Learn about the authentication model in Tanzu Observability by Wavefront.

Tanzu Observability by Wavefront supports these authentication options:

  • Direct authentication: Users authenticate with user names and passwords. Service accounts authenticate with tokens.
  • Authentication through an SSO identity provider: Users authenticate with their corporate accounts. Not applicable to service accounts.

Starting with the 2022-xy release, Tanzu Observability by Wavefront is a service in the VMware Cloud services suite. If your Wavefront instance is onboarded to VMware Cloud services, VMware Cloud services provides centralized authentication for all service instances that run in your organization.

Direct Authentication

Tanzu Observability supports direct authentication for user accounts and service accounts.

  • User accounts must authenticate with a user name and password.

    • If your Wavefront instance isn’t onboarded to VMware Cloud services, users with the Accounts permission can invite new users and then manage the user accounts, for example, by adding them to groups with specific roles. Super Admin users can invite new Super Admin users. Users authenticate with Wavefront accounts.
    • If your Wavefront instance is onboarded to VMware Cloud services, organization owners can invite new users by assigning them Tanzu Observability service roles. Users with the Accounts permission can then manage the user accounts, for example, by adding them to groups with specific roles. Users authenticate with VMware accounts.
  • Service accounts must authenticate with a token.

    A service account is usually used to perform management tasks. Service accounts can’t perform the UI operations that all user accounts can perform by default. There’s no limit on the number of service accounts that you can create in your organization.

Self-Service SAML SSO

If your company uses a supported SAML SSO provider, you can integrate it with your Wavefront instance.

For Non-VMware Cloud Services Customers

You can choose from the supported self-service SAML SSO providers or request multi-tenant SSO support.

You can use the authentication provided by Tanzu Observability or use one of the supported authentication integrations. Tanzu Observability supports several authentication solutions including:

We also support self-service SAML SSO setup. After the administrator sets up self-service SAML SSO, users will log in to the Wavefront instance by using the identity provider that the administrator has set up instead of using a password. New users who did not exist in the Wavefront instance are auto-created when they authenticate for the first time.

If a customer’s chosen authentication solution supports two-factor authentication, Tanzu Observability requires two-factor authentication for login.

For VMware Cloud Services Customers

If your Wavefront instance is onboarded to VMware Cloud services, you can federate your organization with your enterprise domain for dynamic (connectionless) or connector-based authentication.

Multi-Tenant SSO

Large customers can request multi-tenant SSO. Multi-tenancy is set up jointly by the administrator at the customer site and the Tanzu Observability Technical Support team.

Users in different teams inside the company can authenticate to different tenants and cannot access the other tenant’s data.
