VMware Identity Manager 19.03.0.0

Last Modified: Jun 27, 2019 @ 7:22 am

Planning

Identity Manager is a component of VMware Workspace ONE.

  • For Horizon, Identity Manager enables SAML authentication, and integration of additional apps from Citrix and the web (e.g. SaaS).
  • For full functionality, Identity Manager should be paired with AirWatch (not detailed in this post).

System and Network Configuration Requirements at VMware Docs.

From Component Design: VMware Identity Manager Architecture in the VMware Workspace ONE and VMware Horizon Reference Architecture:

Single data center:

Multiple data centers:

VMware Blog Post What’s New in VMware Identity Manager 19.03

Upgrade

Version 19.03 no longer includes the embedded Connector so you must deploy one or two Windows machines to run the external connector. The embedded Connector can be migrated to the external Windows connector.

You can upgrade from version 3.2.0.1 or 3.3 directly to version 19.03.0.0. To upgrade from a version prior to 3.2.0.1, you must first upgrade to version 3.2.0.1.

Upgrading can be performed online, or offline. Both are performed from the command line. See About Upgrading to VMware Identity Manager 19.03.0.0 (Linux) at VMware Docs.

Make sure the Identity Manager SQL Service Account is a db_owner on the Identity Manager database. You can remove the permission after the upgrade.

For clusters, remove all nodes except one from the load balancer and upgrade the node that is still connected to the load balancer. Then upgrade the remaining nodes.

If you don’t have a Windows-based Connector and need to migrate from the Embedded Connector, then do the following:

  1. Download the VMware Identity Manager Standalone Connector Installer for Windows. You’ll install this later.
  2. From the same page, download the Cluster Migration Support Tools.
  3. Enable ssh access for the root account if you haven’t already.
  4. WinSCP to the Identity Manager appliance and upload the cluster-support.tgz file to the /root directory. After uploading the file, don’t close WinSCP yet.
  5. SSH (e.g. Putty) to the appliance as root.
  6. Run /usr/local/horizon/update/updatemgr.hzn updateinstaller
  7. You’ll be prompted to enter passwords for the cluster file.

  8. Back in WinSCP, download the .enc file that was created. You might have to refresh WinSCP to see the file.
  9. Then back in SSH, run /usr/local/horizon/update/updatemgr.hzn update
  10. Updating will take several minutes.
  11. Run the check command again to see if there are any other updates available.
  12. Then reboot the appliance.
  13. Build a Windows 2016 server. Windows 2019 is not supported yet. For redundancy, you can build two Windows servers.
  14. Copy the .enc file to the C: drive of the Windows server. It will not work from a UNC path.
  15. On the Windows server, run VMware_Identity_Manager_Connector_19.03.0.0_Installer.exe to install the Connector.
  16. Click Next through a few obvious screens and then check the box when asked Are you migrating your Connector.
  17. Browse to the local .enc file, enter the password specified earlier, and then click Next.
  18. In the next page, verify the hostname, and then click Next.
  19. In the domain user account page, note that some of the authentication methods require the connector to run as a service account so you might as well set that up now. Click Next.

    • The service account must be a local administrator on the Connector server.
  20. Click Next through the end of the wizard.
  21. Click No when prompted to load the Connector’s admin page because the Connector should already be configured.
  22. If Windows Firewall is enabled, then add a rule to permit inbound TCP 8443. This rule allows you to configure Authentication adapters from a remote machine.
  23. In Identity Manager Admin, at Identity & Access Management > Setup > Connectors, you can delete the old embedded connector.
  24. In Identity & Access Management (Manage), click the Identity Providers tab.
  25. Configure the Built-in IdP with the Connectors in Outbound Mode.
  26. Then click the link for the Workspace IdP.
  27. In the IdP Hostname field, edit the URL to point to the external Windows connector. With outbound mode, this URL is only used for Kerberos authentication, if enabled.

After upgrading from 3.0 and older:

  1. In the admin console, go to Catalog > Virtual Apps Collection. This is a new feature in 3.1 and newer.
  2. On the top right, click Add Virtual Apps, and then click Horizon View On-Premises.
  3. If you see an introduction page, then click Get Started.
  4. Select a connector, and then click Migrate Configurations.
  5. You can now manage the Horizon connections from Catalog > Virtual Apps Collection.

