[Deep Dive] What’s New in VMware Identity Manager 3.0
VMware Workspace ONE integrates VMware Identity Manager access control and application management with VMware AirWatch unified endpoint management (UEM) technology into a single platform. Available as a cloud service or for on-premises deployments, the Workspace ONE platform enables IT to deliver and manage any app on any device. Now, with the release of Identity Manager 3.0, it’s easier than ever to support advanced deployment options!
What’s New in VMware Identity Manager 3.0
Today’s deep dive provides technical details and video demos of the key features released in VMware Identity Manager 3.0. This section also briefly covers the other features introduced in the release. After the deep dive, there’s a section about key compatibility, upgrade and installation considerations. The post concludes with links to additional resources.
New! VMware Identity Manager 3.0 Features
VMware Identity Manager 3.0 Deep Dive
Watch this video to learn about some of the important features in VMware Identity Manager 3.0. The video provides a verbal description and a configuration demo of each feature. The sections below give additional details about the features covered in the deep dive.
First, define the external access management system as an application source type. Then, add multiple apps of this type to the catalog. The application source definition contains the SAML contract details between Identity Manager and these external access management systems.
Support for Multiple Apps from the Identity Manager Catalog
Identity Manager now supports adding apps from the catalog multiple times. Admins can add multiple copies using the templates in the global catalog. This simplifies the adoption of multiple instances of a web application, such as Salesforce, that might be used by different lines of business or for different purposes within the organization.
Refresh Token Timeout
Create a more intuitive authentication experience for the Workspace ONE app with the Idle Token Time-to-Live (TTL) setting. This setting adapts the app’s authentication behavior based on how often individuals use Workspace ONE.
Previously, end users re-authenticated when their refresh token expired, which occurred at a static interval. For users expecting recognition and trust from frequently used technologies, this was a clunky experience. Now, Identity Manager recognizes consistent users and prompts them to re-authenticate less often. Identity Manager also recognizes inconsistent users and triggers re-authentication by revoking their refresh token.
In addition to the Workspace ONE app, this feature applies to any other OAuth client of Identity Manager. However, only the Workspace ONE app enables the settings by default. Applying the idle token TTL setting to custom apps requires manual enablement.
Idle TTL Token Use Case
This setting is appropriate for organizations that want to minimize hassle and increase employee productivity (i.e. everyone). However, for the purposes of examining the feature’s usefulness, let’s examine how it would work in a specific scenario: World-Wide Enterprises.
A large number of employees travel for work at World-Wide Enterprises, and require remote access to corporate resources. While generally pretty happy with the Workspace ONE app, employees in the field do find the re-authentication requests inconvenient. To address this usability concern, World-Wide Enterprises decides to take advantage of the new token refresh setting.
First, they increase the refresh token’s time value to three months. Then, they configure the refresh token’s idle time value. They want this value to accommodate the weekend inactivity of the typical 9-to-5 schedule while maximizing security. Ultimately, they set the timeout at four days. Now, after a weekend or a short holiday, employees can access Workspace ONE for up to three months without re-authenticating.
App Reordering (Desktop Browser Only)
Now, users can rearrange bookmarked applications on their Workspace ONE app portal Bookmarks page. Users start with an alphabetized app view but can move app tiles around to create a custom, personalized view. The new user-curated view is saved for future sessions.
What Else is New in Identity Manager 3.0?
The remaining features in the Identity Manager 3.0 release are listed below. (The features and descriptions were pulled from the 3.0 Release Notes.)
Support VMware Horizon HTML Access on Android Devices
Users can now launch VMware Horizon apps in a browser on Android devices from the Workspace ONE app (available for Android 7 and later).
Improved Sign-in Screens User Experience
Mobile device sign-in screens feature added animations, enhanced displays and improved error messages.
Enhanced In-App Search
Search applications by description, in addition to name and category.
Secure Certificate Authentication in the DMZ
Performing certificate authentication in the DMZ maintains the Identity Manager Connector in outbound-only mode. This prevents outside traffic from entering the internal network.
Support for Multiple Office 365 Tenants from Identity Manager Catalog
Manage multiple Microsoft Office 365 tenants with a single Identity Manager instance, simplifying adoption and management.
Improved VMware ThinApp Experience
View and launch individual VMware ThinApp package applications from the Catalog page. Additionally, bookmark and search for individual apps in the ThinApp package.
Encrypted SAML Assertions
Choose whether to encrypt the SAML assertions sent by the service. Encryption decreases the risk of user data being discovered through a compromised SAML assertion and increases security.
Support for Forced Authentication in SAML
Allow service providers and applications to force end users, even those holding a valid token, to re-authenticate. Forced authentication uses the SAML
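As an added illustration of the forced-authentication feature above (example code written for this post, not VMware's implementation), the following shows both halves of the exchange in SAML 2.0 terms: the identity provider reads the `ForceAuthn` attribute on the service provider's `samlp:AuthnRequest` and prompts for credentials even when a valid session exists, and the service provider verifies that the `AuthnInstant` in the returned assertion is newer than its request, since `ForceAuthn` is only a request and a careful relying party checks that it was honoured. The XML messages, identifiers and URLs are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_force_authn(authn_request_xml: str) -> bool:
    """Return True if the AuthnRequest asks the IdP to re-authenticate the user.

    Per SAML 2.0 the attribute is optional and defaults to false.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() == "true"


def idp_decision(authn_request_xml: str, session_authenticated_at) -> str:
    """Identity-provider side: decide whether to prompt for credentials.

    session_authenticated_at is None when the user has no IdP session;
    otherwise it is the time of their last interactive login.
    """
    if session_authenticated_at is None:
        return "prompt"              # no session at all
    if parse_force_authn(authn_request_xml):
        return "prompt"              # valid session, but SP insists on fresh auth
    return "sso"                     # silently reuse the existing session


def _parse_instant(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sp_authn_is_fresh(assertion_xml: str, request_sent_at: datetime) -> bool:
    """Service-provider side: confirm that forced authentication was honoured.

    The AuthnStatement's AuthnInstant must be at or after the moment the SP
    issued its ForceAuthn request; an older instant means the IdP reused a
    session and the SP should reject the response.
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f"{{{SAML_NS}}}AuthnStatement")
    if stmt is None or stmt.get("AuthnInstant") is None:
        return False
    return _parse_instant(stmt.get("AuthnInstant")) >= request_sent_at


# Constructed messages (not captured from any real deployment).
FORCED_REQUEST = f"""
<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed-req-1" Version="2.0"
    IssueInstant="2017-10-09T09:00:00Z" ForceAuthn="true"
    AssertionConsumerServiceURL="https://sp.example.com/acs">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
</samlp:AuthnRequest>
"""

NORMAL_REQUEST = FORCED_REQUEST.replace(' ForceAuthn="true"', "")

FRESH_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-assertion-1"
    Version="2.0" IssueInstant="2017-10-09T09:00:30Z">
  <saml:Issuer>https://idm.example.com</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2017-10-09T09:00:25Z"/>
</saml:Assertion>
"""

STALE_ASSERTION = FRESH_ASSERTION.replace(
    'AuthnInstant="2017-10-09T09:00:25Z"', 'AuthnInstant="2017-10-09T07:30:00Z"')

REQUEST_SENT_AT = datetime(2017, 10, 9, 9, 0, 0, tzinfo=timezone.utc)
EXISTING_SESSION = datetime(2017, 10, 9, 7, 30, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("IdP, forced request, live session :", idp_decision(FORCED_REQUEST, EXISTING_SESSION))
    print("IdP, normal request, live session :", idp_decision(NORMAL_REQUEST, EXISTING_SESSION))
    print("SP accepts fresh assertion        :", sp_authn_is_fresh(FRESH_ASSERTION, REQUEST_SENT_AT))
    print("SP accepts stale assertion        :", sp_authn_is_fresh(STALE_ASSERTION, REQUEST_SENT_AT))
```

In a real deployment the assertion's signature is verified before any of these attribute checks, and the SP would also match `InResponseTo` against the request ID; those steps are omitted here to keep the example focused on the forced-authentication semantics.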
Identity Manager Upgrade Considerations
To upgrade to Identity Manager 3.0, see “Upgrading to VMware Identity Manager.” During the upgrade, all services are stopped, so plan the upgrade with the expected downtime in mind.
On the Windows-based version of Identity Manager, updating Java also removes some security certificates. For this reason, Identity Manager on Windows does not support automatic updates of Java.
To update Java, run the updates manually or through the Identity Manager Installer. Once the update completes, reinstall the Java Unlimited Strength (JCE) policy files (if necessary), and restore the security certificates.
Restoring Security Certificates Post-Java Update
The way you restore the certificates depends on which update method you used.
Java Updated through Identity Manager Installer
Java Updated Manually
Transport Layer Security (TLS) 1.0 Disabled by Default
Beginning with Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update product configurations to use TLS 1.1 or 1.2.
Known issues with external products occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix or the load balancer in front of Identity Manager has a dependency on TLS 1.0, or if you are using the Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.