VMware Workspace ONE Community
wongcc
Contributor

vIDM SaaS - External and Internal names

Hi,

We set up TrueSSO successfully with an on-prem deployment of vIDM, but one issue is that we had to use an external DNS name that matches the vIDM internal name.

For example, our external organisation name is mydomain.com.  The internal domain name is int.mydomain.com, but because vIDM must be configured with the same external name as the appliance name, our external name for vIDM had to be vidm.int.mydomain.com rather than vidm.mydomain.com.

With vIDM SaaS, can we use the internet name vidm.mydomain.com? (We'll have multiple connectors with an internal name in the int.mydomain.com domain.) Or do we still face the same issue, and the internet name should be vidm.int.mydomain.com?

thanks,

CC


Accepted Solutions
pbjork
VMware Employee

Hi..

Your statement regarding vIDM only supporting one namespace is correct. But the appliance's FQDN does not have to match the external FQDN. In vIDM you can perform a change FQDN operation that will tell vIDM all users will use a different FQDN to access the Service. This is a hard requirement when deploying vIDM in a cluster. In a cluster, obviously, all nodes must have unique FQDNs.

When using vIDM SaaS, the domain is one of VMware's domains, e.g. vmwareidentity.com. You cannot use a custom FQDN. You can have a custom FQDN that points to something you host performing an HTTP 301 permanent redirect. So an example could be http://login.mycompany.com redirects users to https://mycompany.vmwareidentity.com.

I do not follow regarding the connectors. Using vIDM SaaS still uses local connectors for sync and some authN methods. Connectors are typically deployed using internal FQDNs. But when configuring the authN methods to use outbound only mode, users do not need to communicate with the connectors at all. All is handled by vIDM Service.
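
The redirect host described in the answer above, as an added example that is not part of the original thread or VMware's own code: a minimal Python redirector that answers every GET/HEAD with a 301 to one fixed tenant URL, so the vanity name cannot be turned into an open redirect. The tenant URL is the post's example value; `build_redirect`, `RedirectHandler`, `serve` and the port are hypothetical names chosen here.

```python
"""Fixed-target 301 redirector for a vanity login hostname (added example)."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumption: the tenant URL from the post's example; replace with your tenant.
TENANT_URL = "https://mycompany.vmwareidentity.com/"


def build_redirect(method, path, host_header):
    """Return (status, headers) for any request to the vanity host.

    The Location is a constant: the request path, the query string and the
    Host header are deliberately never copied into it, so a crafted link to
    the vanity name cannot bounce users to a site of someone else's choosing.
    """
    if method not in ("GET", "HEAD"):
        # Nothing should ever be submitted to the vanity name; refuse it.
        return 405, {"Allow": "GET, HEAD", "Content-Length": "0"}
    # Always an https:// target, even when the request arrived over http://.
    return 301, {"Location": TENANT_URL, "Content-Length": "0"}


class RedirectHandler(BaseHTTPRequestHandler):
    """Serves the fixed redirect for every method and every path."""

    def _reply(self):
        status, headers = build_redirect(
            self.command, self.path, self.headers.get("Host", ""))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _reply


def serve(bind="127.0.0.1", port=8080):
    """Run the redirector on a local port (constructed defaults)."""
    ThreadingHTTPServer((bind, port), RedirectHandler).serve_forever()


if __name__ == "__main__":
    serve()
```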
