← Back to articles

Configuring VCF Single Sign-On (SSO) in VMware Cloud Foundation 9.0

18 Jun 2026 • VMware Cloud Foundation • 13 min read

One of the most welcome capabilities introduced in VMware Cloud Foundation 9.0 is VCF Single Sign-On (SSO). It gives administrators seamless, federated access to every VCF management interface — vCenter Server, NSX Manager, VCF Operations, VCF Automation, and more — from a single corporate identity. No more juggling separate local accounts on every component.

This is a hands-on guide: what VCF SSO is, the design choices you must make, and the full step-by-step configuration from the VCF Operations console.

Think of VCF SSO like a hotel key card. Instead of carrying a different physical key for every door (vCenter, NSX, Operations, Automation), you check in once at the front desk — the VCF Identity Broker — and your single card opens every door you are entitled to.

How VCF SSO Works: the Identity Broker

At the heart of VCF SSO is the VCF Identity Broker. It sits between your enterprise identity provider (IdP) — such as Microsoft Entra ID, Okta, or Ping Identity — and your VCF components. The broker authenticates users against the IdP, then provides trusted access tokens to vCenter, NSX, VCF Operations and VCF Automation.

You configure it centrally from VCF Operations → Fleet Management → Identity & Access, per VCF Instance. The "Enable Single Sign-On" screen drives the whole flow through three tasks: choose deployment mode, configure the identity provider, and configure components.

VCF SSO is part of fleet management in VCF Operations. Because it controls access to the entire fleet, treat its configuration as a security-critical, Tier-0 task.

Decision 1: Deployment Mode

Before anything else, you choose how the Identity Broker is deployed.

Mode What it is Use when
Embedded The Identity Broker is integrated into the management domain vCenter — nothing extra to deploy A single VCF Instance; simplicity over resilience
Appliance (VIDB) A stand-alone 3-node cluster deployed via VCF Operations fleet management You need HA, or to connect more than one VCF Instance (up to 5 per broker)

Embedded mode ties the Identity Broker to the management domain vCenter — if that vCenter is unavailable, SSO is affected. For production fleets that span multiple instances or need fault tolerance, choose the appliance mode.

Decision 2: Identity Provider & Protocol

VCF 9.0 supports a broad set of providers through the Identity Broker. They fall into two families.

Family Providers Protocols
Modern VMID, Ping Identity, Microsoft Entra ID, Microsoft ADFS, Okta, Generic SAML 2.0 OIDC (OpenID Connect, on OAuth 2.0) or SAML 2.0
Directory-based Active Directory (AD over LDAP), OpenLDAP LDAP

For user and group provisioning, the broker supports Just-in-Time (JIT), SCIM 2.0, and direct AD/LDAP. Groups can be created dynamically on first login (JIT), or you can pre-provision groups when you already know which IdP groups need entitlements.

Before You Start: Prerequisites

  • You have registered VCF as an application/client at your identity provider, and you have the Client Identifier, Shared Secret, OpenID Address (issuer/discovery URL), and the IdP signing certificate.
  • You know the Redirect URL to register at the IdP (provided by VCF during configuration).
  • The components you want to federate are at version 9.0 or later — only VCF 9.0+ components support SSO.
  • You have reviewed the official prerequisites and "important points to consider" before enabling SSO.

Step-by-Step Configuration

Step 1 — Select the VCF Instance & Deployment Mode

  1. In VCF Operations, go to Fleet Management → Identity & Access and select the VCF Instance to enable (e.g. Prod).
  2. On Enable Single Sign-On, start task 1, Choose deployment mode.
  3. Select Identity broker (embedded) or Identity broker appliance, then continue.

Step 2 — Configure the Identity Provider

This is the core of the setup. The wizard walks you through:

  1. Choose the identity provider — e.g. Ping Identity (or Entra ID, Okta, ADFS, Generic SAML 2.0, AD/LDAP, OpenLDAP).
  2. Authentication method — choose OIDC or SAML. OIDC is the modern OAuth 2.0-based option.
  3. Identity Provider Configuration — enter the authentication details:
    • IdP Display Name — a friendly name shown in VCF (e.g. Internal OIDC)
    • Client Identifier and Shared Secret — the OAuth client credentials from your IdP
    • OpenID Address — the IdP's OpenID discovery / issuer URL
    • Redirect URL — the VCF callback URL to register at the IdP
    • SSL Certificate — browse for and upload the IdP signing certificate
  4. User/Group Provisioning Method — choose Just-in-Time Provisioning (or SCIM, or AD/LDAP).
  5. Group Provisioning — choose Groups pre-provisioning or Just-in-Time group provisioning.
  6. Domain(s) — add the domain users will log in with (e.g. vcf.sddc.lab).
  7. Pre-provisioning Domains and Groups — add the group(s) that need access, e.g. vcf-admins.

    Group attribute values are case sensitive — they must match the IdP exactly.

  8. Attributes — map the IdP claims to VCF identity attributes (see the table below).
  9. Review the configuration and finish the wizard.

OIDC Attribute Mapping

VCF Identity Broker Attribute OpenID Claim
ExternalID (Unique id)sub
userNamepreferred_username
firstNamegiven_name
lastNamefamily_name
emailemail
Group Attribute: groupsgroups

Step 3 — Configure Components (vCenter & NSX)

On the Component Configuration tab, the components list shows the vCenter Servers and NSX Managers across your management and workload domains. The management domain vCenter is already the broker host, so connect the rest:

  1. Select the management-domain NSX Manager.
  2. Select the workload-domain vCenter Server (e.g. wld01).
  3. Select the workload-domain NSX Manager.
  4. Click Configure Component.

Only VCF components at version 9.0 or later can be enabled for SSO; older components are not supported and will not appear as eligible.

Step 4 — Configure VCF Operations & VCF Automation

The management appliances must be registered as clients of the Identity Broker:

  1. Under VCF Management, open the Operations Appliance and click Configure client — set the Identity Broker (e.g. mgmt-vcenter-vcf.sddc.lab), the VCF Instance, and the Deployment Mode, then Configure.
  2. Repeat for the Automation Appliance.

Optionally, you can also enable SSO for other components such as VCF Operations for Logs, for Networks, HCX, and Orchestrator.

Step 5 — (Optional) Set Up vCenter Linking

To get a single inventory view across vCenters, use Infrastructure Operations → Configurations → vCenter Linking:

  1. Create Group and give it a name (e.g. Prod Group).
  2. Add the compatible vCenter Instances (must be version 9.0+, not already in another vCenter group, and not part of an Enhanced Linked Mode group) — e.g. mgmt-vcenter and wld01-vcenter.
  3. Review and Finish.

Step 6 — Assign Roles & Scope

Authentication alone is not enough — a group must be granted a role and a scope before it can do anything:

  1. Go to Administration → Control Panel → Access Control → User Groups.
  2. Choose Import from Source, select VCF SSO, search the prefix (e.g. vcf), select vcf-admins, and finish.
  3. Edit the imported group → Assign Roles and Scope: pick a role (e.g. Administrator) and a scope (e.g. All Objects), then Save.

Until a user or group is assigned both a role and a scope, it can authenticate but cannot log in to view the inventory. This is the single most common "SSO works but I see nothing" mistake.

Step 7 — Verify

Log in to a federated component (for example the vSphere Client) using your enterprise identity and confirm you land with the expected permissions. Repeat for NSX Manager, VCF Operations and VCF Automation — one identity, every console.

Common Gotchas

Symptom Likely cause
Login succeeds but inventory is emptyNo role/scope assigned to the group
Group not recognizedCase mismatch in the pre-provisioned group name
Component cannot be enabledComponent is below version 9.0
Redirect/login loop at the IdPWrong Redirect URL or Client Identifier/Secret

Best Practices

  • Use the appliance mode (3-node VIDB) for production and multi-instance fleets; reserve embedded for single-instance or lab use.
  • Prefer OIDC for modern providers — it is the OAuth 2.0-based, token-driven path.
  • Pre-provision a dedicated admin group (e.g. vcf-admins) and grant it Administrator / All Objects, instead of relying on individual accounts.
  • Keep a break-glass local account in case the IdP is unreachable.
  • Federate every component (vCenter, NSX, Operations, Automation) so there are no local-auth back doors left open.

Summary

  • VCF SSO uses the VCF Identity Broker to federate access across vCenter, NSX, VCF Operations and VCF Automation.
  • Choose embedded (in the management vCenter) or appliance (3-node, multi-instance) mode.
  • Connect a provider over OIDC or SAML, define provisioning and attribute mapping, then configure components.
  • Always assign a role and scope — authentication without authorization shows an empty console.

Sources: VMware Cloud Foundation 9.0 official documentation (techdocs.broadcom.com — Fleet Management / VCF Single Sign-On) and the VMware Cloud Foundation blog (blogs.vmware.com/cloud-foundation).