One of the major new enhancements in vRealize Automation 7 involves the replacement of the underlying identity management system. vRA 7 will now leverage vIDM, and it’s integrated directly into the vRA appliance.
Reduced Footprint and Ability to Scale
In vRA 6, identity management was handled via functionality that lived on a separate appliance within the vRA 6 architecture, also known as the Identity Appliance. The Identity Appliance leveraged technology that actually came from vCenter – vCenter SSO. Having an extra appliance not only added to the application footprint, it also created challenges when it came to architecting environments for HA. With vRA 7 and vIDM, this challenge is not only removed, architecting for HA becomes extremely easy – it’s simply a matter of adding additional vRA Appliances:
One of the major reasons for the change to vIDM is not only the reduced footprint and ability to easily scale, it’s also the added functionality. vIDM now brings a slew of new features, including:
- OTB 3rd party SAML Token Support
- OTB Smart Card Support
- Multi-factor authentication
- Login Auditing
- Major Scalability Improvements
- HA support (configured by wizard)
In addition, the vIDM identity stack supports many authentication protocols and methods (some of which were previously not supported):
- SAML Authentication
- Smart Card / Certificate
- RSA SecurID
- RSA Adaptive Authentication
Furthermore, Kerberos authentication, aka “Integrated Windows Authentication” is supported by vIDM, which means that vIDM is so configured, by virtue of being logged into the Windows domain on a Windows laptop/server or Mac OS/X desktop/laptop, that the user is automatically logged into vRA. There is no need to check on any box labeled ‘Use Windows Session Authentication’ on the vIDM login page. Once the user’s browser is configured, the login becomes seamless.
The vIDM authentication methods are built using an extensible framework, so if a newer authentication method or a custom authentication method is required by a customer, these can be developed and plugged into vIDM
Faster Logins, Smarter User Handling
Like most modern cloud/web products that integrate with AD, the interesting users and groups are synced/copied from AD to the cloud/web service. Authentication always still takes place against AD – but with user and groups search, attaching rights to those users in the cloud/web service is against the synced users and groups.
Because searches are against a local copy of the AD users and groups, they are much faster. Because logins are just an AD authentication – and not an attempt to obtain all group membership – they are much faster.
The AD user or group attributes (such as samAccountName, userPrincipalName firstName, lastName, telephoneNumber, …) that are synced from AD are selected by the administrator at install/config time. Therefore we now have the capability to:
- Sync on a user’s manager attribute
- Define an approval based on a user’s manager
Tenants in vRA leverage the Identity stack’s tenanting capabilities. vIDM is built from the ground up to be a multi-tenanted service, and because of that, vRA 7 now has extensive tenant branding capabilities that it did not previously have.
We can now have a unique UI and login experience for each individual tenant in vRA. And plus, branding is super easy. See the video below for a quick review on how it’s done.
Overview & Demo
For more info, and to see a demo of some of these new vIDM features that now exist in vRA, see the following video: