Unable to Configure VCF SSO for vCenter Component in Workload Domain Managed by SDDC Manager or Fleet Manager
Article ID: 416058

Updated On:

Products

VMware vCenter Server VCF Operations

Issue/Introduction

  • When attempting to configure VCF SSO (Single Sign-On) for a vCenter component that is part of a Workload Domain managed by SDDC Manager (or Fleet Manager), the configuration may fail.

  • This issue typically occurs in the VCF Operations interface under the following path: Fleet Management → Identity & Access → VCF Instances → [domain name] → Component Configuration

  • The following error message appears in the user interface (UI):
    Error occurred while configuring the component for SSO. Check Support Logs under Control Panel for more details.
  • Upon reviewing the vCenter Server configuration, the setting Allow Broker Configuration is shown as false, which prevents the Identity Provider from being configured outside of SDDC Manager.

Environment

VMware Cloud Foundation

Cause

This issue occurs due to a design change introduced in vCenter Server when managed by SDDC Manager.

SDDC Manager enforces a control setting (config.SDDC.Deployed.AllowBrokerConfiguration) that prevents the manual addition of an external Identity Provider (IdP) directly to any Workload Domain vCenter.

In this configuration, only SDDC Manager is allowed to manage Identity Provider integrations for those vCenter Servers.

If a configuration drift is detected or if this control setting is set to false, attempts to configure SSO through the VCF Operations interface will fail.

Resolution

  1. Log in to your SDDC Manager portal.

  2. To check for configuration updates, navigate to: Workload Domains → [Affected Domain] → Configuration Updates

  3. Look for any drift item named: AllowBrokerConfigurationConfigDrift

  4. If it exists, remediate the drift as follows:
    • Select the drift item.
    • Choose Remediate to apply the configuration update.
  5. Wait for the remediation task to complete successfully.

  6. Once remediation is complete, return to: VCF Operations → Fleet Management → Identity & Access → VCF Instances → [domain name] → Component Configuration

  7. Retry the SSO configuration and attempt to configure the Identity Provider for the vCenter component again.

  8. The configuration should now complete successfully.

Note: Do not manually change the config.SDDC.Deployed.AllowBrokerConfiguration advanced setting in the vCenter Server. This setting is managed exclusively by SDDC Manager, and manual modification may cause configuration drift or future update failures. Always use the Configuration Updates section in SDDC Manager to remediate any drift.
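As an added read-only check (not part of the original article), the following PowerCLI snippet reports the current value of the config.SDDC.Deployed.AllowBrokerConfiguration advanced setting on each connected vCenter Server, so you can confirm before retrying whether the setting is still false and drift remediation in SDDC Manager is still outstanding. It assumes VMware.PowerCLI is installed and that you have already run Connect-VIServer against the Workload Domain vCenters you want to inspect; the function name is an assumption of this example.

```powershell
# Added example (not from the KB article): read-only audit of the SDDC-managed
# broker-configuration switch on one or more vCenter Servers via PowerCLI.
# Assumes VMware.PowerCLI is installed and sessions already exist
# (Connect-VIServer) for the Workload Domain vCenters to inspect.
$SettingName = 'config.SDDC.Deployed.AllowBrokerConfiguration'

function Get-BrokerConfigurationState {
    param(
        # Connected vCenter sessions; defaults to every active PowerCLI connection
        [Parameter()] $Servers = $global:DefaultVIServers
    )
    foreach ($vc in $Servers) {
        # Get-AdvancedSetting on a VIServer entity reads vCenter-level settings;
        # it returns nothing when the key is absent (vCenter not SDDC-managed).
        $setting = Get-AdvancedSetting -Entity $vc -Name $SettingName -ErrorAction SilentlyContinue
        if (-not $setting) {
            $state = 'NotPresent'          # not an SDDC Manager managed vCenter
        } elseif ([string]$setting.Value -eq 'false') {
            # false is the state the article describes: SSO configuration from
            # VCF Operations will fail until the drift is remediated in SDDC Manager
            $state = 'LockedToSDDCManager'
        } else {
            $state = 'Open'
        }
        [pscustomobject]@{
            vCenter = $vc.Name
            Setting = $SettingName
            Value   = $(if ($setting) { $setting.Value } else { $null })
            State   = $state
        }
    }
}

# Report against all currently connected vCenters. This is read-only on purpose:
# per the note above, never Set-AdvancedSetting this key; SDDC Manager owns it.
Get-BrokerConfigurationState | Format-Table -AutoSize
```

Any vCenter reported as LockedToSDDCManager should be remediated through Workload Domains → Configuration Updates in SDDC Manager before the SSO configuration is retried.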

Additional Information

If the issue persists after remediation, check whether the vCenter Server still has a previously configured Identity Provider. Multiple or stale Identity Provider entries can also prevent successful SSO configuration.
For detailed steps to verify and remove an old Identity Provider, refer to the following article: Unable to configure VCF SSO vCenter component for workload domain