VCF Operations

VCF 9.1 - Configuring vSphere Supervisor to use VCF Identity Broker (IDB) for External Identity Federation

06.08.2026 by William Lam // Leave a Comment

The majority of VMware Cloud Foundation 9.1 components can automatically be configured when enabling VCF Single Sign-On (SSO), with the exception of VCF Operations HCX, Log Management (formally VCF Operations for Logs) and VCF Operations for Networks.

These additional VCF components can still be configured to use VCF SSO, however users must first create a new OIDC Client Application from the VCF Identity Broker before completing the VCF SSO configuration for those respective components.

This ability to create custom OIDC Client Application from the VCF Identity Broker brings up an interesting capability for those using vSphere Supervisor and have not deployed VCF Automation (VCFA). vSphere Supervisor can support external identity federation and you would typically create an OIDC Client from your identity provider (e.g. Keycloak). For simplicity purposes, especially for lab or PoC purposes, you could take advantage of the VCF Identity Broker to simply use it as the IdP for vSphere Supervisor and get the benefit of having a single OIDC Client from your IdP.

Note: When VCFA is deployed and configured to use your vSphere Supervisor, it actually becomes the IdP interface where you would then configure your external IdP within VCFA Tenant Portals and VCF Identity Broker is not involved at all to cleanly separate infrastructure configuration from tenant configurations.

[Read more...]

VCF 9.1 - Automating VCF Single Sign-On (SSO) with OIDC-based Identity Provider

05.19.2026 by William Lam // 2 Comments

There are a number of exciting enhancements to VMware Cloud Foundation (VCF) Single Sign-On (SSO) with the release of VCF 9.1 from Generic OIDC/SAML2 Identity Provider (IdP) support, streamline way to manage component level priviledges using VCF Roles and API Client and Token support for non-interactive logins to just name a few.

The process of connecting to an external IdP is mostly the same from earlier VCF releases, I typically use Keycloak for my lab environment for VCF SSO, which you can follow this blog post for the detailed step by step.

What has changed are some of the underlying VCF Operations and Identity Broker APIs used to configure VCF SSO in 9.1. With the introduction of VCF Roles, I also thought it would be a good to refresh the PowerShell script I had originally written for configuring VCF 9.0 SSO with an OIDC-based IdP for VCF 9.1.

[Read more...]

VCF 9.1 - Automating New License Entitlement Workflow between VCF Operations & VCF Business Service Console (BSC)

05.18.2026 by William Lam // Leave a Comment

VMware Cloud Foundation (VCF) 9.1 introduces a few new updates with the license entitlement workflow between VCF Operations and VCF Business Service Console (BSC) for users operating in an air-gapped or disconnected environment.

Below is a visual that outlines the workflow between VCF BSC (red) and VCF Operations (orange), along with the new changes in 9.1:

Whether your organization will have a single or multiple VCF Fleets, automation is essential for consistency and operating at scale.

Last year, I had created a PowerShell Module called Broadcom.Community.VCFLicensing that can help users fully automate the end-to-end licensing entitlement process and I am please to share that it has now been refreshed to support VCF 9.1!

[Read more...]