Core vIDM Components


VMware Identity Manager’s framework enables it to cover several different authentication and authorization use cases simultaneously. This framework consists of three core vIDM components that allow VMware Identity Manager to:

This flexibility stems from the relationship between the core vIDM components:


Directory

Users populate into a directory in four main ways:

  • Sync users from Active Directory or another LDAP directory
  • Manually create a local directory
  • Use Just-In-Time provisioning
  • Sync users from VMware AirWatch Enterprise Mobility Management

Identity Provider

There are three main types of Identity Providers:

Workspace IDP

  • Credential validation: vIDM Connector
  • Users redirect to the vIDM connector for authentication. Post-authentication, users redirect to the vIDM console for authorization.
  • Created when a connector registers with the vIDM tenant.

Built-In IDP

  • Credential validation: vIDM Console
  • Users redirect to an authenticated endpoint, hosted in the same location as the vIDM console.
  • Available by default with each tenant.

Third-Party IDP

  • Credential validation: third-party identity provider (ADFS, Okta, Ping, etc.)
  • Users redirect to a third-party IDP for authentication. Post-authentication, users redirect back to the vIDM console for authorization.
  • Creates a SAML trust between vIDM and the third-party IDP to securely delegate authentication.

Authentication Policy

An authentication policy evaluates an authentication request’s set of conditions, and provides one or more supported authentication methods based on the evaluated conditions. This is often referred to as conditional access.

Authentication Methods

Support for authentication methods differs between identity providers. For example:

Authentication Method      Required IDP      Other Requirements
Mobile SSO                 Built-In          vIDM portal hosts the KDC authentication endpoint
Kerberos Authentication    vIDM Connector    Network connection with on-premise Active Directory

Authentication Workflow

This authentication workflow demonstrates the role each core vIDM component plays during authentication.

1. Discover the user’s directory. The vIDM tenant’s directory configuration determines the discovery process:

  • In a Single-Directory configuration the authentication request defaults to the configured directory.
  • In a Multiple-Directory configuration the end user selects the directory from a drop-down menu.

2. Discover the Identity Provider. vIDM uses the selected directory and the request’s source network to:

  • Evaluate which identity providers can confirm the incoming request’s credentials.
  • Evaluate the authentication methods supported for this request.

3. Select the Authentication Policy. vIDM evaluates the request’s conditions:

  • Evaluates the request’s target application, source network, client type, etc.
  • Selects the first authentication policy whose conditions the request meets.

4. Select the Authentication Method. vIDM evaluates the selected policy against the request:

  • Evaluates the authentication methods the policy makes available.
  • Evaluates the authentication methods the incoming request supports.
  • Selects the first authentication method that satisfies both. If the policy contains no authentication method the incoming request supports, the request fails.

5. Authorize the request. vIDM evaluates the user’s permissions against the request:

  • Evaluates whether the authenticating user can access the requested application.
  • Grants or denies access.
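The five steps above, traced through in code. This is an added example, not code from the VMware post or from vIDM itself: the directory, IDP, network, policy and entitlement tables are constructed sample data with hypothetical names, and the first-match semantics for policies and methods follow the workflow as the post describes it.

```python
# Added example, not code from the VMware post: a model of the five-step vIDM
# workflow above. Directories, IDPs, policies, users and methods are constructed.
TENANT_DIRECTORIES = ["corp.example"]   # one entry = Single-Directory (step 1)
# Step 2: IDPs per directory, the networks each serves, the methods each offers.
DIRECTORY_IDPS = {"corp.example": ["WorkspaceIDP", "BuiltInIDP"]}
IDP_NETWORKS = {"WorkspaceIDP": {"INTERNAL"}, "BuiltInIDP": {"INTERNAL", "EXTERNAL"}}
IDP_METHODS = {"WorkspaceIDP": {"kerberos", "password"},  # vIDM Connector
               "BuiltInIDP": {"mobile_sso", "password"}}  # vIDM console
# Step 3: ordered policies; "*" matches any value, first match wins.
POLICIES = [
    {"name": "internal-browser", "app": "*", "network": "INTERNAL",
     "client": "browser", "methods": ["kerberos", "password"]},
    {"name": "managed-mobile", "app": "*", "network": "*",
     "client": "ios", "methods": ["mobile_sso"]},
    {"name": "default", "app": "*", "network": "*",
     "client": "*", "methods": ["password"]},
]
ENTITLEMENTS = {"alice": {"salesforce"}}  # Step 5: user -> entitled apps


def _matches(condition, value):
    return condition == "*" or condition == value


def authenticate(request):
    """Walk the workflow; return ("granted", method) or ("denied", reason)."""
    # Step 1: a single directory is the default; multiple need a selection.
    directory = (TENANT_DIRECTORIES[0] if len(TENANT_DIRECTORIES) == 1
                 else request.get("directory"))
    # Step 2: IDPs for this directory reachable from the source network.
    idps = [i for i in DIRECTORY_IDPS.get(directory, [])
            if request["network"] in IDP_NETWORKS[i]]
    offered = set().union(*(IDP_METHODS[i] for i in idps))
    # Step 3: first policy whose conditions the request meets.
    policy = next((p for p in POLICIES
                   if _matches(p["app"], request["app"])
                   and _matches(p["network"], request["network"])
                   and _matches(p["client"], request["client"])), None)
    if policy is None:
        return "denied", "no matching authentication policy"
    # Step 4: first policy method an IDP offers and the client supports.
    method = next((m for m in policy["methods"]
                   if m in offered and m in request["client_methods"]), None)
    if method is None:
        return "denied", f"policy {policy['name']}: no supported method"
    # Step 5: authorization against the user's entitlements.
    if request["app"] not in ENTITLEMENTS.get(request["user"], set()):
        return "denied", f"{request['user']} not entitled to {request['app']}"
    return "granted", method
```

Note how the same user and application yield Kerberos on the internal network but fall through to the default password policy externally, and how a mobile client that cannot perform Mobile SSO is rejected at step 4 even though it holds a valid password.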

The post Core vIDM Components appeared first on VMware End-User Computing Blog.
