VMware Identity Manager supports integration with a wide range of third-party Identity Providers such as ADFS, Ping Federate and many more. The integration is based on SAML 2.0: VMware Identity Manager acts as the Service Provider (SP) and the external system acts as the Identity Provider (IdP).
This blog post will explain how to use Azure AD as a trusted Identity Provider (IdP) in VMware Identity Manager.
Step 1: Create SAML app in Azure AD
First you need to create a SAML integrated application in Azure AD. When creating the application you must have access to your VMware Identity Manager's sp.xml file, because Azure AD needs the SP entity ID, assertion consumer URL and signing certificate from it.
You can access the sp.xml file and signing certificate in the administrator console – Catalog – Settings – SAML Metadata.
During the last step of creating the application in Azure AD you can download the AADIDPFederationMetadata.xml. This identifies Azure AD from an IdP point of view, and the information in this file (entity ID, single sign-on and single logout endpoints, and the signing certificate) needs to be imported into VMware Identity Manager in order to establish trust.
The problem is that we cannot simply reference this file directly within VMware Identity Manager. We need to build our own idp.xml file. That brings us to Step 2.
Step 2: Generate idp.xml
We will use an excellent online tool found here: https://www.samltool.com/idp_metadata.php to build our idp.xml file. The tool asks for the IdP entity ID, the SSO and SLO endpoint URLs and the X.509 signing certificate. All of these are public values (the federation metadata contains the certificate, never the private key), so nothing secret leaves your tenant, but do check that the certificate you end up importing is the one Azure AD actually published.
The properties can easily be found within the AADIDPFederationMetadata.xml file, inside the IDPSSODescriptor element. The entity ID is the entityID attribute of the root EntityDescriptor, the certificate is the X509Certificate element of the signing KeyDescriptor, and the endpoints look like this (your_unique_identifier is your tenant ID):
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.windows.net/your_unique_identifier/saml2"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.windows.net/your_unique_identifier/saml2"/>
Step 3: Create Identity Provider in VMware Identity Manager
Once you have generated the idp.xml, copy the generated output. We can now go back into VMware Identity Manager's admin console and add a third-party IdP.
- Click on Identity & Access Management
- Click on Identity Providers
- Click on Add Identity Provider and then Create a Third Party IDP
- Give the Identity Provider a name
- Paste the idp.xml data from samltool.com and click on Process IdP Metadata
- Specify emails as the Name ID value
- Enable the directory for which this Identity Provider will be able to provide authentication
- Choose for which networks this Identity Provider will be allowed
Now we come to the tricky part, the secret sauce. Here is why I enter three different authentication (AuthN) methods.
In an SP-initiated flow VMware Identity Manager sends a RequestedAuthnContext to Azure AD (AAD). If you want to support more than one AuthN method on the AAD side you must add unspecified. Why? If vIDM requested Kerberos (Windows integrated authentication), clients that can only authenticate with a password would fail, because they cannot fulfil the requested AuthN method. So instead we pass unspecified to AAD. That way AAD is free to use either Kerberos or password, and the method it actually used comes back in the assertion's AuthnContextClassRef, which is why the other two methods are still defined below.
- Create the Authentication Methods:
- AAD-Unspecified: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
- AAD-Password: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
- AAD-Kerberos: urn:federation:authentication:windows
- Click Add
Now you should have your new Azure AD Identity Provider listed.
Step 4: Adjust your policies
Next we need to configure the access policies in VMware Identity Manager to make use of the newly created Identity Provider and its AuthN methods.
You can use the authentication methods in default_access_policy_set, i.e. in order to get access to VMware Identity Manager itself, or you can use them for a subset of applications only. In the second option Azure AD authentication is only enforced when a user tries to open one of those applications (step-up authentication).
In this example, I’ll add the authentication methods to the default access policy.
- Click on Policies
- Click on default_access_policy_set
Now you have to specify for which network range and for which client types this policy should apply. I've chosen all network ranges but only my Windows 10 clients.
And here comes the second part of the secret sauce. As your first authentication method choose AAD-Unspecified. (This is only used in the SP-initiated flow, so that vIDM does not limit the methods used on the AAD side.)
As the second authentication method pick AAD-Password, and last add AAD-Kerberos.
By default your newly created rule ends up at the bottom of the policy rules list, so it might never be hit (rules are evaluated top down, and the first matching rule wins).
So grab the icon on the right-hand side and drag your rule to the appropriate position in the list.
I put mine on top, and then it should look something like this. Now click Save.
Keep at least one rule (or another admin path) that still allows local password authentication: if the Azure AD trust ever breaks, for example after a certificate rollover, a default policy that only accepts the AAD methods will lock you out of the admin console as well.
Finally, this is how my policies look. Now it is time for you to give it a try.