In this blog post we focus on Identity Manager Workspace ONE Certificate Authentication and will walk through the process of setting up certificate based authentication for VMware Identity Manager (Workspace ONE) for DMZ deployments. Certificate based authentication has requirements which for the purposes of this blog we assume already exist in the environment. To take advantage of certificate based authentication you need an Active Directory certificate authority installed and configured in which users are enrolled. We will not cover the setup and configuration of a Microsoft Certificate Authority in this blog. Further details around Certificate Authority setup can be found at this link (Certification Authority Setup).
Additionally, we assume Identity Manager (Workspace ONE) has already been installed.
In a DMZ deployment scenario, where the VMware Identity Manager instance is deployed in the DMZ and the VMware Identity Manager connector is deployed in the internal network, if you do not want to allow inbound access to the connector, you can enable certificate authentication on the connector that is embedded in the core VMware Identity Manager Appliance. In this blog, we will use the connector embedded in the core appliance for certificate authentication. For other deployment scenarios you can use the external connector.
To use the connector embedded in the core appliance for certificate authentication, you create a new Workspace identity provider for your directory, associate it with the connector embedded in the core appliance, and enable the Certificate Authentication adapter on the embedded connector. You can then configure your policies to use the certificate authentication method.
Enabling certificate authentication for VMware Identity Manager (Workspace ONE) requires setting SSL pass-through on the load balancer. The SSL handshake, including the client certificate exchange, must take place between the end user and the connector embedded in the core appliance rather than terminating on the load balancer. The default port is 7443. You set the port and upload the root and intermediate certificates from the certificate authority you wish to use on the Appliance Settings pages, and enable SSL pass-through for that port on the load balancer. Port 443 is used for all other traffic.
Configuring certificate based authentication for a VMware identity manager DMZ deployment
In the administration console, click the Appliance Settings tab, and click Manage Configuration.
Enter the appliance admin user password in the new browser window.
In the left pane, click Install SSL Certificates and select the Passthrough Certificate tab. The default Port is 7443, but it can be any port between 1024 and 65535 except 8443, which is the admin port. The SSL Certificate Chain field must contain the entire certificate chain (the server, intermediate, and root certificates) in the following order:
- Server certificate
- Intermediate certificate
- Root certificate
For each certificate, copy everything between and including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Certificates must be in the PEM format. Windows PFX certificates can be converted to PEM format using OpenSSL.
The Private Key is typically generated when the original certificate request was generated.
The private key should begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.
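The conversion and ordering described above is easy to get wrong by hand, so here is an added example (not part of the original post and not VMware tooling) that turns a Windows PFX export into the two inputs the Passthrough Certificate tab asks for: chain.pem in the order server, intermediate(s), root, and key.pem as an unencrypted PKCS#8 key that starts with -----BEGIN PRIVATE KEY-----. It assumes openssl (1.1.1 or 3.x) is on PATH; the file names and the "self-signed certificate goes last" ordering rule are this example's own choices, and it handles the single-intermediate chain the post describes.

```shell
#!/bin/sh
# Added example: build Identity Manager pass-through inputs from a PFX export.
#   chain.pem  server -> intermediate(s) -> root, pure PEM blocks, no bag attributes
#   key.pem    unencrypted PKCS#8 ("-----BEGIN PRIVATE KEY-----")
# Assumes openssl on PATH. File names are this example's own conventions.
set -eu

# cert_kind FILE: prints "self" for a self-signed certificate, else "signed".
cert_kind() {
  if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
       "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
    echo self
  else
    echo signed
  fi
}

# pfx_to_pem_bundle PFX PASSWORD OUTDIR
pfx_to_pem_bundle() {
  pfx="$1"; pass="$2"; out="$3"
  mkdir -p "$out"
  # Server (leaf) certificate. Re-encoding through x509 strips the
  # "Bag Attributes" text so the file is exactly one BEGIN/END block.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    | openssl x509 -out "$out/server.pem"
  # CA certificates carried in the PFX, split one per file (cas1.pem, cas2.pem, ...).
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys \
    | awk -v out="$out" '/BEGIN CERTIFICATE/ { n++; p = 1 }
                         p { print > (out "/cas" n ".pem") }
                         /END CERTIFICATE/ { p = 0 }'
  : > "$out/intermediates.pem"
  : > "$out/root.pem"
  for f in "$out"/cas*.pem; do
    [ -e "$f" ] || continue          # PFX carried no CA certificates
    if [ "$(cert_kind "$f")" = self ]; then
      openssl x509 -in "$f" >> "$out/root.pem"
    else
      openssl x509 -in "$f" >> "$out/intermediates.pem"
    fi
  done
  # The order the Passthrough Certificate page requires.
  cat "$out/server.pem" "$out/intermediates.pem" "$out/root.pem" > "$out/chain.pem"
  # Private key as unencrypted PKCS#8; pkcs8 -topk8 also normalises
  # "BEGIN RSA PRIVATE KEY" (PKCS#1) files produced by other tools.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    | openssl pkcs8 -topk8 -nocrypt -out "$out/key.pem"
  chmod 600 "$out/key.pem"
}

# bundle_looks_valid OUTDIR: 0 when key.pem has the expected header, chain.pem
# starts with the server certificate, root.pem is self-signed, and openssl can
# build the server -> intermediate -> root path from those files.
bundle_looks_valid() {
  out="$1"
  [ "$(head -n 1 "$out/key.pem")" = "-----BEGIN PRIVATE KEY-----" ] || return 1
  [ "$(openssl x509 -in "$out/chain.pem" -noout -subject_hash)" = \
    "$(openssl x509 -in "$out/server.pem" -noout -subject_hash)" ] || return 1
  [ "$(cert_kind "$out/root.pem")" = self ] || return 1
  if [ -s "$out/intermediates.pem" ]; then
    openssl verify -CAfile "$out/root.pem" -untrusted "$out/intermediates.pem" \
      "$out/server.pem" > /dev/null
  else
    openssl verify -CAfile "$out/root.pem" "$out/server.pem" > /dev/null
  fi
}

# Usage: sh pfx2chain.sh export.pfx 'pfx-password' ./out
if [ $# -eq 3 ]; then
  pfx_to_pem_bundle "$1" "$2" "$3"
  bundle_looks_valid "$3" && echo "chain.pem and key.pem written to $3"
fi
```

Paste the contents of chain.pem into the SSL Certificate Chain field and key.pem into the Private Key field. The verify step at the end is the useful part: if it fails, the PFX did not carry the full chain, and the appliance will present an incomplete chain on the pass-through port.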
Once the information has been added in the correct fields click Add.
Note: It will take time for the certificate to be added and the Identity Manager Service to be restarted on the appliance.
After the Identity Manager Service restarts navigate back to the general administration page. Click the Identity & Access Management tab, then go to the Identity Providers tab.
Click Add Identity Provider and select Create Workspace IDP.
In Identity Provider Name, enter a name for the identity provider.
In the Users section, select the directory whose users will be able to authenticate. Local directories are not supported.
In the Connector(s) section, from the Add a Connector drop-down menu, choose the connector embedded in the core appliance.
The embedded connector has the same hostname as the core appliance. Do not select the name of an external connector. Deselect the Bind to AD check box.
Click Add Connector. Important: Do not select the Bind to AD option. In the Network section, select the network ranges from which the identity provider can be accessed.
After the required information is entered click Add.
After the Identity Provider has been added, you will see it in the list of providers.
(The screenshot below shows the Identity Provider configuration after the settings have been selected and saved.)
Click the name of the Identity Provider you just created.
In the IdP Hostname text box, change the value from hostname to hostname:port, where port is the custom port you configured for certificate authentication in step 1 (the Passthrough Certificate tab). The hostname is typically the FQDN of the load balancer in front of the Identity Manager appliances, and the port is typically 7443, which must be configured for pass-through on that load balancer.
Next we must enable the CertificateAuthAdapter on the embedded connector.
Click the Identity & Access Management tab, then choose Setup.
In the Connectors page, find the embedded connector. The embedded connector is the core appliance.
In the embedded connector row, click the link in the Worker column.
Note: Each worker is associated with a directory. If multiple workers are listed, click the worker link for the directory for which you want to enable certificate authentication.
Click the Auth Adapters tab, then choose CertificateAuthAdapter.
Configure and enable the adapter.
Click the Select File button, navigate to and select the PEM or DER formatted root and intermediate certificates from your certificate authority. These are the CA certificates mentioned at the beginning of this blog article.
You should see information about the certificates you uploaded in the Uploaded CA Certificates section.
Complete the remaining fields as needed and click Save.
Some selections may differ depending on the environment.
Verify that the Identity Providers page displays the Certificate Authentication method. Go back to the administration console page.
Click the Identity & Access Management tab, then choose Identity Providers.
Verify that Certificate appears in the Authentication Methods column for the new identity provider that you created.
Configure VMware Identity Manager Policies to use the certificate authentication method.
Click the Identity & Access Management tab, then choose Manage, then choose Policies.
Click the policy you wish to edit.
Once you’ve selected the policy click the Edit button.
Click the Next button.
Click the rule which you wish to edit. In this example we are selecting the rule which governs the Web Browser device type.
In the pull-down next to "then the user may authenticate using", select Certificate from the list of choices.
Click Save to make this change.
Click Next to continue.
Click Save to make this change.
Click Save to store the policy changes.
Open a browser on a different system and enter the URL to the Identity Manager instance to test and validate the certificate based authentication.
If certificate authentication is working correctly, and the user has a valid certificate from the certificate authority, a prompt should appear asking the user to select a certificate. Select the correct certificate and click OK to log in to VMware Identity Manager.
Once authenticated, the user should see the entitled resources.
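The browser test above tells you whether login works, but when it does not, it helps to see what the pass-through port actually presents. This added example (not part of the original post or VMware tooling) captures an openssl s_client transcript against the pass-through port and reads out of it the certificate the listener presented and the CA names it advertises when it requests a client certificate. It assumes openssl is on PATH; the host name is a placeholder, and the transcript format is the one s_client prints ("Certificate chain", " 0 s:", "Acceptable client certificate CA names", "Client Certificate Types").

```shell
#!/bin/sh
# Added example: probe the Identity Manager pass-through port from outside.
# Confirms (a) which certificate the port presents, so you can tell whether
# the load balancer is terminating TLS instead of passing it through, and
# (b) whether the listener requests a client certificate and which CA names
# it advertises. Assumes openssl on PATH; host names are placeholders.
set -eu

# probe_passthrough HOST PORT OUTFILE: capture a handshake transcript without
# offering a client certificate (EOF on stdin closes the session).
probe_passthrough() {
  openssl s_client -connect "$1:$2" -servername "$1" < /dev/null > "$3" 2>&1 || true
}

# presented_subject TRANSCRIPT: subject of the leaf certificate the server sent.
# If this is the load balancer's own certificate, pass-through is not in place.
presented_subject() {
  awk '/^ 0 s:/ { sub(/^ 0 s:/, ""); print; exit }' "$1"
}

# ca_names_sent TRANSCRIPT: 0 when the server requested a client certificate
# and listed acceptable CA names. (An empty list is reported by s_client as
# "No client certificate CA names sent" whether or not a request was made,
# so only the positive case is conclusive.)
ca_names_sent() {
  grep -q '^Acceptable client certificate CA names' "$1"
}

# requested_ca_names TRANSCRIPT: the CA names the server will accept client
# certificates from; your AD CA's root or intermediate should be among them.
requested_ca_names() {
  awk '/^Acceptable client certificate CA names/ { p = 1; next }
       /^Client Certificate Types/ { p = 0 }
       p' "$1"
}

# Usage: sh probe.sh idm.example.test 7443
if [ $# -eq 2 ]; then
  t=$(mktemp)
  probe_passthrough "$1" "$2" "$t"
  echo "presented: $(presented_subject "$t")"
  if ca_names_sent "$t"; then
    echo "client certificate requested; acceptable CA names:"
    requested_ca_names "$t"
  else
    echo "no CA names advertised on port $2: check pass-through on the load balancer and the CA upload on the adapter"
  fi
  rm -f "$t"
fi
```

Run it from the same network range the policy rule applies to, since the identity provider is only offered to the ranges selected in its Network section.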
Jeffrey Davidson, Consulting Architect, VMware EUC Professional Services. Jeffrey has over 15 years of IT experience and joined VMware in 2014. He is also a VCP5-DCV and VCP5-DT. He is a strong advocate of virtualization technologies, focusing on operational readiness, efficiency, and productivity with customers.