Workspace ONE Access By Product Technical Guides VMware Workspace ONE

[Deep Dive] What’s New in VMware Identity Manager 3.0

VMware Workspace ONE integrates VMware Identity Manager access control and application management with VMware AirWatch unified endpoint management (UEM) technology into a single platform. Available as a cloud service or for on-premises deployments, the Workspace ONE platform enables IT to deliver and manage any app on any device. Now, with the release of Identity Manager 3.0, it’s easier than ever to support advanced deployment options!

Workspace ONE
Together, Identity Manager functionality and AirWatch UEM technology power the integrated Workspace ONE platform.

What’s New in VMware Identity Manager 3.0

[tabs slidertype=”simple”] [tab]

Today’s deep dive provides technical details and video demos of the key features released in VMware Identity Manager 3.0. This section also briefly covers the other features introduced in the release. After the deep dive, there’s a section about key compatibility, upgrade and installation considerations. The post concludes with links to additional resources.[box]

Identity Manager 3.0Key Features in Identity Manager 3.0

  • Application Sources
  • Support Multiple Applications
  • Refresh Token Timeout
  • Application Reordering



New! VMware Identity Manager 3.0 Features

[tabs slidertype=”simple”] [tab]

VMware Identity Manager 3.0 Deep Dive

Watch this video to learn about some of the important features in VMware Identity Manager 3.0. The video provides a verbal description and a configuration demo of each feature. Afterwards, use the arrows below the video to flip additional details about the features covered in the deep dive.


Application Sources

Use Application Sources to bring federated applications using an access management system, such as ADFS, PingFederate or Okta, into the Workspace ONE catalog.

First, define the external access management system as an application source type. Then, add multiple apps of this type to the catalog. The application source definition contains the SAML contract details between Identity Manager and these external access management systems.[/tab][tab]

Support for Multiple Apps from the Identity Manager Catalog

Identity Manager now supports adding apps from the catalog multiple times. Admins can add multiple copies using the templates in the global catalog. This simplifies the adoption of multiple instances of web applications, such as Salesforce that might be used by different lines of business or for different purposes within the organization.

This new feature can:IDM

  • Add and configure the same app multiple times in Global Catalog
  • Copy an app from the Apps page to the Global Catalog
  • Determine which app to launch by checking user entitlements


Refresh Token Timeout

Create a more intuitive authentication experience for the Workspace ONE app with the Idle Token Time-to Live (TTL) setting. This setting adapts the app’s authentication behavior based on how often individuals use Workspace ONE.

Previously, end users re-authenticated when their refresh token expired, which occurred at a static interval. For users expecting recognition and trust from frequently used technologies, this was a clunky experience. Now, Identity Manager recognizes consistent users, and prompts them to re-authenticate less often. Identity Manager also recognizes inconsistent users, and triggers re-authentication by revoking their refresh.

In addition to the Workspace ONE app, this feature applies to any other OAuth client of Identity Manager. However, only the Workspace ONE app enables the settings by default. Applying the idle token TTL setting to custom apps requires manual enablement.[/tab][tab]

Idle TTL Token Use Case

This setting is appropriate for organizations that want to minimize hassle and increase employee productivity (i.e. everyone). However, for the purposes of examining the feature’s usefulness, let’s examine how it would work in a specific scenario: World-Wide Enterprises.

A large number of employees travel for work at World-Wide Enterprises, and require remote access to corporate resources. While generally pretty happy with the Workspace ONE app, employees in the field do find the re-authentication requests inconvenient. To address this usability concern, World-Wide Enterprises decides to take advantage of the new token refresh setting.

First, they increase the refresh token’s time value to three months. Then, they configure the refresh token’s idle time value. They want this value to accommodate the weekend inactivity of the typical 9-to-5 schedule while maximizing security. Ultimately, they set the timeout at four days. Now, after a weekend or a short holiday, employees can access Workspace ONE for up to three months without re-authenticating.[/tab][tab]

App Reordering (Desktop Browser Only)

Now, users can rearrange bookmarked applications on their Workspace ONE app portal Bookmarks page. Users start with an alphabetized app view but can move app tiles around to create a custom, personalized view. The new user-curated view is saved for future sessions.[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

What Else is New in Identity Manager 3.0?

