CSP leverages a different authentication flow. The default identity source for CSP is My VMware accounts. Administrators who require access to the VMware Cloud Services Console need to hold a My VMware account and be invited to the Organization. IAM is managed from the CSP portal under Identity & Access Management, in the Active Users section, where we can add new users and assign them their corresponding roles and permissions. In the following example, we add a new user to the VMware Cloud service with the Administrator and NSX Cloud Admin roles:
Figure 4.45 – CSP adding new users to the VMware Cloud service
Once we click on ADD, the administrator will receive an invite email for the service. In our example, the invitation will be visible in the Pending Invitations tab because the administrator does not yet have an active My VMware account and will need to create one to accept the invite, as seen in the screenshot:
Figure 4.46 – CSP adding new users to VMware Cloud pending invitations
Another authentication flow is to federate CSP with an external identity provider (IdP) such as Azure AD or Okta and leverage the existing corporate domain authentication infrastructure.
To start the federation process, administrators need to go to their CSP Organization and click on SET UP to start the process, as seen in the following screenshot:
Figure 4.47 – Initiate enterprise federation from CSP
Information
The federation provisioning process creates a new federated Organization. Starting with version 1.22 of SDDC, you can federate CSP and vCenter and leverage accounts from the federated domains to authenticate to vCenter.
Users can then access VMware Cloud resources with their corporate credentials, which are not stored on CSP, and leverage the corporate MFA authentication procedures. The full configuration of the IdP federation is beyond the scope of this chapter.