After you deploy vCenter Server initially, you can configure an external identity provider for federated authentication.

vSphere 7.0 and later supports Active Directory Federation Services (AD FS). vSphere 8.0 Update 1 and later supports Okta. vSphere 8.0 Update 2 and later supports Microsoft Entra ID (formerly called Azure AD). Starting in vSphere 8.0 Update 3, vSphere supports PingFederate.

You configure vCenter Server Identity Provider Federation from the vSphere Client or the API. You also must perform some configuration on your external identity provider. To configure vCenter Server Identity Provider Federation, you must have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator privileges is different from having the Administrator role on vCenter Server or ESXi. In a new installation, only the vCenter Single Sign-On administrator (administrator@vsphere.local by default) can authenticate to vCenter Single Sign-On.