Use the arrows to flip through the remaining features in the Identity Manager 3.0 release. (The features and descriptions provided below were pulled from the the 3.0 Release Notes.) [/tab] [tab]

Support VMware Horizon HTML Access on Android Devices

Users can now launch VMware Horizon apps in a browser on Android devices from the Workspace ONE app (available for Android 7 and later).[/tab] [tab]

Improved Sign-in Screens User Experience

Mobile device sign-in screens feature added animations, enhanced displays and improved error messages.[/tab] [tab]

Enhanced In-App Search

Search applications by description, in addition to name and category.[/tab][tab]

Secure Certificate Authentication in the DMZ

Performing certificate authentication in the DMZ maintains the Identity Manager Connector in outbound-only mode. This prevents outside traffic from entering the internal network.


Support for Multiple Office 365 Tenants from Identity Manager Catalog

Manage multiple Microsoft Office 365 tenets with a single Identity Manager instance, simplifying adoption and management.

[/tab] [tab]

Improved VMware ThinApp Experience

View and launch individual VMware ThinApp package applications from the Catalog page. Additionally, bookmark and search for individual apps in the ThinApp package.[/tab] [tab]

Encrypted SAML Assertions

Choose whether to encrypt the SAML assertions sent by the service. Encryption decreases the risk of user data being discovered through a compromised SAML assertion and increases security.[/tab] [tab]

Support for Forced Authentication in SAML

Allow service providers and applications to force end users, even those holding a valid token, to re-authenticate. Forced authentication uses the SAML ForceAuthn attribute, or the OpenID Connect prompt=login parameter. [/tab][/tabs]

 Key Considerations

[tabs slidertype=”simple”] [tab]

Compatibility Considerations

[/tab][/tabs][tabs slidertype=”simple”] [tab]

Identity Manager Upgrade Considerations

To upgrade to Identity Manager 3.0, see “Upgrading to VMware Identity Manager.” During the upgrade, all services are stopped, so plan the upgrade with the expected downtime in mind.

  • Upgrading when integrated with Citrix Published Resources: Upgrade to Integration Broker 3.0.
  • Upgrading an Identity Manager cluster with Horizon 7 configured: Reconfigure Horizon as follows:[box]
    1. In the primary Identity Manager Connector, remove all the Horizon pods and add them back.
    2. Save and Sync.
    3. In the replica connectors, remove all the Horizon pods and add them back.
    4. Save.


  • Upgrading from the 2016.11.1 Connector: Before upgrading, see KB article 2149179.
  • Upgrading from Identity Manager 2.7.1 to 3.0: First, upgrade to 2.9.2.x. See KB article 2151825.


[tabs slidertype=”simple”] [tab]

Java Update Considerations for Identity Manager on Windows

On the Windows-based version of Identity Manager, updating Java also removes some security certificates.

For this reason, Identity Manager on Windows does not support automatic updates of Java.

To update Java, run the updates manually or through the Identity Manager Installer. Once the update completes, reinstall the Java Unlimited Strength (JCE) policy files (if necessary), and restore the security certificates.[/tab] [tab]

Restoring Security Certificates Post-Java Update

The way you restore the certificates depends on which update method you used.

Java Updated through Identity Manager Installer

  1. Restore the CA certificate through the Installer at:
    opt\vmware\horizon\workspace\install\cacerts.sav to JAVA_HOME\lib\security\cacerts
  2. Restart the Windows machine.

Java Updated Manually

  1. Back up the CA certificates in JAVA_HOME/lib/security/cacerts
  2. After the update is complete, restore the CA certificates to the newer Java directory JAVA_home/lib/security/cacerts
  3. Update the JAVA_HOME environment variable to the new Java path.


[tabs slidertype=”simple”] [tab]

Transport Layer Security (TLS) 1.0 Disabled by Default

Beginning with Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update products configurations to use TLS 1.1 or 1.2.

External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix or the load balancer in Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.

Additional Resources

[tabs slidertype=”simple”] [tab]


Read the Identity Manager 3.0 release notes and technical documentation.[/tab][/tabs]

[author] [author_image timthumb=’on’][/author_image] [author_info]Ben Siler, a Product Marketing Manager at VMware, reviewed this post.[/author_info] [/author]