Summary and recommendation
VMware Tanzu Platform does not offer native SCIM provisioning across its unified platform. While VMware's legacy products like vCenter Server 8.0 U2+ and individual UAA components support SCIM 2.0 endpoints, the consolidated Tanzu Platform relies on JIT (Just-In-Time) provisioning for its console interface. Under Broadcom's ownership, Tanzu is now exclusively bundled with VMware Cloud Foundation at approximately $350 per core annually (minimum 72 cores required), making it a $25,200+ annual commitment before considering provisioning challenges. The platform's complex multi-product architecture means SSO configuration varies significantly across components, creating inconsistent user management experiences.
This fragmented approach creates significant operational overhead for IT teams managing developer and platform engineer access. Without centralized SCIM provisioning, administrators must manually manage user lifecycle across multiple Tanzu components, track access permissions separately, and rely on JIT provisioning that only works when users successfully authenticate. For enterprise environments running cloud-native workloads, this manual process introduces security gaps and compliance risks, particularly when team members change roles or leave the organization.
The strategic alternative
VMware Tanzu gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| Item | Detail |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages VMware Tanzu accounts manually. Here's what that costs:
The VMware Tanzu pricing problem
VMware Tanzu gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Enterprise | Custom (bundled with VMware Cloud Foundation) |
Market data on VMware costs
What this means in practice
No standalone option: Tanzu Platform is now bundled exclusively with VMware Cloud Foundation or vSphere Foundation. You cannot purchase Tanzu separately, forcing organizations to license entire infrastructure stacks even if they only need the platform services.
Forced minimum spend: The 72-core minimum licensing requirement means even small Tanzu deployments carry a $25,200+ annual infrastructure cost before adding platform or support fees.
Complex provisioning landscape: Different Tanzu components handle identity differently:
Additional constraints
Summary of challenges
- VMware Tanzu supports SCIM, but only at the Enterprise tier (custom pricing, bundled with VMware Cloud Foundation)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams that manually provision this app incur significant hidden costs annually
What VMware Tanzu actually offers for identity
SAML/OIDC SSO (Platform-dependent)
VMware Tanzu's identity management varies significantly across its complex product suite:
| Component | SSO Support | Provisioning Method |
|---|---|---|
| Tanzu Platform Console | SAML 2.0, OIDC | JIT provisioning only |
| Cloud Foundry (UAA) | SAML, LDAP, OIDC | SCIM 2.0 via UAA server |
| vSphere 8.0 U2+ | SAML 2.0 | SCIM 2.0 (limited) |
| Workspace ONE | SAML 2.0, OIDC | SCIM 2.0 |
Critical limitation: There's no unified SCIM provisioning across the Tanzu platform. Each component requires separate identity configuration and has different capabilities.
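The per-component split above means an offboarding check has to branch on provisioning method. The following sketch is an added example, not code from VMware or from this page's vendor: it compares an IdP roster with per-component account exports and plans a SCIM 2.0 deactivation where the table lists SCIM, or a manual review where only JIT exists. The function names, the account exports and the user names are constructed assumptions; the component names come from the table.

```python
import json

# Provisioning method per component, taken from the table above
# (vSphere is listed there as "SCIM 2.0 (limited)").
PROVISIONING = {
    "Tanzu Platform Console": "jit",
    "Cloud Foundry (UAA)": "scim",
    "vSphere 8.0 U2+": "scim",
    "Workspace ONE": "scim",
}

def scim_deactivate_patch():
    """SCIM 2.0 PatchOp body (RFC 7644, section 3.5.2) that sets active=false."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }

def plan_offboarding(idp_active, component_accounts):
    """Return one action per account that no longer maps to an active IdP user.

    idp_active: user names currently active in the IdP.
    component_accounts: {component: [user names]} exported from each component.
    """
    active = {u.strip().lower() for u in idp_active}
    actions = []
    for component, users in sorted(component_accounts.items()):
        method = PROVISIONING.get(component, "unknown")
        for user in sorted({u.strip().lower() for u in users} - active):
            if method == "scim":
                actions.append({"component": component, "user": user,
                                "action": "scim_patch", "body": scim_deactivate_patch()})
            else:
                # JIT only creates accounts at login; no SCIM call can deactivate them.
                actions.append({"component": component, "user": user,
                                "action": "manual_review", "body": None})
    return actions

# Constructed sample data (hypothetical users, not from a real environment).
IDP_ACTIVE = ["alice@example.com", "bob@example.com"]
ACCOUNTS = {
    "Tanzu Platform Console": ["alice@example.com", "carol@example.com"],
    "Cloud Foundry (UAA)": ["Bob@example.com", "carol@example.com", "dave@example.com"],
    "Workspace ONE": ["alice@example.com"],
}

if __name__ == "__main__":
    for a in plan_offboarding(IDP_ACTIVE, ACCOUNTS):
        print(a["component"], a["user"], a["action"], json.dumps(a["body"]))
```

Components missing from the mapping fall through to manual review, so an unrecognised export is never silently skipped.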
The Broadcom Reality Check
Under Broadcom ownership, VMware Tanzu now comes with significant constraints:
What You Actually Get
The "Enterprise" tier includes:
The problem: You're paying enterprise platform prices for fragmented identity capabilities that require significant integration work across multiple Tanzu components.
What IT admins are saying
Community sentiment on VMware Tanzu under Broadcom ownership is overwhelmingly negative, with IT teams facing dramatic cost increases and forced bundling:
- Massive price hikes: Reports of 150-1000%+ price increases since Broadcom acquisition
- Forced bundling: Can no longer purchase Tanzu standalone - must buy entire VMware Cloud Foundation bundle
- Minimum licensing requirements: 72 core minimum license requirement hits smaller deployments hard
- Identity migration deadlines: Forced migration from identity brokers by June 30, 2025
VCF pricing went from ~$700/core/year to ~$350/core/year, but now everything is bundled together whether you need it or not. The minimum 72 core requirement means small teams are paying for capacity they'll never use.
We're looking at a 400% cost increase just to keep our Kubernetes platform running. Broadcom is forcing us to evaluate alternatives.
The recurring theme
Broadcom's acquisition has transformed VMware Tanzu from a targeted Kubernetes platform into an expensive, bundled enterprise suite that many organizations can no longer justify, driving mass migration to alternatives like Amazon EKS and Azure AKS.
The decision
| Your Situation | Recommendation |
|---|---|
| Small dev team (<10 users) exploring Kubernetes | Manual management acceptable if you can afford the enterprise licensing |
| Mid-size organization with existing VMware investment | Use Stitchflow: avoid the forced bundling and price increases |
| Enterprise platform team managing multi-tenant Tanzu | Use Stitchflow: essential for automated access control across complex environments |
| Organizations evaluating Kubernetes platforms | Consider alternatives like EKS/GKE with Stitchflow for better cost efficiency |
| Existing Tanzu customers facing license renewal | Use Stitchflow with alternative platforms: escape the Broadcom pricing trap |
The bottom line
VMware Tanzu under Broadcom ownership has become prohibitively expensive with forced bundling and 150-1000%+ price increases. While the platform offers enterprise-grade Kubernetes capabilities, the lack of native SCIM support and astronomical licensing costs make it a poor choice for most organizations. Stitchflow enables you to get automated provisioning with modern alternatives at a fraction of the cost.
Make VMware Tanzu workflows AI-native
VMware Tanzu gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Identity broker migration required by June 30, 2025
- JIT provisioning for Tanzu Platform Console
- vSphere SCIM support requires 8.0 U2+
- Complex multi-product platform with varying SSO support
- Now bundled only - not available standalone
Documentation not available.