Preparation

DNS Configuration

If you intend to build multiple appliances (3 or more) and load balance them, specify a unique DNS name for each appliance. The Load Balancing DNS name is different from the appliance DNS names. For example:

  • Appliance 1 = im01.corp.local
  • Appliance 2 = im02.corp.local
  • Appliance 3 = im03.corp.local
  • Load Balancing Name = identity.corp.com. This name is used both internally and externally.

Identity Manager DNS names are separate from Horizon DNS names.

You’ll need SSL certificates that match these names.

Each of these DNS names must have a corresponding reverse DNS pointer record.

  1. Create DNS records for the virtual appliances.
  2. Create reverse pointer records too. Reverse pointer records are required.

LDAP Accounts

  1. All accounts synced with Identity Manager must have First Name, Last Name, and E-mail Address configured, including the Bind account.
  2. Create a new Active Directory group for your Identity Manager users. The Domain Users group will not work. For Horizon integration, assign this group to your pools instead of assigning Domain Users.

SQL Database

If you want to build multiple Identity Manager appliances and load balance them, configure them with an external database (e.g. Microsoft SQL).

For a script that performs all required SQL configuration, see Configure a Microsoft SQL Database at VMware Docs.

  1. In SQL Management Studio, create a New Query.
  2. Copy the SQL commands from VMware Docs and paste them into the New Query window.
    1. For Windows Authentication, copy the commands from Configure the Microsoft SQL Database with Windows Authentication Mode.
    2. For SQL Authentication, copy the commands from Configure Microsoft SQL Database Using Local SQL Server Authentication Mode.
    3. Change the values in the brackets.
    4. According to Rob Beekmans at Deploying VMware Workspace One 3.x – database setup, mandatory or changeable parameters?, in Identity Manager 3.0 and newer, you can change any of the parameters, except that the database schema (but not database name) must be saas.
  3. Then click Execute.

OVF Deployment

  1. Download the Identity Manager 19.03.0.0 SVA OVA file.
  2. If your vCenter is 6.5 Update 2 or newer, then you can use the newer HTML5 vSphere Client. Otherwise, use the older Flash vSphere Web Client.
  3. In the vSphere Web Client, right-click a cluster, and click Deploy OVF Template.
  4. In the Select source page, browse to the identity-manager-19.03.0.0-13322314_OVF10.ova file, and click Next.

  5. In the Select name and location page, enter a name for the VM, and click Next.
  6. In the Select a resource page, select a cluster, and click Next.
  7. In the Review details page, click Next.
  8. In the Accept License Agreements page, click Accept, and then click Next.
  9. In the Select storage page, select Thin Provision, select a datastore, and click Next.
  10. In the Select networks page, select the network for the appliance. You can deploy it either internally, or in the DMZ. If in the DMZ, you can later install Identity Manager Connectors in the internal network in outbound only mode. Click Next.
  11. In the Customize template page:
    1. Make a choice regarding Customer Experience Improvement Program.
    2. Select a time zone.
    3. Expand Networking Properties if it’s not already expanded.
    4. The Networking Properties are displayed in a different order depending on which vSphere Web Client you’re using.
    5. Host Name – Enter a hostname for the first appliance.
      • If you intend to build multiple appliances and load balance them, then each appliance needs a unique name that does not match the load balanced name. If you only want to build one appliance, then the appliance Host Name should match whatever users will use to access Identity Manager.
    6. DNS and Gateway – In the Networking Properties section, enter the standard DNS and Gateway information.
    7. According to Install the VMware Identity Manager OVA File at VMware Docs, the Domain Name and Domain Search Path fields are not used.
    8. IP Address – Enter the IP address that is configured in DNS for the host name. DNS reverse lookup for this IP address must resolve to the appliance Host Name.
  12. Click Next.
  13. In the Ready to complete page, click Finish.

Setup Wizard

  1. Power on the appliance.
  2. Wait for the appliance to power on and fully boot.
  3. Go to https://myIMFQDN to access the Identity Manager Setup Wizard.
    Note: you must connect to the DNS name. Connecting to the IP address will cause problems during the database setup process.
  4. In the Get Started page, click Continue.
  5. In the Set Passwords page, enter passwords for the three accounts, and click Continue.

