Support Multiple Authentication Use Cases with VMware Identity Manager (vIDM)
VMware Identity Manager‘s framework enables it to simultaneously cover several different authorization and authentication use cases. vIDM’s flexibility stems from the relationship between its core components. Its directories, identity providers, and authentication policies can support a wide range of authentication methods.
Review the role of each component below:
A vIDM tenant can contain several user directories, each with different schemas and sync sources.
- Schema – Attributes that populate to each user profile. Includes the subset of attributes required to create a user within that directory.
- Source of Truth – Location users sync from.
Take a more detailed look at the primary ways to populate a directories:
There are three main types of identity providers (IDPs). A vIDM tenant can create and maintain multiple identity providers of each type.
An authentication policy evaluates an authentication request’s set of conditions, and provides one or more supported authentication methods based on the evaluated conditions. This is often referred to as conditional access.
Support for authentication methods differs between identity providers. For example:
Take a closer look at how vIDM's components interact during authentication.
1. Discover the user’s directory.
- In a Single-Directory configuration the authentication request defaults to the configured directory.
- In a Multiple-Directory configuration the end user selects the directory from a drop-down menu.
2. Discover the Identity Provider.
- Evaluate which identity providers can confirm the incoming request’s credentials.
- Evaluate the authentication methods supported for this request.
3. Select Authentication Policy.
- Evaluates the request’s target application, source network, client type, etc.
- Selects the first authentication policy that meets these conditions.
4. Select Authentication Method.
- Evaluates the authentication policy’s available authentication methods.
- Evaluates the authentication methods the incoming request supports.
- Selects the first authentication method that meets these conditions. If the policy does not contain any authentication methods the incoming request supports, the request fails.
- Evaluates if the authenticating user can access the requested application.
- Grants or denies access.
vIDM Authentication FAQ
How do I enable multi-factor authentication?
Can I assign multiple directories to a single IDP?
A single identity provider could validate user credentials from multiple directories. For example, you can use vIDM Connector to sync with multiple Active Directories.
Should I limit my IDP's availability?
Configure your identity provider’s availability to remain open to all networks, or only accept requests from defined networks. Consider limiting availability to incoming requests in the following scenarios:
- The identity provider can only accept requests from within the internal networks
- There are different identity providers located across regions.
How do I support authentication for users from different directories and networks?
Configure authentication policies with multiple authentication methods to handle credentials for a given application’s different users. That way, if one authentication method fails for a user, the policy can use the next available method.