Federated identity management enables electronic identities and attributes from one domain to be accepted and used to access resources in other domains. You can enable federated identity management between vRealize Automation, vRealize Operations Manager,and vSphere Web Client using vCenter Single Sign-On and VMware Identity Manager.

Federated identity environments divide users into categories called personas based on how they interact with federated identity systems. Users use the systems to receive services. Administrators configure and manage federation among systems. Developers create and extend services consumed by users. The following table describes the benefits of federated identity management enjoyed by these persona.

Table 1. Benefits to Persona

User Types

Federated Identity Benefit


  • Convenient single sign on to multiple applications

  • Fewer passwords to manage

  • Improved security


  • More control over applications entitlements and access

  • Context and policy-based authentication


  • Simple integration

  • Benefits of multitenancy, user and group management, extensible authentication, and delegated authorization with little effort

You can set up federation between VMware Identity Manager and vCenter Single Sign-On by creating a SAML connection between the two parties. vCenter Single Sign-On acts as the identity Provider and VMware Identity Manager as the service provider. An identity provider provides an electronic identity. A service provider grants access to resources after evaluating and accepting the electronic identity.

For users to be authenticated by vCenter Single Sign-On, the same account must exist in VMware Identity Manager and vCenter Single Sign-On. Minimally, the userPrinicpalName of the user must match on both ends. Other attributes can differ because they are not used to identify the SAML subject.

For local users in vCenter Single Sign-On such as admin@vsphere.local, corresponding accounts must be created in VMware Identity Manager where at least the userPrinicpalName of the user matches. The corresponding accounts must be created manually or by a script using the VMware Identity Manager local user creation APIs.

Setting up SAML between SSO2 and vIDM involves the following tasks.

  1. Import the SAML token from vCenter Single Sign-On to VMware Identity Manager before updating the VMware Identity Manager default authentication.

  2. In VMware Identity Manager, configure vCenter Single Sign-On as a third-party identity provider on VMware Identity Manager and update VMware Identity Manager default authentication.

  3. On vCenter Single Sign-On, configure VMware Identity Manager as a service provider by importing the VMware Identity Manager sp.xml file.

See the following product documentation: