Multiple VCF SSO Identity Providers for VMware Cloud Foundation (VCF) Fleet?

Most organizations rely on a single Identity Provider (IdP) such as Symantec VIP AuthHub, Okta, Microsoft Entra ID, or PingFederate to provide common identity and access management. However, for some organizations, managing multiple IdPs is just the reality, often due to organizational structure or mergers and acquisitions (M&A).

The new VCF 9.0 Single Sign-On (SSO) has a flexible architecture that can benefit organizations with either a single IdP or multiple IdPs, while still providing the SSO capability. The component that is responsible for providing VCF SSO is called the VCF Identity Broker (vIDB) and it has two deployment models, one of which can aide in the multi-IdP requirement.

VCF SSO is configured on a per-VCF Instance and by leveraging the built-in Embedded vIDB from within the vCenter Server Appliance (VCSA), we can configure VCF SSO using the VCSA within the VCF Management Domain to enable the different IdPs within each VCF Instance as illustrated in the diagram below:

While this may not be a common scenario for most customers, the good news is this just works out of the box without requiring any additional resources to be deployed.

For those with a single IdP and would like VCF SSO across multiple VCF Instances, you can streamline the configuration by deploying a single External vIDB instance which can then be used by multiple VCF Instances as illustrated in the diagram below:

Whether you have organizational requirements that mandate multiple IdPs or you would like to streamline a single IdP deployment, VCF 9.0 can support either or both!

Lastly, for those interested in playing with VCF SSO in a lab environment, but do not have access to an Enterprise IdP, you can check out this blog post using a self-hosted IdP called Keycloak.