Skip to main content

 

Support Multiple Authentication Use Cases with VMware Identity Manager (vIDM)


VMware Identity Manager‘s framework enables it to simultaneously cover several different authorization and authentication use cases. vIDM’s flexibility stems from the relationship between its core components. Its directories, identity providers, and authentication policies can support a wide range of authentication methods.

Review the role of each component below:


Directories

A vIDM tenant can contain several user directories, each with different schemas and sync sources.

  • Schema – Attributes that populate to each user profile. Includes the subset of attributes required to create a user within that directory.
  • Source of Truth – Location users sync from.

Take a more detailed look at the primary ways to populate a directories:


Identity Providers

There are three main types of identity providers (IDPs). A vIDM tenant can create and maintain multiple identity providers of each type.


Authentication Policies

An authentication policy evaluates an authentication request’s set of conditions, and provides one or more supported authentication methods based on the evaluated conditions. This is often referred to as conditional access.

Authentication Methods

Support for authentication methods differs between identity providers. For example:


vIDM Authentication Workflow

This authentication workflow demonstrates the role each core vIDM component plays during authentication. 



[learn_more caption=”Take a closer look at how vIDM’s components interact during authentication.”]

1. Discover the user’s directory. [box]The vIDM tenet’s directory configuration determines the discovery process:

  • In a Single-Directory configuration the authentication request defaults to the configured directory.
  • In a Multiple-Directory configuration the end user selects the directory from a drop-down menu.[/box]

2. Discover the Identity Provider. [box]vIDM uses the selected directory and the request’s source network to:

  • Evaluate which identity providers can confirm the incoming request’s credentials.
  • Evaluate the authentication methods supported for this request.[/box]

3. Select Authentication Policy. [box]vIDM evaluates request conditions:

  • Evaluates the request’s target application, source network, client type, etc.
  • Selects the first authentication policy that meets these conditions.[/box]

4. Select Authentication Method. [box]vIDM evaluates the policy against the request:

  • Evaluates the authentication policy’s available authentication methods.
  • Evaluates the authentication methods the incoming request supports.
  • Selects the first authentication method that meets these conditions. If the policy does not contain any authentication methods the incoming request supports, the request fails.[/box]

5. Authorization. [box]vIDM evaluates user permissions against the request.

  • Evaluates if the authenticating user can access the requested application.
  • Grants or denies access.[/box]

[/learn_more]

vIDM Authentication FAQ

[learn_more caption=”How do I enable multi-factor authentication?”]

Associate a user directory with multiple identity providers to enable multi-factor authentication. This requires users to supply credentials to more than one identity provider to access resources.


[/learn_more] [learn_more caption=”Can I assign multiple directories to a single IDP?”]

A single identity provider could validate user credentials from multiple directories. For example, you can use vIDM Connector to sync with multiple Active Directories. [/learn_more][learn_more caption=”Should I limit my IDP’s availability?”]

Configure your identity provider’s availability to remain open to all networks, or only accept requests from defined networks. Consider limiting availability to incoming requests in the following scenarios:

  • The identity provider can only accept requests from within the internal networks
  • There are different identity providers located across regions.

[/learn_more][learn_more caption=”How do I support authentication for users from different directories and networks?”]

Configure authentication policies with multiple authentication methods to handle credentials for a given application’s different users. That way, if one authentication method fails for a user, the policy can use the next available method.[/learn_more]



Comments

Post a Comment

Popular posts from this blog

Quick Guide to VCF Automation for VCD Administrators

  Quick Guide to VCF Automation for VCD Administrators VMware Cloud Foundation 9 (VCF 9) has been  released  and with it comes brand new Cloud Management Platform –  VCF Automation (VCFA)  which supercedes both Aria Automation and VMware Cloud Director (VCD). This blog post is intended for those people that know VCD quite well and want to understand how is VCFA similar or different to help them quickly orient in the new direction. It should be emphasized that VCFA is a new solution and not just rebranding of an old one. However it reuses a lot of components from its predecessors. The provider part of VCFA called Tenenat Manager is based on VCD code and the UI and APIs will be familiar to VCD admins, while the tenant part inherist a lot from Aria Automation and especially for VCD end-users will look brand new. Deployment and Architecture VCFA is generaly deployed from VCF Operations Fleet Management (former Aria Suite LCM embeded in VCF Ops. Fleet Management...
Post a Comment
Read more
  Issue with Aria Automation Custom form Multi Value Picker and Data Grid https://knowledge.broadcom.com/external/article?articleNumber=345960 Products VMware Aria Suite Issue/Introduction Symptoms: Getting  error " Expected Type String but was Object ", w hen trying to use Complex Types in MultiValue Picker on the Aria for Automation Custom Form. Environment VMware vRealize Automation 8.x Cause This issue has been identified where the problem appears when a single column Multi Value Picker or Data Grid is used. Resolution This is a known issue. There is a workaround.  Workaround: As a workaround, try adding one empty column in the Multivalue picker without filling the options. So we can add one more column without filling the value which will be hidden(there is a button in the designer page that will hide the column). This way the end user will receive the same view.  
Post a Comment
Read more
  "Cloud zone insights not available yet, please check after some time" message on Aria Automation https://knowledge.broadcom.com/external/article?articleNumber=314894 Products VMware Aria Suite Issue/Introduction Symptoms: The certificate for Aria operations has been replaced since it was initially added to Aria Automation as an integration. When accessing the Insights pane under  Cloud Assembly  ->  Infrastructure  ->  Cloud Zone  ->  Insights  the following message is displayed:   "Cloud zone insights not available yet, please check after some time." The  /var/log/services-logs/prelude/hcmp-service-app/file-logs/hcmp-service-app.log  file contains ssl errors similar to:   2022-08-25T20:06:43.989Z ERROR hcmp-service [host='hcmp-service-app-xxxxxxx-xxxx' thread='Thread-56' user='' org='<org_id>' trace='<trace_id>' parent='<parent_id>' span='<span_id>'] c.v.a.h.a.common.AlertEnu...
Post a Comment
Read more