[VMC on AWS] Failing to login after enabling vCenter Federated Login

Article ID: 317507


Updated On:

Products

VMware Cloud on AWS

Issue/Introduction

This article provides information about vCenter Federated Login issues that occur when Enterprise Federation is configured to use dynamic authentication.

Symptoms:
Enterprise Federation has been configured to utilize dynamic (connectorless) authentication.
vCenter Federated login on VMware Cloud on AWS (VMC on AWS) has been enabled. 
The necessary roles have been assigned to the users. 
Users are unable to log in to vCenter due to a permissions error.

Cause

This is caused by utilizing dynamic authentication with Enterprise Federation.

Resolution

This is a known issue affecting dynamic authentication with Enterprise Federation and the enablement of vCenter Federated Login. 
There is currently no resolution for this issue. 
The fix is planned for 1.22v8 and 1.24v2 SDDC versions. 
There is no ETA for the SDDC version releases. Please subscribe to this KB to stay updated. 

Note: As with all planned fix implementations, the fix may not be included in these versions as other priorities may take precedence.

Workaround:
The workaround is to configure Enterprise Federation to utilize connector-based authentication or to configure an Identity Source for the SDDC vCenter.

Additional Information

Dynamic and Connector-based authentication: What is Enterprise Federation and how does it work
Adding Identity Sources in VMC on AWS: Add an Identity Source to the SDDC LDAP domain

Impact/Risks:
This configuration will prevent users from logging in to vCenter using vCenter Federated Login.