In VMware Cloud Foundation (VCF) 9.0, providing secure, centralized access to Kubernetes clusters is a critical requirement for enterprise compliance. The vSphere Kubernetes Service (VKS) utilizes OpenID Connect (OIDC) as the primary supported protocol for integrating with external identity providers (IdPs). While vCenter Server itself supports SAML 2.0 for administrative access to the vSphere Client, the workload clusters (VKS) specifically leverage OIDC to provide a modern, token-based authentication flow for developers and automated systems.
Through the integration of the Pinniped authentication service within the vSphere Supervisor, administrators can configure VKS clusters to delegate authentication to external providers like Okta, Microsoft Entra ID (formerly Azure AD), or PingFederate. When a developer uses the kubectl vsphere login command, the system facilitates an OIDC flow that issues short-lived identity tokens. This ensures that user identities are managed in a single source of truth rather than locally on each cluster. Although Active Directory (Option D) is a common identity source, it is typically reached via an OIDC provider or integrated into vCenter's SSO, which then presents an OIDC interface to the Kubernetes API. VCF 9.0 documentation emphasizes OIDC because of its native compatibility with Kubernetes authentication headers and its ability to handle complex claims and group memberships efficiently within a cloud-native SDDC environment.
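To make the "short-lived tokens" and "claims and group memberships" points concrete, the following is an added example (not code from VMware, Pinniped, or VCF documentation) of the checks a Kubernetes API server performs on an OIDC ID token before mapping it to a username and groups for RBAC: issuer, audience, expiry, signature, then the username and groups claims with the usual prefixes. The issuer URL, client ID, claim names, secret and sample claims are constructed placeholders; the token is HS256-signed with a shared secret purely so the example runs offline with the standard library (a real IdP signs with RSA/EC keys published at its JWKS endpoint, which the verifier fetches via discovery).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Constructed settings, mirroring the kube-apiserver --oidc-* flags (not real values).
ISSUER = "https://idp.example.test"      # must equal the token's "iss" claim
CLIENT_ID = "vks-cluster-01"             # must appear in the token's "aud" claim
USERNAME_CLAIM = "email"                 # claim used as the Kubernetes username
GROUPS_CLAIM = "groups"                  # claim used for Kubernetes group membership
USERNAME_PREFIX = "oidc:"                # avoids collisions with local/system users
GROUPS_PREFIX = "oidc:"                  # same for groups (e.g. "system:masters")
DEMO_SECRET = b"demo-shared-secret"      # constructed; stands in for the IdP's signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict) -> str:
    """Play the role of the IdP: sign a claim set as a compact JWT (HS256 for demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenRejected(Exception):
    """Raised when the token fails any validation step; the request is unauthenticated."""


def authenticate(token: str, now: Optional[int] = None) -> Tuple[str, List[str]]:
    """Validate an ID token the way the API server does and return (username, groups)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")

    # 1. Signature first: never trust claims from an unverified or alg=none token.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected signing algorithm")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("signature verification failed")

    claims = json.loads(_b64url_decode(payload_b64))

    # 2. Issuer and audience: the token must come from our IdP and be minted for this cluster.
    if claims.get("iss") != ISSUER:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise TokenRejected("audience mismatch")

    # 3. Expiry: short-lived tokens limit the window in which a stolen token is useful.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise TokenRejected("token expired or missing exp")

    # 4. Identity mapping: username and groups come from configured claims, with prefixes.
    username = claims.get(USERNAME_CLAIM)
    if not isinstance(username, str) or not username:
        raise TokenRejected(f"missing {USERNAME_CLAIM} claim")
    groups = claims.get(GROUPS_CLAIM, [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise TokenRejected(f"{GROUPS_CLAIM} claim must be a list of strings")

    return USERNAME_PREFIX + username, [GROUPS_PREFIX + g for g in groups]


if __name__ == "__main__":
    # Constructed sample claims for a developer whose IdP group grants cluster access.
    issued = int(time.time())
    token = mint_id_token({
        "iss": ISSUER, "aud": CLIENT_ID, "iat": issued, "exp": issued + 300,
        "email": "dev@example.test", "groups": ["platform-dev"],
    })
    print(authenticate(token))
```

Because the groups come back prefixed (for example "oidc:platform-dev"), a ClusterRoleBinding on the cluster references that prefixed name; group membership is then changed only at the IdP, which is the single-source-of-truth benefit the explanation above describes.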