Hi all,
We have a small challenge in the following situation.
We have a top-level domain and 6 child domains:
top.local
- Domain1.top.local
- Domain2.top.local
- Domain3.top.local
- Domain4.top.local
- Domain5.top.local
- Domain6.top.local
All of them are in one datacenter, and all the domains are in the same network.
What we are trying to accomplish is that users at the location of Domain 3 log into their thin clients with their UPN and then log into the VMware IDM 3.0 portal.
They now need to log in twice (once to the thin client, a second time to IDM). They really want to have SSO implemented in their environment.
So we configured Kerberos authentication.
The situation in IDM is also that we have 1 connector for all the domains.
When we have, as above, 2 domains enabled, like domain3.top.local & top.local,
and we log in to a thin client / VDI:
We log in:
Then we open a browser (chrome)
We need to fill in the username / user principal name in order to log in
And we press "Volgende" or "Next"
We get into the portal (without entering a password! So single sign-on works, except for the username part)
When we go back to the configuration of the connector and configure it for only 1 domain:
only for top.local in this case:
We go back to the VDI / thin client:
We log in again with the same credentials:
We open the browser again and fill in the URL:
And when we press enter:
It works as we expect and how we want it to work!
So this is only possible if there is one domain. With multiple domains it is not... We are not able to create a connector per domain (strangely enough).
Any suggestions are welcome!
Thanks in advance
Hi..
This is by design as of today. We are investigating whether we can change the behaviour in the future. I do not have any commitments or a timetable today.
Hi Peter,
Thanks for your response, we are now trying ADFS, but now we encounter the following:
Any tips?
When we want to use ADFS instead of username / password...
We are one step further... but when we authenticate (we still need to fill in username/password) we get:
So what is happening here? Is ADFS configured as a 3rd-party IdP in vIDM?
What do your 3rd-party IdP settings look like? What do your access policies look like?
Any difference if you are doing IdP-initiated or SP-initiated?
Hi Peter,
Yes, we have ADFS configured as a 3rd-party IdP in vIDM
Basically we have done as stated in the VMware documentation: https://www.vmware.com/pdf/vidm-adfs-integration.pdf
We also started over completely, implementing ADFS step by step throughout the document.
When we do the SAML metadata: Process IdP Metadata, it successfully retrieves the information from ADFS.
We have the following Authentication Methods:
And we use Windows Authentication for the policy:
At this moment we are unable to authenticate anymore...
Please reconfigure the integration according to my blog post here: VMware Identity Manager using Azure AD as 3rd party Identity Provider - Horizon Tech Blog - VMware B...
It says AAD, but everything can be done the same with ADFS; just how ADFS is configured is different. The most important thing is how the authN methods are set up.
Thanks! We will try and I will let you know as soon as possible
No luck so far.
Received error in SAML response...
Tried several ways of configuring ADFS.
I'm pretty booked for the rest of the year, but please reach out to me privately and we'll try to find a free slot to do a remote session and have a look.
Thanks to Peter we solved the issue!
The problem occurred due to a certificate which is imported during the ADFS configuration to VMware IDM.
The installation manual states that you should not install this certificate, but this certificate is installed without notice.
So the solution is, after the installation/configuration of the ADFS relying party to IDM, to remove the installed certificate from the ADFS relying party afterwards.
I will write an updated blog installing VMware IDM with ADFS SSO configuration with all these steps.
When ready I will post the link here.
Peter, thanks for all your help & effort in this case!
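The fix described in the post above, expressed as an AD FS PowerShell check and change. This is an added example, not code from the thread or from VMware's documentation. It assumes the relying party trust for vIDM is named "vIDM" (hypothetical name) and that the certificate the post refers to is the encryption certificate AD FS picks up from the vIDM SAML metadata (the post does not name which certificate it is; with an encryption certificate present AD FS encrypts the assertion, which is one way to end up with "error in SAML response" on the vIDM side). Run on the AD FS server as an AD FS administrator.

```powershell
# Added example (not from the thread). Assumed: relying party trust display name "vIDM",
# and that the unwanted certificate is the relying party's encryption certificate.
Import-Module ADFS

$rpName = "vIDM"   # hypothetical display name of the relying party trust for vIDM

# 1. Inspect what the metadata import left behind on the relying party trust.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
"EncryptClaims         : $($rp.EncryptClaims)"
"EncryptionCertificate : $($rp.EncryptionCertificate.Subject)"
"AutoUpdateEnabled     : $($rp.AutoUpdateEnabled)"

# 2. Stop AD FS from encrypting the assertion for this relying party, and switch off the
#    periodic metadata refresh so the certificate is not silently imported again later.
#    (The certificate itself can also be removed on the Encryption tab of the trust in the
#    AD FS management console; disabling EncryptClaims is enough to stop it being used.)
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -EncryptClaims $false `
    -AutoUpdateEnabled $false `
    -MonitoringEnabled $false

# 3. Verify before testing the login again.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($rp.EncryptClaims) { throw "Assertions for $rpName are still being encrypted" }
"OK: assertions for $rpName will be signed but not encrypted"
```

Capturing the `Get-AdfsRelyingPartyTrust` output before and after the change is worth doing: if the relying party is later re-created from metadata, the same comparison shows immediately whether the certificate came back.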
We are still struggling to get it working completely.
Now it works from endpoint to IDM (SSO), but now SSO to the application does not work anymore...
I have my idea about that: from ADFS -> IDM we use the e-mail address, and from the endpoint -> IDM perspective this works perfectly, i.e. you can authenticate with e-mail... but e-mail is also used within IDM to authenticate to the applications, and that does not work as it tries to authenticate with the e-mail address...
Now, thinking of that, I have used within the portal e-mail -> UPN; that seems to work for portal authentication, but we don't know if that also works for starting applications (we are not able to test it, because we need to do it outside office hours).
I think it is wise, from the ADFS -> IDM perspective, to have more attributes in the first place... is that something you should use in general? (we didn't succeed in getting this to work....)
Are there other ways to have IDM authenticate to the application?
Any thoughts about this?
Thanks
It looks like AD FS (3.0) -> vIDM (3.0) only works with just one claim rule.
We have it working with UPN now (we need to test applications), but we can now authenticate to the portal through UPN.
But whenever we add another claim rule, IDM stops and says Unable to Authenticate...
Going step by step through the ADFS-IDM manual does not give a working result, unfortunately...
I assume this is by design... but I don't know; has anyone used this with multiple claim rules?
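The single-claim-rule setup the post above describes as working (UPN sent to vIDM), written out as an AD FS PowerShell configuration so it can be reproduced and compared against a later rule set. This is an added example, not code from the thread or from VMware; it assumes the relying party trust is named "vIDM" (hypothetical) and that vIDM matches the incoming SAML Name ID against the user's userPrincipalName, as the post indicates. The rule here is one custom rule that looks up userPrincipalName in Active Directory and issues it directly as the Name ID; the thread does not say which rule template the poster used.

```powershell
# Added example (not from the thread). Assumed: relying party trust display name "vIDM";
# vIDM is set to match the SAML Name ID against userPrincipalName.
Import-Module ADFS

$rpName = "vIDM"   # hypothetical display name of the relying party trust for vIDM

# Keep a copy of the rules currently in place, so the working baseline can be restored
# if a later addition breaks the login again.
$before = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$before | Out-File -FilePath "$env:TEMP\vidm-rules-before.txt"

# One issuance transform rule: take the Windows account name AD FS already holds for the
# authenticated user, query Active Directory for userPrincipalName, and issue that value
# as the SAML Name ID.
$rules = @'
@RuleName = "UPN from AD as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Authorization rule: let every authenticated user through; vIDM's own access policy
# (Windows authentication / 3rd-party IdP, as configured earlier in the thread) decides the rest.
$authz = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $rules `
    -IssuanceAuthorizationRules $authz

# Show the rule set now in force; add further rules one at a time and re-run this
# so the rule that triggers "Unable to Authenticate" on the vIDM side can be identified.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

When adding further claims, the AD FS rule language allows several statements in one `IssuanceTransformRules` string, so "one claim rule" as the post describes it and "one rule set" are not the same thing; keeping the baseline file lets you roll back to the known-good state with `Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRulesFile "$env:TEMP\vidm-rules-before.txt"`.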
I have created a blog article about this subject: