
Let’s be real for a second: nobody wakes up excited to tackle an identity management upgrade. Juggling directory syncs, configuring SSO, and migrating users without accidentally locking your whole team out is practically a rite of passage in IT. It’s usually the kind of project you try to push to the bottom of the backlog.
But lately, I’ve been diving into how VCF 9.1 handles the shift from the deprecated VMware Identity Manager (VIDM) to the new VCF Identity Broker, and I have to say, it’s an absolute game-changer for our administrative overhead.
If you haven’t looked into how VMware is handling identity management these days, you are missing out. Here is a breakdown of what’s new and why it’s making my life a whole lot easier.
It’s Built-In Out of the Box
The first thing you’ll notice is that starting with VCF 9.1, the Identity Broker is installed right at the time VCF is deployed or upgraded. It acts as the essential intermediary between your VCF components and your external Identity Provider (IdP), natively supporting industry-standard protocols like AD/LDAP, SAML 2.0, and OIDC. Having it just be there out of the box saves so much time.
True Fleet-Wide Control
One of the biggest architectural shifts here is that VCF SSO is now managed at the fleet-level rather than instance-by-instance, giving us way better operational granularity.
When you fire up the new “Get Started” workflow, you just pick a VCF instance from a dropdown to kick off the SSO config. Hooking up your IdP is straightforward with built-in support for modern providers like Okta, Ping Identity, Microsoft Entra ID, ADFS, and Symantec IDSP. Still rocking standard AD/LDAP or OpenLDAP? That works too, along with generic SAML 2.0 or OIDC options.
Architecture That Actually Scales
For those of you running mission-critical environments, deploying the Identity Broker as a resilient, multi-node appliance is the recommended way to go.
You can easily scale each node up (S, M, L, or XL) whenever you need more juice, and these nodes can actually be deployed outside of the management cluster. Just spinning up a PoC or lab? You can use the embedded mode right on the management vCenter. If you ever need to promote that lab to production, there is a built-in workflow to seamlessly migrate your embedded broker over to the full 3-node appliance later.
No More Manual IAM Configurations
Here is where the 9.1 workflow really saves us time compared to 9.0. Once you provision your users and groups from your IdP into the Identity Broker, you can perform a quick SSO test login to VCF Operations.
From there, the workflow automatically connects vCenter and NSX to the Identity Broker to activate SSO access. If you remember configuring IAM in VCF 9.0, you know that hooking up vCenter and NSX used to be a tedious set of manual steps. Having the workflow handle this automatically is a massive quality-of-life improvement. Finally, you can assign the newly introduced VCF-level roles to your users and groups for accessing components.
The VIDM Migration Script is a Lifesaver
Let’s talk about the elephant in the room: moving off the old VIDM sounded like a nightmare. But if you’re coming from VCF 5.x, VMware actually included a dedicated scripted workflow that handles the migration for you.
The upgrade process deploys the Identity Broker, and the migration script simply runs after the upgrade is completed. It non-disruptively moves your users and groups over, and your existing users won’t even notice.
Just a heads up: the migration script only covers your users and groups, so you still have to configure your external IdP connection yourself.
Final Thoughts
Overall, I am thrilled with where VCF identity management is heading. Dropping the old VIDM baggage and moving to a scalable, built-in Identity Broker with a streamlined “Get Started” workflow means fewer headaches, happier admins, and a much cleaner security architecture.
Disclaimer: Please note that the views expressed in this blog are solely my own and should be treated as personal opinions. This content does not hold any legal or authoritative standing.
