Summary and recommendation
VMware Tanzu Platform does not offer native SCIM provisioning across its unified platform. While VMware's legacy products like vCenter Server 8.0 U2+ and individual UAA components support SCIM 2.0 endpoints, the consolidated Tanzu Platform relies on JIT (Just-In-Time) provisioning for its console interface. Under Broadcom's ownership, Tanzu is now exclusively bundled with VMware Cloud Foundation at approximately $350 per core annually (minimum 72 cores required), making it a $25,200+ annual commitment before considering provisioning challenges. The platform's complex multi-product architecture means SSO configuration varies significantly across components, creating inconsistent user management experiences.
This fragmented approach creates significant operational overhead for IT teams managing developer and platform engineer access. Without centralized SCIM provisioning, administrators must manually manage user lifecycle across multiple Tanzu components, track access permissions separately, and rely on JIT provisioning that only works when users successfully authenticate. For enterprise environments running cloud-native workloads, this manual process introduces security gaps and compliance risks, particularly when team members change roles or leave the organization.
The strategic alternative
VMware Tanzu gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| Question | Answer |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages VMware Tanzu accounts manually. Here's what that costs:
The VMware Tanzu pricing problem
VMware Tanzu gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Enterprise | Custom (bundled with VMware Cloud Foundation) |
Market data on VMware costs
What this means in practice
No standalone option: Tanzu Platform is now bundled exclusively with VMware Cloud Foundation or vSphere Foundation. You cannot purchase Tanzu separately, forcing organizations to license entire infrastructure stacks even if they only need the platform services.
Forced minimum spend: The 72-core minimum licensing requirement means even small Tanzu deployments carry a $25,200+ annual infrastructure cost before adding platform or support fees.
Complex provisioning landscape: Different Tanzu components handle identity differently:
Additional constraints
Summary of challenges
- VMware Tanzu supports SCIM, but only at the Enterprise tier (custom pricing, bundled with VMware Cloud Foundation)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows that teams manually provisioning this app incur significant hidden costs annually
What VMware Tanzu actually offers for identity
SAML/OIDC SSO (Platform-dependent)
VMware Tanzu's identity management varies significantly across its complex product suite:
| Component | SSO Support | Provisioning Method |
|---|---|---|
| Tanzu Platform Console | SAML 2.0, OIDC | JIT provisioning only |
| Cloud Foundry (UAA) | SAML, LDAP, OIDC | SCIM 2.0 via UAA server |
| vSphere 8.0 U2+ | SAML 2.0 | SCIM 2.0 (limited) |
| Workspace ONE | SAML 2.0, OIDC | SCIM 2.0 |
Critical limitation: There's no unified SCIM provisioning across the Tanzu platform. Each component requires separate identity configuration and has different capabilities.
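The per-component split in the table above determines how a departed user can be removed from each component. The following added example (not Stitchflow or VMware code) compares an IdP roster against per-component account lists and plans a SCIM 2.0 deactivation where SCIM exists and a manual removal where only JIT provisioning exists. The function names and sample accounts are constructed, and it assumes the SCIM-capable components accept a standard RFC 7644 PatchOp.

```python
import json

# Provisioning method per component, taken from the table above.
PROVISIONING = {
    "Tanzu Platform Console": "JIT",
    "Cloud Foundry (UAA)": "SCIM",
    "vSphere 8.0 U2+": "SCIM",
    "Workspace ONE": "SCIM",
}

def scim_deactivate_body():
    """SCIM 2.0 PatchOp (RFC 7644, section 3.5.2) that sets active=false."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }

def plan_offboarding(active_idp_users, component_accounts):
    """Return one action per account that has no active IdP identity."""
    active = {u.lower() for u in active_idp_users}
    actions = []
    for component, accounts in sorted(component_accounts.items()):
        method = PROVISIONING.get(component, "unknown")
        for user in sorted(accounts):
            if user.lower() in active:
                continue
            if method == "SCIM":
                action = {"via": "scim_patch", "body": scim_deactivate_body()}
            else:
                # JIT only creates accounts at login; nothing removes them.
                action = {"via": "manual_removal", "body": None}
            actions.append({"component": component, "user": user, **action})
    return actions

# Constructed sample data (hypothetical accounts, not from the page).
IDP_ACTIVE = ["alice@example.com", "bob@example.com"]
ACCOUNTS = {
    "Tanzu Platform Console": ["alice@example.com", "carol@example.com"],
    "Cloud Foundry (UAA)": ["Bob@example.com", "carol@example.com"],
    "vSphere 8.0 U2+": ["alice@example.com"],
}

if __name__ == "__main__":
    for a in plan_offboarding(IDP_ACTIVE, ACCOUNTS):
        print(json.dumps(a))
```

The account matching is case-insensitive, so an account stored as `Bob@example.com` is not reported as orphaned when the IdP lists `bob@example.com`.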
The Broadcom Reality Check
Under Broadcom ownership, VMware Tanzu now comes with significant constraints:
What You Actually Get
The "Enterprise" tier includes:
The problem: You're paying enterprise platform prices for fragmented identity capabilities that require significant integration work across multiple Tanzu components.
What IT admins are saying
Community sentiment on VMware Tanzu under Broadcom ownership is overwhelmingly negative, with IT teams facing dramatic cost increases and forced bundling:
- Massive price hikes: Reports of 150-1000%+ price increases since the Broadcom acquisition
- Forced bundling: Can no longer purchase Tanzu standalone; must buy the entire VMware Cloud Foundation bundle
- Minimum licensing requirements: The 72-core minimum license requirement hits smaller deployments hard
- Identity migration deadlines: Forced migration from identity brokers by June 30, 2025
VCF pricing went from ~$700/core/year to ~$350/core/year, but now everything is bundled together whether you need it or not. The minimum 72 core requirement means small teams are paying for capacity they'll never use.
We're looking at a 400% cost increase just to keep our Kubernetes platform running. Broadcom is forcing us to evaluate alternatives.
The recurring theme
Broadcom's acquisition has transformed VMware Tanzu from a targeted Kubernetes platform into an expensive, bundled enterprise suite that many organizations can no longer justify, driving mass migration to alternatives like Amazon EKS and Azure AKS.
The decision
| Your Situation | Recommendation |
|---|---|
| Small dev team (<10 users) exploring Kubernetes | Manual management acceptable if you can afford the enterprise licensing |
| Mid-size organization with existing VMware investment | Use Stitchflow: avoid the forced bundling and price increases |
| Enterprise platform team managing multi-tenant Tanzu | Use Stitchflow: essential for automated access control across complex environments |
| Organizations evaluating Kubernetes platforms | Consider alternatives like EKS/GKE with Stitchflow for better cost efficiency |
| Existing Tanzu customers facing license renewal | Use Stitchflow with alternative platforms: escape the Broadcom pricing trap |
The bottom line
VMware Tanzu gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the VMware Tanzu workflow gap
VMware Tanzu gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Identity broker migration required by June 30, 2025
- JIT provisioning for Tanzu Platform Console
- vSphere SCIM support requires 8.0 U2+
- Complex multi-product platform with varying SSO support
- Now bundled only - not available standalone
Documentation not available.


