Hi all,
We have a little challenge in the following situation.
We have a Top level Domain and 6 Child Domains:
top.local
- Domain1.top.local
- Domain2.top.local
- Domain3.top.local
- Domain4.top.local
- Domain5.top.local
- Domain6.top.local
In one Datacenter, and all the domains in the same network.
What we try to accomplish is that users on location of Domain 3, log into their thin clients with their UPN to the Thin Client and then log into VMware IDM 3.0 portal.
They now need to login twice (one time to the thin client, the second time to IDM). They really want to have SSO implemted in their environment.
So we configured Kerberos Authentication.
The situation is also in IDM that we have 1 connector for all the domains
When we have, as above have 2 domains enabled, like domain3.top.local & top.local.
And we login to a thin client / vdi :
We log in:
Then we open a browser (chrome)
We need to fill in username / user principal name in order to login
And we press "Volgende" or "Next"
We get into the portal (without entering Password! so Single Sign On works, except for the username part)
When we go back to the configuration of the Connector and we configure it for only 1 domain:
only for top.local in this case:
We go back to the vdi/thin client:
We log in again with the same credentials:
We open the browser again and fill in the URL:
And when we press enter:
It works as we expect and how we want it to work!
So only if there is one domain, then this is possible. With multiple domains not... We are not able to create a connector per domain (strangly enough)
Any suggestions are welcome!
Thanks in advance
Hi Peter,
Thanks for you're response, we are now trying with ADFS, but now we encounter the following :
Any tips?
When we want to use ADFS instead of username / password...
We are one step further... but when we authenticate (we still need to fill in username/password) then we get:
Hi Peter,
Yes, we have ADFS configured as 3rd Party iDP in vIDM
In basic we have done as stated in the VMware documentation : https://www.vmware.com/pdf/vidm-adfs-integration.pdf
We also started full over again with implementing the ADFS step by step throughout the document.
when we do the saml metadata : process IdP Metadata, it succesfully retrieves the information from ADFS.
We have the following Authentication Methods:
And we use Windows Authentication for the policy:
At this moment, we are unable to authenticate anymore...
No luck so far 
received error in saml response....
tried several ways in configuring adfs
We are still strugling to get it working in total.
Now it works from endpoint to IDM (SSO), but now SSO to the application does not work anymore...
I have my idea about that, because from ADFS -> IDM we use e-mail address, and from endpoint -> IDM Perspective this works perfectly i.e. you can authenticate with e-mail... but, e-mail is also being used within IDM to authenticate to the applications, and that does not work as it tries to authenticate with e-mail address...
Now, thinking of that, I have used within the portal e-mail -> UPN, that seems to work, for portal authentication, but we don't know if that also works for starting applications (not being able to test it, because we need to do it outside office hours).
I think it is wise from ADFS -> IDM perspective, to have more attributes in the first place... is that something what you should use in general? (we did't succeed in getting this to work....)
Are there other ways to have IDM authenticate to the application?
Any thoughts about this?
Thanks 