Log in to the external IDP Admin console.
  2. Navigate to the SCIM 2.0 application.
  3. Assign the deleted or missing user or group.
  4. Select the appropriate action to delete (unlink) the pushed group or user.
  5. Select the appropriate action to push the group.
  6. Verify on your vCenter Server that external IDP synchronized the group or user.
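Two of the statements above are worth confirming from the command line rather than taking on trust: that a regenerated SCIM token revokes the previous one immediately (Regenerate the SCIM Token in vCenter Server), and that a re-pushed user actually landed on the SCIM service (step 6 above). The following added example is not part of the VMware documentation or of vCenter Server; it runs a minimal SCIM 2.0 service provider in-process, with constructed tokens and a constructed user, and then checks both properties against it with a plain standard-library client. The base path /scim/v2 and the `userName eq "..."` filter are assumptions taken from the SCIM 2.0 specification; vCenter Server's real SCIM URL is the one shown in the vSphere Client, and the same `scim_get` calls can be pointed at it by changing `base`.

```python
"""Offline check of SCIM bearer-token rotation and user-sync status.

Added example, not VMware's code. A tiny in-process SCIM 2.0 service provider
holds exactly one active bearer token; after "regeneration" the old token must
be rejected (401) and the new one accepted (200). Endpoint path and tokens are
constructed assumptions.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

OLD_TOKEN = "tok-old-CONSTRUCTED"   # constructed: the token before Regenerate
NEW_TOKEN = "tok-new-CONSTRUCTED"   # constructed: the token after Regenerate


class ScimState:
    """Single active token plus the users the IdP has pushed (constructed data)."""
    def __init__(self):
        self.active_token = OLD_TOKEN
        self.users = {"alice@example.com": {"id": "u-1", "userName": "alice@example.com"}}

    def regenerate(self, new_token):
        # Rotation is a single assignment: the previous token is revoked at once.
        self.active_token = new_token


STATE = ScimState()


class ScimHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.headers.get("Authorization", "") != f"Bearer {STATE.active_token}":
            # SCIM error shape from RFC 7644; 401 for a missing or revoked token
            self._send(401, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                             "status": "401", "detail": "invalid or revoked token"})
            return
        parsed = urlparse(self.path)
        if parsed.path != "/scim/v2/Users":
            self._send(404, {"status": "404"})
            return
        # Honour the one filter shape an IdP uses to locate a pushed user
        flt = parse_qs(parsed.query).get("filter", [""])[0]
        matches = list(STATE.users.values())
        if flt.startswith('userName eq "') and flt.endswith('"'):
            wanted = flt[len('userName eq "'):-1]
            matches = [u for u in matches if u["userName"] == wanted]
        self._send(200, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                         "totalResults": len(matches), "Resources": matches})

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/scim+json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_server():
    """Bind the mock provider to a free loopback port; returns (server, base URL)."""
    srv = HTTPServer(("127.0.0.1", 0), ScimHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/scim/v2"


def scim_get(base, token, path, params=None):
    """Authenticated SCIM GET returning (status, body); 4xx is returned, not raised."""
    url = f"{base}{path}" + (f"?{urlencode(params)}" if params else "")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/scim+json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def check_rotation(base, old_token, new_token):
    """Status codes seen with the old and the new token; expect {'old': 401, 'new': 200}."""
    return {"old": scim_get(base, old_token, "/Users")[0],
            "new": scim_get(base, new_token, "/Users")[0]}


def user_is_synced(base, token, user_name):
    """Step-6 style check: True when exactly one user with that userName is present."""
    status, body = scim_get(base, token, "/Users", {"filter": f'userName eq "{user_name}"'})
    return status == 200 and body.get("totalResults", 0) == 1


def demo():
    """Run the rotation and sync checks against the in-process provider."""
    STATE.active_token = OLD_TOKEN           # deterministic starting point
    srv, base = start_server()
    try:
        STATE.regenerate(NEW_TOKEN)          # server-side effect of clicking Regenerate
        rotation = check_rotation(base, OLD_TOKEN, NEW_TOKEN)
        alice = user_is_synced(base, NEW_TOKEN, "alice@example.com")   # pushed
        bob = user_is_synced(base, NEW_TOKEN, "bob@example.com")       # never pushed
        return rotation, alice, bob
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(demo())
```

The rotation check is the part to keep in a runbook: after copying a regenerated token into the identity provider, a single GET with the old token should return 401, which confirms nothing else (an old script, a stale integration) still holds a working credential. The sync check uses the same client to answer step 6 without clicking through the vSphere Client.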