| To add groups from an identity provider to the local SSO Administrators group, as an example, do the following: |
From the vSphere Client, go to Administration >> Single Sign On >> Groups.
Select the Administrators group and click "Edit".
In the "Add Members" section, select the identity source and type the name of the target user/group in the search bar.
Select the target user/group to add them and click "Save".
Note: A new SSO group or groups can be created as needed and used to provide authorization to vCenter.
To remove identity provider users/groups from a role, do the following:
From the vSphere Client, go to Administration >> Access Control >> Global Permissions.
Select the offending user/group and click "Delete".
Note: If permissions are assigned on a specific object, then the role must be updated where it is assigned (for example, at the cluster level).