
Saturday, October 6, 2018

Integrating A Cloud Instance Of VMware Identity Manager With Active Directory

In a previous post I detailed how to integrate a local AD environment with a SaaS based instance of AirWatch using VMware Enterprise Systems Connector. For this post, I'm going to leverage the very same install of Enterprise Systems Connector to deploy the vIDM Connector component. Getting the vIDM Connector deployed and integrated with the local AD environment is a prerequisite for integrating vIDM with on-premises Horizon. For the following instructions, I'm going to assume you already have Enterprise Systems Connector stood up in your trusted network based on the process detailed in my previous post, Integrating A Cloud Instance Of Workspace One UEM (AirWatch) With Active Directory.



The graphic above details the capabilities of the VMware Identity Manager Connector component that's part of Enterprise Systems Connector. As with the AirWatch Cloud Connector component, it allows for an integration between your on-premises environment and the SaaS environment without having to poke inbound holes in any firewalls. All that's required for the integration between the vIDM SaaS instance and the vIDM Connector is outbound TCP 443 (HTTPS) from the vIDM Connector to the SaaS instance of vIDM. One caveat, covered later in this post: in the default inbound authentication mode, users' browsers are redirected to the connector itself at login time, so users must be able to reach the connector directly; switching the connector to outbound mode removes that requirement.

Installing The vIDM Connector Component


Back on the Windows server that has Enterprise Systems Connector installed, rerun the installer.



Click next on the welcome screen.



Since we want to add a feature to what's already installed, go with the modify option.



Select to add VMware Identity Manager Connector to the current install.



Select the default destination folder.



Allow for the JRE install if you're prompted for it.

Skip the outbound proxy configuration unless it's relevant for you.

Stick with the default port of 443 for the sake of simplicity. Leave unchecked the option for "Would you like to use your own SSL certificate?" That gives the connector a self-signed certificate, which is fine for a lab and for outbound mode (where users never connect to the connector directly). If you're going to leave the connector in inbound mode, where users' browsers are redirected to it, supply a certificate issued by a CA your clients trust here instead; otherwise they'll see the certificate warning I hit later in this post.



At the next screen, you'll get prompted for an activation code.  You need to grab the code from the cloud based vIDM instance.



Log into your vIDM environment. Navigate to Identity & Access Management --> Setup --> Connectors. Click Add Connector.



Add a descriptive name for the Connector.  Then click on the generate activation code option.



Copy and paste this activation code back into the installer. You'll also be asked for a connector admin password; keep it somewhere safe, since it's what you'd use later to configure the vIDM Connector directly from a browser.



Choose to run the service using a domain (AD) service account, and specify the username and password for that account. Use a dedicated, least-privileged domain account for this rather than a domain admin.



Now go ahead and kick off the installation.



Upon successful completion you'll see the Connector show up within the vIDM tenant.



Next, we have to associate this connector with a directory.

Binding To Your Local Active Directory Environment 


Before creating your AD directory, ensure the user attributes you need are enabled under the user attributes settings (see the screenshot below). If you don't set this properly ahead of time, you won't be able to change it after creating the directory. To make changes to the enabled attributes, you'd have to blow the directory away and recreate it, so take care of it properly ahead of time.


After confirming your attributes are straight, proceed to Identity & Access Management --> Manage --> Directories.  


Click Add Directory. 


Select the option for, "Add Active Directory over LDAP/IWA."


Add the name of your directory. Ensure your vIDM Connector is selected as the Sync Connector. Choose Yes for "Do you want this Connector to also perform authentication." Then scroll down a bit and you'll get prompted for an account to bind with. Enter the bind account name in user principal name format, something like username@your_domain.com. Use a dedicated account for this: the connector only needs to read the directory for sync, and it stores the bind password, so binding as a domain admin is unnecessary exposure.


Hit Save & Next. 


Next, select the relevant domain. 



Confirm proper attributes are selected. 



Enter the group DNs to sync.



Enter the user DNs to sync. 



Click on Sync Directory.



Confirm the sync operation completed. 
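Before clicking Sync Directory, it's worth checking from the connector host that the bind account and the DNs you're about to enter actually behave the way the wizard assumes. The following PowerShell function is an added example (mine, not part of the original post and not VMware tooling): it performs a simple LDAP bind with the UPN-format account exactly as the directory wizard requires, flags the bind account if it sits in a privileged group, and counts the users and groups each DN will pull in, reporting users with no userPrincipalName (an attribute vIDM maps by default) so they can be fixed before the first sync. The domain lab.local comes from this post; the account name svc_vidm and the OU names are assumptions.

```powershell
function Test-VidmDirectoryScope {
    param(
        [Parameter(Mandatory)][string]$Domain,                 # AD DNS name, e.g. lab.local
        [Parameter(Mandatory)][pscredential]$BindCredential,   # UPN-format user, as the wizard requires
        [string[]]$UserDns  = @(),                             # the "user DNs to sync" you plan to enter
        [string[]]$GroupDns = @()                              # the "group DNs to sync" you plan to enter
    )
    Add-Type -AssemblyName System.DirectoryServices
    $upn  = $BindCredential.UserName
    $pass = $BindCredential.GetNetworkCredential().Password

    # 1. Bind the way the connector will: simple LDAP bind with a UPN. Reading NativeObject
    #    forces the bind, so a wrong password or a locked/disabled account throws right here.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain", $upn, $pass)
    $null = $root.NativeObject

    # 2. Least privilege: the bind account only ever reads, so flag membership in groups
    #    that would turn a leaked bind password into a domain compromise.
    $self   = New-Object System.DirectoryServices.DirectorySearcher($root, "(userPrincipalName=$upn)", [string[]]@('memberOf'))
    $found  = $self.FindOne()
    $groups = if ($found) { @($found.Properties['memberOf']) } else { @() }
    $privileged = @($groups | Where-Object {
        $_ -match '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators|Account Operators),'
    })

    # 3. Preview each DN with the same filters a directory sync would use. Users without a
    #    userPrincipalName are reported separately so they can be fixed before the first sync.
    $targets = @($UserDns  | ForEach-Object { @{ Type = 'Users';  DN = $_; Filter = '(&(objectCategory=person)(objectClass=user))' } }) +
               @($GroupDns | ForEach-Object { @{ Type = 'Groups'; DN = $_; Filter = '(objectClass=group)' } })
    $scope = foreach ($entry in $targets) {
        try {
            $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/$($entry.DN)", $upn, $pass)
            $s = New-Object System.DirectoryServices.DirectorySearcher($base, $entry.Filter, [string[]]@('userPrincipalName'))
            $s.PageSize = 1000   # paged results, so scopes larger than the server size limit are counted fully
            $results = $s.FindAll()
            $missingUpn = 0
            if ($entry.Type -eq 'Users') {
                $missingUpn = @($results | Where-Object { $_.Properties['userPrincipalName'].Count -eq 0 }).Count
            }
            [pscustomobject]@{ Type = $entry.Type; DN = $entry.DN; Count = $results.Count; MissingUpn = $missingUpn; Error = $null }
            $results.Dispose()
        } catch {
            # A mistyped DN, or one the bind account cannot read, surfaces here instead of as a silent empty sync.
            [pscustomobject]@{ Type = $entry.Type; DN = $entry.DN; Count = 0; MissingUpn = 0; Error = $_.Exception.Message }
        }
    }

    [pscustomobject]@{
        BindUpn          = $upn
        BindSucceeded    = $true
        PrivilegedGroups = $privileged   # should be empty for a sync/bind account
        Scope            = @($scope)
    }
}

# Usage (assumed account and OU names; LAB.LOCAL is the domain used in this post):
Test-VidmDirectoryScope -Domain 'lab.local' `
    -BindCredential (Get-Credential -UserName 'svc_vidm@lab.local' -Message 'vIDM bind account') `
    -UserDns  'OU=Users,DC=lab,DC=local' `
    -GroupDns 'OU=Groups,DC=lab,DC=local' | Format-List
```

Run it on the connector server so the LDAP path it exercises is the one the connector will use. A non-empty PrivilegedGroups list means you should swap in a dedicated read-only account before saving the directory; an Error on a DN means the wizard's sync would have come back empty for that container.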



By default, after creating a directory and associating it with our vIDM Connector, the connector authenticates AD users in inbound mode, which means users' browsers connect directly to the vIDM Connector located on the trusted network. Here's what a login looks like in my environment while the connector is still in inbound mode. After selecting that I want to authenticate to the LAB.LOCAL domain, I'm redirected to a URL for the enterprise connector. So here's the initial login to my SaaS instance.



After selecting to log in to my AD domain, my browser is redirected to the vIDM Connector I've just set up, entconnect.lab.local. In my environment, I haven't set up a certificate yet, so I initially get this error regarding the SSL cert on my vIDM Connector.



After clicking to continue to the website, I get a login screen for my local AD environment. 



After entering in my domain credentials properly, I'm successfully logged into my Workspace One portal.
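The two network facts in this post (the connector only needs outbound 443 to the tenant, and in inbound mode users' browsers land on the connector's own certificate) can both be verified from the connector server with the same handshake check. The following PowerShell function is an added example, not part of the original post and not VMware tooling: it opens a TCP session to a host on 443, completes a TLS handshake, and then evaluates the presented certificate against the local trust store, reporting whether it is self-signed, whether the name matches, and whether the chain is trusted. The tenant host name yourtenant.vmwareidentity.com is a placeholder to replace with your own; entconnect.lab.local is the connector name used in this post.

```powershell
function Get-TlsEndpointInfo {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $info   = [ordered]@{ Host = $HostName; Port = $Port; TcpConnected = $false }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        # Plain TCP first: this is the "outbound 443" the connector needs. It connects direct,
        # so if the connector must use the outbound proxy from the installer, this test will
        # fail here even though the connector itself works through the proxy.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to ${HostName}:$Port timed out" }
        $client.EndConnect($async)
        $info.TcpConnected = $true

        # Complete a TLS handshake while accepting any certificate, so the server cert can be
        # inspected; trust is evaluated explicitly with X509Chain below, not by this callback.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)   # evaluated against THIS machine's trust store

        # Names the cert is valid for: SAN entries plus the subject CN, for certs without a SAN.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        $info.Protocol     = $ssl.SslProtocol.ToString()
        $info.Subject      = $cert.Subject
        $info.Issuer       = $cert.Issuer
        $info.NotAfter     = $cert.NotAfter
        $info.SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        $info.NameMatches  = ($names -contains $HostName)
        $info.ChainTrusted = $chainOk
        $info.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $info.Healthy      = $chainOk -and $info.NameMatches -and ($cert.NotAfter -gt (Get-Date))
    } catch {
        $info.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
    [pscustomobject]$info
}

# Leg 1: connector host -> SaaS tenant (placeholder tenant name; substitute your own).
# Healthy=True here is the outbound-443 requirement satisfied, including trust of the tenant's chain.
Get-TlsEndpointInfo -HostName 'yourtenant.vmwareidentity.com'

# Leg 2: browser -> connector, which only matters in inbound mode. entconnect.lab.local is the
# connector in this post; SelfSigned=True / ChainTrusted=False is the warning shown above.
Get-TlsEndpointInfo -HostName 'entconnect.lab.local'
```

Run the second check from a client machine as well as from the server, since the question for inbound mode is whether user browsers trust the connector's certificate, not whether the server trusts itself.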



If you want folks to authenticate against vIDM in the cloud, rather than having their browsers redirected to the vIDM Connector, you can enable outbound mode. In outbound mode the connector keeps a persistent outbound connection to the SaaS instance and password authentication requests are relayed to AD over that connection, so the connector no longer needs to be reachable by users at all, and the certificate warning above goes away with it.

Setting Up Outbound Mode 


We can enable outbound mode by associating our new Connector with the Built-In identity provider.   Navigate to Identity And Access Management --> Manage --> Identity Providers. 


Click on the hyperlink for Built-in.  Select the relevant directory and network ranges.  Then scroll down. 



Under Connectors, select your new vIDM Connector.   Then click on the, "Add Connector," button. 



You'll now have the option to select Connector Authentication Methods. Select the option for "Password (cloud deployment)."



After changing your access policy rules (Identity & Access Management --> Manage --> Policies) to use the Password (cloud deployment) authentication method, users authenticate against the AD environment directly from the SaaS instance, with the request relayed over the connector's outbound connection, without having their browser redirected to the vIDM Connector. Your transition to outbound mode is complete.



With your vIDM Connector integration with your local AD environment complete, you can now proceed to integrate vIDM with your on premise Horizon environment according to these instructions, Integrating A Cloud Instance Of VMware Identity Manager With On Premise Horizon.
