Each organisation has its own security infrastructure and will want a VRE they set up to integrate into that. The VRE allows this to happen and does not dictate how you handle matters like authentication and authorisation.

The key aspect of this is the use of Keycloak to handle single sign on for applications that are deployed to a VRE. Keycloak is the basis of Red Hat's commercially supported product Red Hat SSO.  Once signed in with Keycloak you have access to all applications you are allowed to use, without needing to sign in again to each app. Keycloak allows the administrator to define how authentication happens. In the OpenRiskNet reference site we use federation using LinkedIn or GitHub accounts as we do not want to actively mange user accounts, but an organisation that has a mechanism for this (such as Active Directory, LDAP or a relational database) can configure Keycloak to use that instead. Keycloak is very flexible in how it can handle multiple mechanisms. General documentation on Keycloak can be found here and there is specific information on identity brokering and user storage federation.