Hello everyone. We’re back together after a long break. Today I will talk about VMware Identity Manager (vIDM), which is a core component of Workspace ONE.
I will explain the installation and configuration in an on-premise environment.
What is VMware Identity Manager?
VMware Identity Manager is the name of the appliance that runs Workspace ONE.
It is also a software layer that resides in the appliance that provides identity-related components, including authentication for users who single sign-on to resources in VMware Workspace ONE. You can create a set of policies that relate to networking and authentication to control access to these resources.
Deployment Options for On-Premise VMware Identity Manager
vIDM can be deployed on both Windows and Linux.
The Windows version can be installed on Windows Server 2008 R2, 2012 R2, or 2016.
The Linux-based virtual appliance runs SUSE Linux Enterprise 11 and ships as a ready-made virtual appliance. (The Linux-based appliance is used in this article.)
Deploy VMware Identity Manager Appliance
The vIDM appliance requires both forward (A-record) and reverse (PTR-record) DNS records.
vIDM is sensitive to time differences between itself and the systems it integrates with. Therefore, confirm that Time Configuration is set up and running on the ESXi host(s) on which vIDM will reside. When integrating vIDM with Active Directory, the ESXi servers and the domain controllers must sync their time to the same source.
Deploy the Virtual Appliance
Once all prerequisites are in place and you have downloaded the vIDM Storage Virtual Appliance (SVA) from my.vmware.com, you are ready to begin the deployment process. Click here to view system and network configuration requirements.
To start the deployment process, click “Deploy from OVF Template” in the corresponding ESXi.
- Deploy the Virtual Appliance:
- Select Template:
- Select Datacenter to Place Appliance:
- Select Cluster to Place Appliance:
- Accept License Agreements:
- Select Storage Placement:
NOTE: In production environment, it is recommended to use shared storage.
- Select Network:
- Customize Template:
- Click on Finish and complete deployment:
VMware Identity Manager Appliance Setup Wizard
Once the OVA file has been deployed, the remainder of the initial setup takes place in the GUI based Identity Manager Appliance Setup Wizard.
Once the installation is complete, we launch the administration console. Our appliance is vIDM02, so the address we connect to is vidm-02.corp.local.
- To start the VMware Identity Manager Appliance Setup wizard, click on Continue.
- In the first step, passwords are set for different administrative accounts. Then click on Continue.
NOTE: The root account is not granted SSH access to the appliance.
- vIDM comes with an embedded PostgreSQL database and also supports an external SQL database. Embedded databases are not recommended in production environments because they do not provide high availability. (We will be using the embedded database in this article.)
- Setting up the database takes a few minutes.
- Confirm the Setup is complete and click on the Log into the administration console link.
Configuration of VMware Identity Manager
Now we will learn how to complete the configuration process using the Administration Console.
When we go to the address given above and log in with the admin password, we will see a screen like this:
The dashboard section gives us an overview of the utilization, health, and wellness of the environment.
vIDM uses the User Attributes defined in your identity source to filter which users and groups are synchronized with vIDM.
Identity & Access Management tab -> Setup -> User Attributes
In certain cases a specific User Attribute is required to integrate with another solution. For example:
distinguishedName: must be set for a vIDM directory that is mapped to Active Directory.
userPrincipalName: required for Horizon integration.
We mark these two attributes in the User Attributes list and click Save. Then we click the Manage button in the upper right corner.
Now we will add a directory. vIDM supports Active Directory, LDAP, and Local Users directories.
Note that if LDAP is selected as the identity source, there will be some restrictions. For example, you cannot join vIDM to an LDAP domain. Click here for more information.
Add Directory -> Add Active Directory over LDAP/IWA
When we choose this, we will see two options.
- Active Directory over LDAP: connects the vIDM connector to Active Directory using simple Bind authentication.
- Active Directory (Integrated Windows Authentication): connects the vIDM connector to Active Directory using Integrated Windows Authentication.
Enter a name for the directory, choose Active Directory (Integrated Windows Authentication), then scroll down for the other settings.
vIDM cannot write or modify objects within Active Directory, so the Bind user account only requires read access to the user and group objects you wish to sync. If the Bind user account expires, it must be reset in Active Directory.
VMware recommends using a BIND password that does not expire in order to avoid affecting the health of the vIDM environment.
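The two Bind-account conditions just described (a password that does not expire, and read-only access) are easy to verify before the account is entered in the wizard. The following PowerShell is an added example, not from the original article or from VMware; it assumes the ActiveDirectory module is available and uses a hypothetical account name, svc-vidm-bind.

```powershell
# Added example (not from the original article): pre-flight checks for the
# AD Bind account before it is entered in the vIDM directory wizard.
# Assumes the ActiveDirectory module; 'svc-vidm-bind' is a hypothetical name.
Import-Module ActiveDirectory

function Test-VidmBindAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $props = 'Enabled','LockedOut','PasswordExpired','PasswordNeverExpires',
             'msDS-UserPasswordExpiryTimeComputed'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $u.Enabled)    { $findings.Add('account is disabled') }
    if ($u.LockedOut)       { $findings.Add('account is locked out') }
    if ($u.PasswordExpired) { $findings.Add('password has expired; reset it in AD, then update vIDM') }

    # VMware's recommendation above: a Bind password that does not expire.
    if (-not $u.PasswordNeverExpires) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -and $raw -lt [long]::MaxValue) {
            $when = [DateTime]::FromFileTime($raw)
            $findings.Add("password expires on $when; directory sync will fail after that date")
        }
    }

    # Least privilege: read access is all vIDM needs, so the account should not
    # be in any privileged group, directly or through nested membership.
    $privileged = 'Domain Admins','Enterprise Admins','Schema Admins',
                  'Administrators','Account Operators'
    foreach ($g in $privileged) {
        $member = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                  Where-Object { $_.SamAccountName -eq $SamAccountName }
        if ($member) { $findings.Add("account is a (nested) member of '$g'; use a read-only account instead") }
    }

    [pscustomobject]@{
        Account  = $SamAccountName
        Ready    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

Test-VidmBindAccount -SamAccountName 'svc-vidm-bind' | Format-List
```

Ready is true only when no finding was raised; the Findings list tells you what to correct in AD before the wizard's bind test is attempted.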
- Select the domain.
Add the DN of the groups you would like vIDM to query.
Confirm that “Sync nested group members” is checked, then click the “+” symbol and enter your query. Click Find Groups.
29 groups match the DN criteria. Now specify which of these 29 groups you would like to sync to vIDM.
- Click on Select.
- Enter the group name, select the group, then save.
- Repeat the process for users.
Review the numbers for the groups and users. If there is a mistake, you can correct it with “Edit User DNs” and “Edit Group DNs”.
After checking, click Sync Directory.
So we have completed the vIDM configuration. It’s been quite a long article, but I hope it will be useful. Thanks for reading! 😊
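Before clicking Sync Directory it helps to reproduce the wizard's numbers from the AD side: how many groups sit under the Group DN, how many unique users the nested expansion yields, and which of them lack the userPrincipalName attribute marked earlier. The PowerShell below is an added example, not from the original article; it assumes the ActiveDirectory module, and the OU and group names are hypothetical.

```powershell
# Added example (not from the original article): preview what the vIDM
# directory sync will pull from AD before clicking "Sync Directory".
# Assumes the ActiveDirectory module; the DN and group names are hypothetical.
Import-Module ActiveDirectory

function Get-VidmSyncPreview {
    param(
        [Parameter(Mandatory)][string]$GroupSearchBase,   # DN entered under Group DNs
        [Parameter(Mandatory)][string[]]$GroupsToSync     # groups selected in the wizard
    )

    # Groups under the DN: this is the count the wizard shows (29 in the article).
    $candidates = @(Get-ADGroup -SearchBase $GroupSearchBase -Filter *)

    # "Sync nested group members" expands groups recursively; do the same here.
    $users = foreach ($g in $GroupsToSync) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties userPrincipalName, Enabled
    }
    $users = @($users | Sort-Object DistinguishedName -Unique)

    # userPrincipalName was marked in User Attributes earlier (needed for
    # Horizon); users without it are listed so the sync numbers can be explained.
    $missingUpn = @($users | Where-Object { [string]::IsNullOrEmpty($_.UserPrincipalName) })
    $disabled   = @($users | Where-Object { -not $_.Enabled })

    [pscustomobject]@{
        GroupsUnderDn   = $candidates.Count
        GroupsSelected  = $GroupsToSync.Count
        UsersToSync     = $users.Count
        UsersMissingUpn = $missingUpn.SamAccountName
        DisabledUsers   = $disabled.SamAccountName
    }
}

Get-VidmSyncPreview -GroupSearchBase 'OU=Groups,DC=corp,DC=local' `
                    -GroupsToSync 'vIDM-Users','Horizon-Users' | Format-List
```

Compare UsersToSync with the user count the wizard shows; a mismatch usually points at a DN typo or a user object missing a required attribute.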