
What’s New in VMware Identity Manager, Cloud – January 2016 Release

This overview of new technology represents no commitment from VMware to deliver these features in any other generally available product or service.

As we enter 2016, we are excited to announce the following features in our cloud version of VMware Identity Manager for the January release:

  • Improved one-touch SSO from iOS devices using embedded Kerberos Key Distribution Center (KDC)
  • Device-compliance check at login time
  • SSO to Horizon Air applications and desktops
  • SSO to Citrix 6.x XenApp

Improved One-Touch SSO from iOS Devices Using Embedded KDC

One of the key features of VMware Identity Manager is one-touch mobile SSO, which allows users to sign in to applications from mobile devices without entering passwords. Organizations are using this feature in the following scenarios:

  • When VMware Identity Manager is the only Identity Provider (IdP)
  • When the organization is already using a third-party IdP, such as ADFS or PingFederate, but wants to provide one-touch SSO to users from mobile devices

To support this feature on iOS devices, VMware Identity Manager uses Kerberos authentication with a certificate. This requires the mobile device to reach the on-premises Kerberos Key Distribution Center (KDC), which is accomplished using per-application VPN initiated by VMware AirWatch.

With the January 2016 update, VMware Identity Manager for the cloud now runs an embedded KDC, which eliminates the need to set up per-application VPN on a mobile device so that it can reach an on-premises KDC. (Per-application VPN is when AirWatch automatically establishes a VPN tunnel, hidden from the user, when a given application is launched.) Without per-application VPN, the administrator has less to set up and the user’s device gets more battery life.

How Do I Configure This Feature?

Log in to the administrator’s console, and navigate to Identity & Access Management, then Identity Providers, then Built-in, as shown in Figure 1. The Built-in Identity Provider is new and is always available in all tenants. It services authentication methods that do not require an on-premises Connector.

Figure 1: Configuring the Built-In Identity Provider

Next, click the gear icon next to Built-In Kerberos to configure the settings.

Figure 2: Configuring the Built-In Kerberos Settings

Refer to the VMware Identity Manager Connector Installation and Configuration Guide for step-by-step instructions.

Device-Compliance Check at Login Time

When users enroll their iOS devices with AirWatch, the AirWatch agent is installed on the device and continuously monitors whether the device meets the compliance rules set by the administrator in the AirWatch console. Examples of compliance rules: the device cannot be “jailbroken” (that is, have the software restrictions imposed by iOS removed), and the device PIN cannot be disabled. Whenever the device is out of compliance, the AirWatch agent immediately reports the compliance status to the AirWatch server.

Now, VMware Identity Manager includes a new policy rule that checks the AirWatch server for device-compliance status at login time. This ensures that users are blocked from logging in to an application or the VMware Identity Manager SSO portal if the device is out of compliance. The user can log in again after remediating the device so that it is compliant again.

Figure 3: Confirming the Policy Rule for Device Compliance

SSO to Horizon Air Applications and Desktops

A main feature of VMware Identity Manager, and a differentiator from other identity management systems, is the ability to support multiple types of applications, such as Web and mobile applications, virtual applications, and virtual desktops. VMware Horizon Air Desktops is a Desktop as a Service (DaaS) offering that delivers desktops and applications to any device, anywhere.

If you use VMware Horizon Air Desktops, now your users can access the VMware Identity Manager My Apps portal to launch their entitled Horizon Air applications and desktops.

Figure 4: Configuring Horizon Air Applications

Figure 5: Configuring the Horizon Air Resources Settings

Refer to the VMware Identity Manager Connector Installation and Configuration Guide for detailed instructions.

SSO to Citrix 6.x XenApp

VMware Identity Manager has supported Citrix 5.x XenApp published applications and desktops for a while. (Citrix XenDesktop is not supported at this time.)

With this update, if you use Citrix 6.x XenApp, your users can access the VMware Identity Manager My Apps portal to launch Citrix published applications and desktops.

Figure 6: Using the VMware Identity Manager My Apps Portal to Launch Citrix Published Applications

Figure 7: Configuring the Citrix Published Applications Settings

Refer to the VMware Identity Manager Connector Installation and Configuration Guide for detailed instructions.

To learn more, explore the VMware Identity Manager solution, or sign up for a free trial of VMware Identity Manager. You can also explore the What’s New blogs for VMware Identity Manager.