
VMware Identity Manager (vIDM) is free with Log Insight, but it is a separate virtual appliance (VA) that must be deployed (unless you have vRealize Automation, which ships with vIDM integrated; Log Insight can then integrate with that vIDM instance). As a Log Insight customer, you are entitled to use vIDM for single sign-on (SSO) and authentication. vIDM is available with every edition of Log Insight, including Log Insight for vCenter and Log Insight for NSX.


VMware Identity Manager (vIDM) is available for limited use with vRealize Log Insight. For complete vIDM functionality, please purchase Workspace ONE licenses.

The limited use of vIDM for Log Insight includes the following features:

  1. Directory integration to authenticate users against the customer's own user directory, such as Active Directory or LDAP.
  2. Access policies, including conditional access.
  3. Single Sign-On (SSO) integration with third-party identity providers such as ADFS, PingFederate, and others, so that users already logged in to those systems can SSO into Log Insight.
  4. Two-factor authentication through integration with third-party systems such as RSA SecurID, Entrust, and others.
    • Note: Built-in two-factor authentication using VMware Verify is not included. To use VMware Verify, acquire a Workspace ONE license.
  5. SSO to other VMware products, where those products support the SSO capability.


vIDM is a service, deployed as a separate VA, that extends your on-premises directory infrastructure to provide a seamless Single Sign-On (SSO) experience for Log Insight. More information on vIDM can be found here.


VMware Identity Manager does not replace Active Directory; it integrates with it. Microsoft Active Directory integration is configured in VMware Identity Manager instead of in Log Insight. You can read about the difference between Log Insight and AD here.


Limited vIDM usage is free for Log Insight, and the vIDM VA is included on the Log Insight 4.5 download page as a separate download, located below the Log Insight Agents download.

How to Use vIDM for Log Insight

Configuration is done on the same Authentication page as Active Directory (AD):

IMPORTANT: The bind user you configure must be a local vIDM user for the integration to work.

You must provide the connection details of an external vIDM instance (either on-premises or cloud). Once the configuration is complete, navigate to the /admin/users page to add vIDM users and groups:

[Screenshot: Log Insight /admin/users page with vIDM users and groups]

IMPORTANT: Pay special attention to the domain field; failing to set it correctly results in errors.

How to Log In using vIDM for Log Insight

Note that once you enable vIDM, the Log Insight login page looks slightly different:

[Screenshot: Log Insight login page with provider drop-down]

You must now choose a provider in the first drop-down. When you select vIDM, you are redirected to vIDM to authenticate unless your browser already holds an active SSO session.


Migrating from AD to vIDM for Log Insight

It is not a best practice to have both AD and vIDM configured simultaneously. If you are upgrading, you may need to migrate from AD to vIDM. The steps are:

  1. Add the vIDM integration to Log Insight (do not add users or groups yet)
  2. Take a snapshot of all Log Insight nodes
  3. Run the CLI script to migrate the existing users (script here)
  4. Disable the AD integration in Log Insight
  5. Add vIDM groups as needed
  6. Modify users as needed
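Step 2 is the safety net for everything that follows, since step 4 disables the login method you already know works. The following is an added example, not a script from the original post or from VMware: it uses the govc CLI to snapshot every Log Insight node VM and then confirms each snapshot is visible before you run the migration script. The node VM names, the snapshot naming scheme and the govc connection environment (GOVC_URL, GOVC_USERNAME, GOVC_PASSWORD, GOVC_INSECURE) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot every Log Insight node
# with govc before the AD -> vIDM migration, then verify each snapshot exists.
# Assumes govc is installed and already points at vCenter through the usual
# GOVC_URL / GOVC_USERNAME / GOVC_PASSWORD variables; the VM names passed on
# the command line are assumed to be the cluster's nodes.
set -eu

# One snapshot name shared by all nodes, so it is obvious later why the
# snapshot exists and when it was taken (UTC timestamp).
snapshot_name() {
    printf 'pre-vidm-migration-%s' "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Disk-only snapshot of one VM (-m=false skips the memory state, which is not
# needed to roll back an authentication configuration change).
snapshot_node() {
    vm=$1
    name=$2
    govc snapshot.create -vm "$vm" -m=false \
        -d "Taken before migrating Log Insight from AD to vIDM" "$name"
}

# Snapshot every node, stopping at the first failure so the migration is never
# started with only part of the cluster protected.
snapshot_li_nodes() {
    name=$1
    shift
    for vm in "$@"; do
        snapshot_node "$vm" "$name" || {
            echo "snapshot failed for $vm; do not continue the migration" >&2
            return 1
        }
    done
    return 0
}

# Confirm the snapshot actually shows up in each node's snapshot tree.
verify_snapshots() {
    name=$1
    shift
    for vm in "$@"; do
        govc snapshot.tree -vm "$vm" | grep -q -- "$name" || {
            echo "snapshot $name is not visible on $vm" >&2
            return 1
        }
    done
    return 0
}

# Usage: sh snapshot-li-nodes.sh li-node-1 li-node-2 li-node-3 (names assumed)
if [ $# -gt 0 ]; then
    name=$(snapshot_name)
    snapshot_li_nodes "$name" "$@"
    verify_snapshots "$name" "$@"
    echo "All $# nodes snapshotted as $name; safe to run the migration script."
fi
```

If any snapshot fails the script stops before you reach step 3, and the verify pass refuses to report success if a snapshot is missing on a node. Delete the snapshots once vIDM logins are confirmed working, because long-lived snapshots slow the appliances down.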

Log Insight 4.5 drops direct AD support, but you can still use AD as the directory behind vIDM. You can find the article detailing the migration from AD to vIDM for Log Insight here.

For more information on vIDM on-premises deployment requirements and architectural design, click here.