Welcome to this Blog Article, which explains the configuration of Single Sign On to the VMware IDM 3.0 portal with the use of ADFS (version 3.0).
Why should I use ADFS for SSO integration to VMware IDM? Well, there is one scenario which will force you to do so, SSO to IDM is a standard functionality and this works great, but there is only one caveat : multi-domain configuration.
In the current project we encountered this problem, because in a single-domain configuration, SSO works great! But when we enable more domains, then every time you go to the portal, you get the question “Hey, who are you? Please identify yourself!” And then you need to supply you’re credentials (only Username / User Principal Name) password is being passed through then.
The “lack” of functionality in multi-domain will be implemented in the future for VMware IDM. But at this moment, there is no possible way to get it done…is it? Well, there is one (working) solution to get it working though! Here comes AD FS (Active Directory Federation Services) in place, with AD FS as a third party identity provider it is possible to use SSO (through ADFS) with VMware IDM, also in a multi-domain configuration!
Well, I will explain this configuration in this blog. There is documentation from VMware which helps you through the installation/configuration, but you really need to check things and there is some description about certificates what is not very clear which causes the problems, so I hope this blog helps you through the whole proces without pain.
This article is based on a already configured – up-and-running- ADFS 3.0 and VIDM 3.0 Installation.
This article only described the way of creating an Identity Provider in VMware IDM and creating a Relying Party within ADFS 3.0
Unfortunately, this does not work for Horizon 6.x, you need to have Horizon 7.x at minimum! You need to use True SSO for this to work and that only works with vIDM 2.6 or higher and Horizon 7.x
Part One – Directory Configuration
VMware Identity Manager 3.0 Configuration.
We assume that Identity Manager is installed already, and this blog assumes / requires you to have version 2.6 at minimum is installed. (Identity Manager 2.6 is the minimum, in this guide I used IDM 3.0)
First, go to the Identity Manager portal <https://<idm-portal>/SAAS/login/0
Go to Identity&Access Management -> Directories:
Click “Add Directory”
Click “Add Directory over LDAP/IWA”
Give the Directory a logical name. I called it like my top-level domain : top.local
Select the appropriate Active Directory (in my case IWA)
I use UserPrincipalName for Directory Search Attribute
Fill in the Join Domain Details and click Save & Next
Select the domains which need to be added and click Next
Select the User Attributes which need to be mapped (I leave them default) and click Next:
Select the Groups (if needed) and click Next:
Select the Users to sync and Click Next:
I use the DNs from all domains, click Save&Sync
Part Two – Identity Provider
The Next item is to add the third-party-identity Provider : AD FS. In order to do this, go to Manage -> Identity Providers:
Click “Add Provider” -> “Create Third Party IDP”:
In the Create Third Party IDP Screen, give the Identity Provider a name, for example : ADFS and fill in the SAML Metadata URL from ADFS, example : https://<ADFS-FQDN>/FederationMetadata/2007-06/FederationMetadata.xml and click Process IdP Metadata:
After Clicking on Process IdP Metadata, the SAML information is retrieved from AD FS:
The only thing is, this information above is not needed, so we alter the first entry and change it to : urn:oasis:names:tc:SAML:1.1:name-id-format:unspecified and with Name ID Value : userPrincipalName
The other two values, we just remove.
This will result in the following:
Name ID Policy in SAML Request (Optional) is not needed to be altered.
Just in Time User Provisioning we do not use at this point, so I did not enable it.
Users must be selected ofcourse and the Network Range(s) from which this IdP can be accessed from:
In the Authentication Methods section, we need to define authentication Methods to be used by IdM to authenticate the user with. Give the Authentication Methods logical names as these are needed in the Policy Section from IdM. In the Policy Settings you define which of these settings are being used to authenticate the user with.
I have created two authentication Methods, one is still a password :
ADFS-Test-Password : urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
ADFS-Test-UPN : urn:federation:authentication:windows
Single Sign Out Configuration I did not configure. This will be done in a later post, so I leave it as is : Not enabled :
The last part is for the AD FS Configuration, you can click the SAML Metadata link in order to use in the AD FS Configuration
You can open the link, copy the content and use it in AD FS, or you can copy the URL of the Metadata from IdP and use the URL in AD FS
And the last step in the configuration of the Connector is to save the information, click Add to (save) add the connector to the IDM configuration:
Part Three : AD FS Configuration
AD FS Configuration.
We begin with the configuration of AD FS. We assume you have AD FS Configured already.
First, open AD FS and go to Trust Relationships -> Relying Party Trusts:
Right-Click and select “Add Relying Party Trust…”:
In the Welcome to the Add Relying Party Trust Wizard, click Start to begin
In the Select Data Source, select the preferable way to add IDM to AD FS, in my Lab I used the previously downloaded sp.xml file from IDM. Click Next to continue.
In the Specify Display Name screen, give a Display Name for IDM, in my lab I used “IDM 3.0”:
In the Configure Multi-factor Authentication Now screen, leave the default and click Next to continue:
In the Choose Issuance Authorization Rules screen, Leave the Permit all users to access this relying party selected and click Next to continue:
In the Ready to Add Trust screen, nothing has to be changed, so click Next to Continue:
In the Finish Screen, untag the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes… we do the Claim Rules later. Click Close to continue:
In the AD FS Main screen, right click the relying party trust IDM 3.0 and click “Properties” :
In the Properties screen, go to “Encryption” Tab and click “Remove”
The Certificate needs to be removed in order to function correctly with IDM, without doing this step, IDM cannot communicate with AD FS, because the data is encrypted from AD FS to IDM.
When requested to remove the certificate, choose “Yes”
After removing the Certificate, the screen should look like this:
When this setting is applied (certificate removed) click OK to close this dialog
The next step is to create the Claim Rules for passing the User Principal Name to IDM.
Right Click the Relying Party Trust “IDM 3.0” and click Edit Claim Rules…
There should be no claim rules defined. To start, click Add Rule:
Select Send LDAP Attributes as Claims and click Next
Give the Claim Rule a name, for instance UPN (in this case, we specifically use UPN)
Select Attribute Store : Active Directory
Choose for Mapping of LDAP Attribute : User-Principal Name
Choose for Mapping Outgoing Claim Type : UPN
Click Finish to create the rule
In the Edit Claim Rules screen, the just created rule is visble, at this point, we need to create a custom transform rule to translate the information from Active Directory to SAML for use in the IDM Portal. Click Add Rule…
Select in the Choose Rule Type screen : Send Claims Using a Custom Rule.
Give the Claim rule a logic name, in my Lab I called this Rule : UPN Transform Rule.
In the Custom Rule Text Box, you need to enter the rule which translates from Active Directory to SAML language
c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”]
=> issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier”, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties[“http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format”] = “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”, Properties[“http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier”] = “<IDM-Portal-URL>“);
Replace <IDM-Portal-URL> for the URL used for IDM , in my lab it is : idmtest.top.local
And click Finish to save the information.
We should have a screen like this:
We are finished now for configuring AD FS!
Part Four – IdM Policies
Now the Directory, Identity Provider, AD FS have been configured, it is time to configure the policies in order to let the user logon with AD FS Single Sign On.
In the VMware IDM Portal, go to Identity & Access Management -> Policies.
The is the default_access_policy_set, click on that to edit the default policy:
For your own administration give the policy a description.
To edit the policy, click the first rule (Web Browser) The Authentication Method : Password (Local Directory) (in blue)
Edit the Policy rule according to the needs …
…and select the corresponding Authentication Methods, created earlier in the Identity Provider ADFS
I have selected the First Authentication Method : ADFS-Test-UPS
The Backup Authentication Method : ADFS-Test-Password:
Click OK when Done
And Click Save to Save the new Policy:
Now everything is set from an ADFS / vIDM perspective to enable Single Sign On for use with VMware Horizon 7.x, don’t forget to check that True SSO is Enabled in Horizon (!)
Thanks for reading and till the next Blog!