Core vIDM Components
VMware Identity Manager’s framework enables it to cover several different authentication and authorization use cases simultaneously. This framework consists of three core vIDM components that allow VMware Identity Manager to:
This flexibility stems from the relationship between the core vIDM components:
Directories
Users populate into a directory in four main ways:
Source | How users populate the directory
vIDM Connector | Syncs users from Active Directory or another LDAP directory
vIDM | Manually create a local directory
SAML | Uses Just-In-Time provisioning
REST-API SCIM | Syncs users from VMware AirWatch Enterprise Mobility Management
Identity Provider
There are three main types of Identity Providers:
 | Workspace IDP | Built-In IDP | Third-Party IDP
Credential Validation | vIDM Connector | vIDM Console | 3rd-party identity provider (ADFS, Okta, Ping, etc.)
Authentication | Users redirect to the vIDM connector for authentication. Post-authentication, users redirect to the vIDM console for authorization. | Users redirect to an authenticated endpoint, hosted in the same location as the vIDM console. | Users redirect to a third-party IDP for authentication. Post-authentication, users redirect back to the vIDM console for authorization.
Establishment | Created when a connector registers with the vIDM tenant. | Available by default with each tenant. | Creates a SAML trust between vIDM and the third-party IDP to securely delegate authentication.
Authentication Policy
An authentication policy evaluates an authentication request’s set of conditions, and provides one or more supported authentication methods based on the evaluated conditions. This is often referred to as conditional access.
Authentication Methods
Support for authentication methods differs between identity providers. For example:
Authentication Method | Required IDP | Other Requirements
Mobile SSO | Built-In | vIDM portal hosts the KDC authentication endpoint
Kerberos Authentication | vIDM Connector | Network connection with on-premises Active Directory
Authentication Workflow
This authentication workflow demonstrates the role each core vIDM component plays during authentication.
1. Discover the user’s directory. The vIDM tenant’s directory configuration determines the discovery process:
- In a Single-Directory configuration the authentication request defaults to the configured directory.
- In a Multiple-Directory configuration the end user selects the directory from a drop-down menu.
2. Discover the Identity Provider. vIDM uses the selected directory and the request’s source network to:
- Evaluate which identity providers can confirm the incoming request’s credentials.
- Evaluate the authentication methods supported for this request.
3. Select Authentication Policy. vIDM evaluates request conditions:
- Evaluates the request’s target application, source network, client type, etc.
- Selects the first authentication policy that meets these conditions.
4. Select Authentication Method. vIDM evaluates the policy against the request:
- Evaluates the authentication policy’s available authentication methods.
- Evaluates the authentication methods the incoming request supports.
- Selects the first authentication method that meets these conditions. If the policy does not contain any authentication methods the incoming request supports, the request fails.
5. vIDM evaluates user permissions against the request.
- Evaluates if the authenticating user can access the requested application.
- Grants or denies access.
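The five steps above as an added, runnable model (example code, not VMware's): the directory, networks, policies and entitlements are constructed sample data, and `authenticate` applies them in the post's order, so you can see first-match policy and method selection and the failure case where a policy offers no method the client supports.

```python
# Added illustration of the five-step vIDM authentication workflow above.
# Not VMware code: the directory, networks, policies and entitlements below
# are constructed sample data; a request is a dict of the fields vIDM evaluates,
# with the directory chosen in step 1 already filled in.

# Step 2 data: which IDP confirms credentials for a (directory, network) pair,
# and which authentication methods that IDP can perform.
IDP_FOR_DIRECTORY = {
    ("corp.example", "internal"): ("Workspace IDP", {"Kerberos", "Password"}),
    ("corp.example", "external"): ("Built-In IDP", {"Mobile SSO", "Password"}),
}

# Step 3 data: ordered policies; "*" in apps means any application.
POLICIES = [
    {"name": "kerberos-inside", "apps": {"*"}, "networks": {"internal"},
     "clients": {"browser"}, "methods": ["Kerberos", "Password"]},
    {"name": "mobile-sso", "apps": {"*"}, "networks": {"external"},
     "clients": {"workspace_one"}, "methods": ["Mobile SSO"]},
    {"name": "default", "apps": {"*"}, "networks": {"internal", "external"},
     "clients": {"browser", "workspace_one"}, "methods": ["Password"]},
]

# Step 5 data: applications each user is entitled to.
ENTITLEMENTS = {"alice": {"Salesforce", "Mail"}, "bob": {"Mail"}}

def authenticate(req: dict) -> tuple:
    """Return (granted, reason) following the post's evaluation order."""
    # Step 2: directory + source network select the IDP and its methods.
    idp = IDP_FOR_DIRECTORY.get((req["directory"], req["network"]))
    if idp is None:
        return False, "no identity provider for this directory/network"
    idp_name, idp_methods = idp
    # Step 3: the first policy whose conditions match the request wins.
    policy = next((p for p in POLICIES
                   if ("*" in p["apps"] or req["app"] in p["apps"])
                   and req["network"] in p["networks"]
                   and req["client"] in p["clients"]), None)
    if policy is None:
        return False, "no authentication policy matches this request"
    # Step 4: the first policy method that both the client and the IDP
    # support; if there is none the request fails, as the post states.
    method = next((m for m in policy["methods"]
                   if m in req["supported"] and m in idp_methods), None)
    if method is None:
        return False, f"policy {policy['name']} has no method this client supports"
    # Step 5: authorization, user entitlement to the requested application.
    if req["app"] not in ENTITLEMENTS.get(req["user"], set()):
        return False, f"{req['user']} is not entitled to {req['app']}"
    return True, f"{idp_name} / {policy['name']} / {method}"
```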
The post Core vIDM Components appeared first on VMware End-User Computing Blog.