Group Mapping and User Search Issues in VCF Operations with Identity Broker

Article ID: 424497


Products

VCF Operations

Issue/Introduction

In a VMware Cloud Foundation (VCF) 9.0 environment using VCF Identity Broker in Embedded mode (configured with Microsoft Entra ID via SAML), synchronization within the VCF Control Panel does not populate the authentication source information.

While Just-in-Time (JIT) provisioning and redirection to Entra ID work correctly, the following symptoms occur:
  • VCF Operations fails to automatically identify or map the memberOf groups for users.
  • Pre-provisioned groups cannot be saved or applied within VCF Operations.
  • Users are searchable in the VCF Operations interface only after they have performed an initial login attempt.

Environment

VMware Cloud Foundation Operations 9.0 
Component: VCF Identity Broker (Embedded) 
External Authentication Provider: Microsoft Entra ID via SAML

Cause

This is a configuration and procedural limitation in how VCF Operations interacts with the VCF Identity Broker (vIDB). When importing users or groups, VCF Operations queries vIDB directly rather than the external Entra ID source. If Entra ID users have not yet been synchronized into vIDB, the authentication source data remains unpopulated in the VCF Control Panel, and VCF Operations cannot identify group memberships automatically.

Resolution

To resolve this issue and make users and groups available in VCF Operations, you must synchronize them into the Identity Broker and then import them manually.

1. Synchronize Entra ID with vIDB: Ensure that the Entra ID users and groups you need are successfully synchronized with the VCF Identity Broker first. Entries that vIDB does not yet hold cannot be found by the import in the next step.
2. Manually import users or groups into VCF Operations: Log in to VCF Operations, navigate to Administration > Control Panel > Access Control, and perform a manual import for the specific users or groups required.
Note: VCF Operations queries vIDB, not Entra ID, to locate these entries.
3. Assign roles and scopes: Once the users and groups are imported, assign them to the appropriate VCF Operations roles and scopes, granting each only the permissions it needs.
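The check below, added here as an example and not part of the KB or of VMware/Broadcom's tooling, lists the users and groups VCF Operations already knows and reports which expected Entra ID accounts and groups are still missing, so you can run it before the manual import to confirm the symptom and again afterwards to confirm the fix. The REST paths, the `vRealizeOpsToken` authorization scheme and the `userList`/`userGroupList` response shape are taken from the Aria Operations suite-api and are assumptions for VCF Operations 9.0; verify them against the product's API reference. The environment variable names and the sample JSON are constructed for this example.

```python
"""Report which Entra ID accounts and groups are (not yet) visible to VCF Operations.

Added example for this KB; it is not VMware/Broadcom code. Assumptions to verify
against your VCF Operations 9.0 API documentation:
  - the token and user/group listing endpoints follow the Aria Operations suite-api,
  - the listing responses carry a "userList" / "userGroupList" array with a
    "username" / "name" field on each record.
The JSON at the bottom is constructed so the check itself runs offline.
"""
import json
import os
import ssl
import urllib.request

TOKEN_PATH = "/suite-api/api/auth/token/acquire"   # assumed (suite-api)
USERS_PATH = "/suite-api/api/auth/users"           # assumed: users VCF Operations already knows
GROUPS_PATH = "/suite-api/api/auth/usergroups"     # assumed: groups already imported
TOKEN_SCHEME = "vRealizeOpsToken"                  # assumed Authorization scheme


def _call(base_url, path, token=None, body=None, verify_tls=True):
    """Minimal JSON round trip with urllib; GET when no body, POST otherwise."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                 method="POST" if data else "GET")
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"{TOKEN_SCHEME} {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:                 # lab shortcut only; keep verification on in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def acquire_token(base_url, username, password, auth_source="LOCAL", verify_tls=True):
    """Log in with a local admin account; the token is then used for the listing calls."""
    body = {"username": username, "password": password, "authSource": auth_source}
    return _call(base_url, TOKEN_PATH, body=body, verify_tls=verify_tls)["token"]


def missing_names(records, expected, key):
    """Names in `expected` (compared case-insensitively) that have no record with `key`."""
    present = {str(r.get(key, "")).lower() for r in records}
    return sorted(n for n in expected if n.lower() not in present)


def import_report(users_json, groups_json, expected_users, expected_groups):
    """Compare what VCF Operations lists against the Entra ID accounts/groups you expect.

    A non-empty result means the manual import from vIDB (Administration > Control
    Panel > Access Control) has not been done for those entries, or vIDB itself has
    not synchronized them yet.
    """
    missing_users = missing_names(users_json.get("userList", []), expected_users, "username")
    missing_groups = missing_names(groups_json.get("userGroupList", []), expected_groups, "name")
    return {"missing_users": missing_users,
            "missing_groups": missing_groups,
            "import_needed": bool(missing_users or missing_groups)}


# Constructed sample responses: one Entra ID user already imported, one not;
# the Entra ID group has not been imported at all.
SAMPLE_USERS = {"userList": [
    {"username": "admin", "id": "local-1"},
    {"username": "alice@example.com", "id": "u-1"},
]}
SAMPLE_GROUPS = {"userGroupList": [
    {"name": "Administrators", "id": "g-local"},
]}
EXPECTED_USERS = ["alice@example.com", "bob@example.com"]
EXPECTED_GROUPS = ["VCF-Ops-Admins"]


def main():
    base_url = os.environ.get("VCF_OPS_URL")          # e.g. https://ops.example.com (assumed name)
    if base_url:
        token = acquire_token(base_url, os.environ["VCF_OPS_USER"], os.environ["VCF_OPS_PASS"],
                              verify_tls=os.environ.get("VCF_OPS_INSECURE") != "1")
        users = _call(base_url, USERS_PATH, token=token)
        groups = _call(base_url, GROUPS_PATH, token=token)
    else:                                            # offline: use the constructed sample
        users, groups = SAMPLE_USERS, SAMPLE_GROUPS
    print(json.dumps(import_report(users, groups, EXPECTED_USERS, EXPECTED_GROUPS), indent=2))


if __name__ == "__main__":
    main()
```

Run it without `VCF_OPS_URL` to see the report on the constructed sample; set `VCF_OPS_URL`, `VCF_OPS_USER` and `VCF_OPS_PASS` to run it against an instance. A group listed under `missing_groups` is exactly the case in the symptoms above: VCF Operations cannot map memberOf for that group until it has been imported from vIDB.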

Additional Information