Core vIDM Components


VMware Identity Manager’s framework enables it to cover several different authentication and authorization use cases simultaneously. This framework consists of three core vIDM components (directories, identity providers and authentication policies) that allow VMware Identity Manager to:

This flexibility stems from the relationship between the core vIDM components:

Directories

Users populate into a directory in four main ways:

  • vIDM Connector: syncs users from Active Directory or another LDAP directory.
  • vIDM SAML: uses Just-In-Time provisioning.
  • REST-API: manually create a local directory.
  • SCIM: syncs users from VMware AirWatch Enterprise Mobility Management.

Identity Provider

There are three main types of Identity Providers:

Workspace IDP
  • Credential Validation: vIDM Connector.
  • Authentication: Users redirect to the vIDM connector for authentication. Post-authentication, users redirect to the vIDM console for authorization.
  • Establishment: Created when a connector registers with the vIDM tenant.

Built-In IDP
  • Credential Validation: vIDM Console.
  • Authentication: Users redirect to an authenticated endpoint, hosted in the same location as the vIDM console.
  • Establishment: Available by default with each tenant.

Third-Party IDP
  • Credential Validation: 3rd-party identity provider (ADFS, Okta, Ping, etc.).
  • Authentication: Users redirect to a third-party IDP for authentication. Post-authentication, users redirect back to the vIDM console for authorization.
  • Establishment: Creates a SAML trust between vIDM and the third-party IDP to securely delegate authentication.

Authentication Policy

An authentication policy evaluates an authentication request’s set of conditions, and provides one or more supported authentication methods based on the evaluated conditions. This is often referred to as conditional access.

Authentication Methods

Support for authentication methods differs between identity providers. For example:

  • Mobile SSO: requires the Built-In IDP; the vIDM portal hosts the KDC authentication endpoint.
  • Kerberos Authentication: requires the vIDM Connector; requires a network connection to on-premises Active Directory.

Authentication Workflow

This authentication workflow demonstrates the role each core vIDM component plays during authentication.

1. Discover the user’s directory. The vIDM tenant’s directory configuration determines the discovery process:

  • In a Single-Directory configuration, the authentication request defaults to the configured directory.
  • In a Multiple-Directory configuration, the end user selects the directory from a drop-down menu.

2. Discover the Identity Provider. vIDM uses the selected directory and the request’s source network to:

  • Evaluate which identity providers can confirm the incoming request’s credentials.
  • Evaluate the authentication methods supported for this request.

3. Select the Authentication Policy. vIDM evaluates the request’s conditions:

  • Evaluates the request’s target application, source network, client type, etc.
  • Selects the first authentication policy that meets these conditions.

4. Select the Authentication Method. vIDM evaluates the policy against the request:

  • Evaluates the authentication policy’s available authentication methods.
  • Evaluates the authentication methods the incoming request supports.
  • Selects the first authentication method that meets these conditions. If the policy does not contain any authentication method the incoming request supports, the request fails.

5. Authorize the request. vIDM evaluates user permissions against the request:

  • Evaluates whether the authenticating user can access the requested application.
  • Grants or denies access.
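The workflow above, modelled as a small first-match policy engine so the ordering rules (first matching policy, first mutually supported method, then entitlement) can be seen on concrete requests. This is an added example written for this page, not VMware code: the IDP, policy and entitlement records, their field names and the sample tenant are all constructed, and step 1 (directory discovery) is taken as already done, so each request simply carries its directory.

```python
# Constructed model of the vIDM evaluation order described above; names
# and sample values are hypothetical, not VMware code or configuration.
ANY = frozenset()  # an empty condition set means "no restriction" here

def _ok(allowed, value):
    return allowed == ANY or value in allowed

def available_methods(idps, req):
    """Step 2: union of methods from IDPs serving this directory and network."""
    return {m for i in idps
            if _ok(i["directories"], req["directory"]) and _ok(i["networks"], req["network"])
            for m in i["methods"]}

def select_policy(policies, req):
    """Step 3: first policy whose app/network/client conditions all match."""
    return next((p for p in policies
                 if _ok(p["apps"], req["app"]) and _ok(p["networks"], req["network"])
                 and _ok(p["clients"], req["client"])), None)

def select_method(policy, req, offered):
    """Step 4: first policy method the client supports and an IDP offers."""
    return next((m for m in policy["methods"]
                 if m in req["client_methods"] and m in offered), None)

def evaluate(idps, policies, entitlements, req):
    """Steps 2-5; returns (outcome, policy name, method, reason)."""
    policy = select_policy(policies, req)
    if policy is None:
        return ("denied", None, None, "no policy matches the request")
    method = select_method(policy, req, available_methods(idps, req))
    if method is None:
        return ("denied", policy["name"], None, "policy offers no method the client supports")
    if req["app"] not in entitlements.get(req["user"], set()):
        return ("denied", policy["name"], method, "user not entitled to the application")
    return ("allowed", policy["name"], method, "ok")

# Constructed sample tenant: a Workspace IDP reachable only from the internal network, plus the Built-In IDP.
IDPS = [
    {"name": "Workspace IDP", "directories": {"corp"}, "networks": {"INTERNAL"}, "methods": {"Kerberos", "Password"}},
    {"name": "Built-In IDP", "directories": {"corp"}, "networks": ANY, "methods": {"Mobile SSO", "Password"}},
]
POLICIES = [  # order matters: the first matching policy wins
    {"name": "internal-web", "apps": ANY, "networks": {"INTERNAL"}, "clients": {"Web Browser"}, "methods": ("Kerberos", "Password")},
    {"name": "default", "apps": ANY, "networks": ANY, "clients": ANY, "methods": ("Mobile SSO",)},
]
ENTITLEMENTS = {"alice": {"salesforce"}}  # hypothetical user and app

def sample_request(network, client, methods, app="salesforce"):
    return {"user": "alice", "directory": "corp", "network": network, "client": client, "app": app, "client_methods": methods}
```

An external browser that can only do password authentication is denied at step 4 here, because the only policy it matches offers Mobile SSO alone; that is the failure mode the text describes.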

The post Core vIDM Components appeared first on VMware End-User Computing Blog.
