Part 30 – Configuring SSO in VMware Cloud Foundation with Identity Broker

In my previous post, we walked through deploying the External Identity Broker cluster. Today, we’ll take the next step: configuring Single Sign-On (SSO) across VMware Cloud Foundation (VCF) components and integrating with Active Directory (AD).

This process ensures centralized identity management, seamless authentication, and consistent role assignments across vCenter, NSX, and VCF Operations.

Step 1: Access Identity & Access Management

Log in to the VCF Operations interface.

Navigate to Fleet Management → Identity & Access Management. Under the SSO overview, select your VCF instance (in my case: mgmt-vcf-01).

On the deployment mode screen, choose the Identity Broker Appliance. If not already deployed, you’ll be prompted to set it up.

Step 2: Configure the Identity Provider

Now it is time to configure the identity provider: click Configure.

From the Directory-Based Identity Provider section, select AD/LDAP.

Bind using the built-in AD administrator account.

In the configuration window, provide:

  1. Primary Domain Controller
  2. Base DN
  3. Bind Username
  4. Bind Password

Review the details and click Finish.

Step 3: Configure User & Group Provisioning

Click Configure Provisioning.

In the Setup Provisioning wizard, verify the connection details and then:

  • Map attributes
  • Select users/groups to synchronize
  • (For lab purposes, I disabled LDAPS)

Review attribute mappings.

Select the vSphere_Admins OU and enable nested groups. Best practice: sync groups rather than individual users.

Enter the User Base DN if you want to demonstrate user provisioning.

Review and click Finish, then Done.
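Added example (not from this post and not VMware code) showing what the two provisioning choices above mean in practice: the effect of "enable nested groups" and of syncing groups rather than individual users. The directory snapshot, the lab.local domain, the group names and the user DNs are constructed for illustration.

```python
from collections import deque

# Constructed directory snapshot (not pulled from a real AD): DN -> attributes.
# Groups carry an AD-style 'member' list; Platform_Team nests back into its
# parent to show the membership cycle that AD permits.
DIRECTORY = {
    "CN=vSphere_Admins,OU=vSphere_Admins,DC=lab,DC=local": {
        "objectClass": "group",
        "member": ["CN=Platform_Team,OU=vSphere_Admins,DC=lab,DC=local",
                   "CN=alice,OU=Users,DC=lab,DC=local"]},
    "CN=Platform_Team,OU=vSphere_Admins,DC=lab,DC=local": {
        "objectClass": "group",
        "member": ["CN=bob,OU=Users,DC=lab,DC=local",
                   "CN=vSphere_Admins,OU=vSphere_Admins,DC=lab,DC=local"]},
    "CN=alice,OU=Users,DC=lab,DC=local": {"objectClass": "user"},
    "CN=bob,OU=Users,DC=lab,DC=local": {"objectClass": "user"},
    "CN=carol,OU=Users,DC=lab,DC=local": {"objectClass": "user"},  # in no group
}


def expand_group(group_dn, directory, nested=True):
    """Effective user members of group_dn.

    nested=True mirrors the wizard's 'enable nested groups' option: member
    groups are expanded transitively. The visited set stops membership cycles
    from looping forever; dangling member DNs are skipped."""
    users, seen = set(), set()
    queue = deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        for member in directory.get(dn, {}).get("member", []):
            kind = directory.get(member, {}).get("objectClass")
            if kind == "user":
                users.add(member)
            elif kind == "group" and nested:
                queue.append(member)
    return users


def unsynced_users(directory, synced_groups, nested=True):
    """Users in the snapshot that group-based provisioning would never sync
    because they sit in none of the selected groups (directly or nested)."""
    covered = set()
    for group_dn in synced_groups:
        covered |= expand_group(group_dn, directory, nested)
    all_users = {dn for dn, e in directory.items() if e["objectClass"] == "user"}
    return all_users - covered
```

With nested groups disabled, bob would silently drop out of the sync, and carol is never provisioned at all, which is exactly the kind of gap the Sync Logs check at the end of the post should reveal.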

Step 4: Finalize SSO Configuration

To finalize the SSO configuration, click Finish Setup.

In the window with important notes about backup and role assignment, acknowledge the notes and click Continue.

The Identity Source is now configured.

Step 5: Component Configuration

We now need to make the VCF Identity Broker the identity source for our VCF components. vCenter for the Management Domain is configured automatically during installation.

Connect additional components (e.g., vCenter, NSX) to SSO.

Assign roles to each component → click Continue.

Verify all components show as Configured.

Step 6: Configure VCF SSO for Operations

Navigate to Fleet Management → Identity & Access → VCF Management, select the Operations appliance and click Continue.

Choose the appropriate Identity Broker → click Configure.

Acknowledge role assignment requirements → click Continue.

Step 7: Assign Roles to Synchronized Users

Go to the Access Control section of the configured component.

  1. Click Add > Import synchronized users from Source.
  2. Select all the users.

Verify users under Access Control → User Accounts.

Turning to vSphere: the identity provider should be the default authentication source. With the Identity Broker appliance deployment this is already the case, so there is nothing to change, but in an embedded deployment you will need to change it yourself.

The configured authentication source can be viewed in the vSphere Client.

Assign permissions to vCenter endpoints.

Assign permissions to NSX endpoints.

Step 8: Validate SSO Login

Log in to vCenter using an AD account → the SSO provider is visible on the login page.

Log in with the AD user and you are taken into vCenter.

Log in to NSX with the same AD credentials. Once an SSO session has been established with any endpoint, the other endpoints log you in automatically.

Check the Sync Logs under Identity & Access to confirm that all users are synchronized; every synced user appears there.


By Ash Thomas

Ash Thomas is a seasoned IT professional with extensive experience as a technical expert, complemented by a keen interest in blockchain technology.
