What’s New in VMware Identity Manager, Cloud – October 2015 Release
This overview of new technology represents no commitment from VMware to deliver these features in any other generally available product or service.
Welcome to the first of our “What’s New in Identity Manager” blog series. In this blog, we will provide an update about new features in VMware Identity Manager and address some of the most commonly asked questions.
Before we begin, we encourage you to watch the VMware Identity Manager video for an overview of the VMware Identity Manager solution.
In October, we were excited to announce the release of the following features in our cloud version:
- Inbound SAML just-in-time (JIT) provisioning
- Authentication-method chaining
- Single sign-out from third-party identity providers
- New data centers in the Europe and Asia Pacific regions
Now, we will go into more detail about the new features introduced in October.
Inbound SAML Just-In-Time Provisioning
With JIT provisioning, you can use a SAML assertion to create users on demand the first time they try to log in to VMware Identity Manager. This eliminates the need to create user accounts in advance. For example, if you recently added a partner user or an employee, you do not need to manually create the user in VMware Identity Manager. When they log in with single sign-on using a third-party SAML identity provider, their user account is automatically created for them, eliminating the time and effort of onboarding the user. You can both create and modify user accounts this way. Because JIT provisioning uses SAML to communicate, your tenant must be configured with a third-party SAML identity provider such as ADFS, Ping Federate, or Google Apps.
Q. When using the SAML JIT provisioning feature, do you need to also deploy the VMware Identity Manager connector to connect to Active Directory?
A. No. The JIT provisioning feature can be used with or without the VMware Identity Manager connector.
Q. When should you use the VMware Identity Manager connector versus the SAML JIT provisioning feature?
A. The VMware Identity Manager connector synchronizes user information from the Active Directory into the VMware Identity Manager service at regular intervals.
Use the VMware Identity Manager connector when you want to
- Set up a user in VMware Identity Manager before the user logs in the first time
- Disable or delete the user in VMware Identity Manager when the user is disabled or deleted in Active Directory
Use SAML JIT provisioning when you
- Already use a third-party identity provider (IdP) connected to Active Directory, and do not want to deploy another connector for Active Directory
- Want to integrate with user repositories other than Active Directory, such as Google Apps
- Do not want users to have to wait to log in until the connector synchronization job is complete; the job runs every 24 hours
Q. Can the JIT provisioning feature be used with other cloud directories?
A. The JIT provisioning feature can be used to connect to other cloud directories that act as a SAML IdP, such as Google for Work or Azure AD. If you are using a 100% cloud deployment of these directories (not synchronized from on-premises AD), you can use this feature to log users in to VMware Identity Manager using Google or Azure AD credentials, and create or update users on demand at login time.
Q. How do you configure the JIT provisioning feature of VMware Identity Manager?
A. The SAML JIT provisioning feature is accessible through the Identity Providers tab in the VMware Identity Manager administration console. When creating or editing a third-party IdP, an administrator can enable JIT provisioning in VMware Identity Manager and define the user directory and domains where users will be provisioned and authenticated. For more details, refer to the VMware Identity Manager Administration Guide.
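The following is an added illustration of the create-or-update step that SAML JIT provisioning performs; it is not VMware's code. It assumes the assertion's signature has already been verified upstream, uses a constructed sample assertion, and models the "user directory and domains" setting as a trusted issuer plus an allow-list of domains: an assertion from an untrusted issuer, or for a user outside the enabled domains, is rejected rather than provisioned.

```python
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not real IdP output); the Signature element is
# omitted because signature verification is assumed to happen before this step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class JitProvisioner:
    """Hypothetical JIT handler: trusted_issuer and allowed_domains stand in for
    the third-party IdP and the domains enabled for provisioning."""

    def __init__(self, trusted_issuer, allowed_domains):
        self.trusted_issuer = trusted_issuer
        self.allowed_domains = {d.lower() for d in allowed_domains}
        self.users = {}  # in-memory stand-in for the tenant's user directory

    def provision(self, assertion_xml):
        root = ET.fromstring(assertion_xml)
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        if issuer != self.trusted_issuer:
            raise ValueError("assertion is not from the configured IdP")
        name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if not name_id or "@" not in name_id:
            raise ValueError("NameID must be a user@domain value")
        domain = name_id.rsplit("@", 1)[1].lower()
        if domain not in self.allowed_domains:
            raise ValueError(f"domain {domain} is not enabled for JIT provisioning")
        # Only attributes the directory schema knows are copied; anything else is ignored.
        attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                 for a in root.iterfind(".//saml:Attribute", namespaces=NS)}
        key = name_id.lower()
        created = key not in self.users
        user = self.users.setdefault(key, {"userName": name_id})
        user.update({k: v for k, v in attrs.items() if k in ("firstName", "lastName")})
        return "created" if created else "updated"
```

A second login with changed attributes updates the existing record instead of creating a duplicate, which is the "create and modify" behaviour described above.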
Authentication-Method Chaining
Authentication-method chaining allows you to mix and match authentication methods to create your own authentication chain. For example, you can set up an authentication policy to first authenticate using an AD username and password, and then pass the authenticated username to a second authentication method, such as RADIUS. You can even apply the second authentication method from another IdP. For example, you can use the VMware Identity Manager connector to authenticate using AD, and then use the SafeNet IdP to authenticate, for two-factor authentication (2FA). The authentication fallback feature continues to work with authentication chaining.
Previously in Identity Manager, you could use only one primary authentication method (such as username and password, Kerberos, Certificate, RADIUS, RSA SecurID, or others). If one authentication method failed, you could revert (or fall back) to a secondary authentication method to complete the login. But, you could not apply two authentication methods in sequence. For two-factor authentication, it was required that the primary authentication method perform the two-factor authentication.
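As an added example (not VMware's implementation), the policy evaluator below models the two behaviours described above: methods within a chain run in sequence and must all succeed, while a failed chain falls back to the next one. The method functions and credential stores are constructed stand-ins; the point to note is that the second factor checks the username the first step authenticated, not a username the client supplies.

```python
# Constructed credential stores standing in for AD, a RADIUS server and RSA SecurID.
AD_PASSWORDS = {"jdoe": "correct horse"}   # username -> password
RADIUS_OTPS = {"jdoe": "123456"}           # username -> one-time code
SECURID_TOKENS = {"jdoe": "654321"}        # username -> token code


def ad_password(ctx, creds):
    """First factor: AD username/password. Returns the authenticated username or None."""
    user = creds.get("username")
    return user if user in AD_PASSWORDS and AD_PASSWORDS[user] == creds.get("password") else None


def radius(ctx, creds):
    """Second factor: the username is taken from the previous step in the chain."""
    user = ctx.get("username", creds.get("username"))
    return user if RADIUS_OTPS.get(user) == creds.get("otp") else None


def rsa_securid(ctx, creds):
    user = ctx.get("username", creds.get("username"))
    return user if SECURID_TOKENS.get(user) == creds.get("token") else None


def authenticate(policy, creds):
    """policy: list of chains; each chain is a list of methods applied in order.
    Every method in a chain must succeed. If any step fails, the whole chain
    fails and evaluation falls back to the next chain. Returns the username or None."""
    for chain in policy:
        ctx = {}  # per-chain context carrying the authenticated username forward
        for method in chain:
            user = method(ctx, creds)
            if user is None:
                break
            ctx["username"] = user
        else:
            return ctx["username"]
    return None


# Policy: AD password then RADIUS; fall back to AD password then RSA SecurID.
POLICY = [[ad_password, radius], [ad_password, rsa_securid]]
```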
Single Sign-Out from Third-Party Identity Providers
When using a third-party IdP to authenticate users into VMware Identity Manager, you can now sign users out of the third-party IdP when they sign out (log out) of VMware Identity Manager. This can be configured in two ways:
- If the third-party IdP supports the SAML single sign-out profile, then VMware Identity Manager can send the SAML message to sign out the user from the IdP.
- If the third-party IdP does not support SAML single sign-out, then you can redirect the user to the IdP’s sign-out endpoint or page; if that endpoint supports a post-sign-out redirect, you can then redirect the user back to the VMware Identity Manager login page.
To configure this feature, navigate to Identity Provider configuration, and enable the single sign-out check box, as shown in the following figure.
New Data Centers in Europe and Asia Pacific Regions
The VMware Identity Manager service is now available in the European Union (EU) and Asia Pacific regions. For the European region, the primary data center is in Germany, with a failover site in the United Kingdom. For Asia Pacific, the primary data center is in Australia, with a failover site in Japan.