  6. In the Select Database page, change it to External Database.
    Note: this page will only function properly if your address bar has a DNS name instead of an IP address.
  7. For SQL authentication, enter a JDBC URL similar to the following, enter the credentials for the Horizon SQL account, and then click Test Connection.
    jdbc:sqlserver://mysqlserver.corp.local;DatabaseName=saas;multiSubnetFailover=true

  8. For Windows authentication, enter a JDBC URL similar to the following, enter credentials for the Horizon Windows service account, and then click Test Connection.
    jdbc:jtds:sqlserver://<hostname_or_IP_address:port#>/<database_name>;integratedSecurity=true;domain=<domainname>;useNTLMv2=true;multiSubnetFailover=true

  9. The top of the screen should say Connection test successful.
  10. Then click Continue.

  11. In the Setup Review page, click the link to log in to the Admin Console.

SSH – Enable Root Access

This is optional. Enabling root access lets you use root credentials when using WinSCP to connect to the appliance. Instructions can be found at VMware Blog Post Enabling SSH in Horizon Workspace Virtual Appliances.

  1. Putty to the Identity Manager appliance.
  2. Login as sshuser.
  3. Run su – and enter the root password.
  4. Run vi /etc/ssh/sshd_config.
  5. Scroll down to line 49 (PermitRootLogin).
  6. Press <i> on the keyboard to change to insert mode.
  7. Go to the end of the line and change no to yes.
  8. Press <ESC> to exit insert mode.
  9. Type :x to save the file and exit.
  10. Run /etc/rc.d/sshd restart.

Identity Manager Certificate

The Windows Connectors require the Identity Manager certificate to be trusted. Generate a new appliance certificate using a trusted Certificate Authority and install the certificate on the appliance.

  1. Login to the Identity Manager web page as the admin user in the System Domain.
  2. Switch to the tab named Appliance Settings.
  3. Click the Manage Configuration button.
  4. Login using the root password.
  5. On the left, click the page named Install SSL Certificates.
  6. On the right, click Choose File next to Import Certificate File.
  7. Identity Manager 19.03 and newer let you browse to a .pfx file instead of a PEM file.
  8. In the Password field, enter the .pfx password.
  9. Click Save.
  10. It will take several minutes for the certificate to be installed and the appliance to restart.

Load Balancing

Identity Manager can be cloned, clustered, load balanced, and globally load balanced as shown below. Source = Component Design: VMware Identity Manager Architecture in the VMware Workspace ONE and VMware Horizon Reference Architecture

To clone multiple Identity Manager appliances and load balance them, see one of the following:

Note: TLS 1.0 is disabled in Identity Manager 2.6 and newer. If your load balancer does not support TLS 1.2, then see 2144805 Enabling TLS 1.0 protocol in VMware Identity Manager 2.6.

  • NetScaler MPX/SDX added TLS 1.2 on the back end in 10.5 build 58.
  • NetScaler VPX added TLS 1.2 on the back end in 11.0 build 65.

Windows Connector

Identity Manager 19.03 and newer no longer include an embedded connector. Instead, build one or more Windows connectors.

  1. Load balance your Identity Manager appliances so the Connector can connect to the Load Balanced FQDN instead of a single Identity Manager appliance.
  2. Build one or more Windows machines on the internal network that will host the Windows connector. The Windows machines must be joined to the domain.
  3. The Identity Manager certificate must be trusted by the Connector servers.
  4. Login to the Identity Manager administration console through the load balanced FQDN as the admin user in the System Domain.
  5. On the top tabs, switch to Identity & Access Management.
  6. On the sub-menu bar, on the far right, click Setup.
  7. On the sub-menu bar, on the left, click Connectors.
  8. Click the blue Add Connector button.
  9. Give the Connector a name and click Generate Activation Code.
  10. Copy the Activation Code. You’ll need this later.
  11. On the Windows machine, run VMware_Identity_Manager_Connector_19.03.0.0_Installer.exe.
  12. In the Welcome to the Installation Wizard for VMware Identity Manager Connector page, click Next.
  13. In the License Agreement page, click I accept the terms, and then click Next.
  14. In the Destination Folder page, click Next.
  15. Click Yes when asked to install JRE.
  16. Don’t check Are you migrating your Connector and click Next.
  17. Review the hostname and click Next.
  18. Check the box next to Would you like to run the Connector Service as a domain user account. Enter service account credentials. And then click Next.

    • Some authentication methods require the Connector to run as a domain user account.
    • The service account must be added to the local Administrators group.
  19. In the Ready to Install the Program page, click Install.
  20. In the Installation Wizard Completed page, click Finish.
  21. Click Yes when prompted to open the admin console (https://idmc01.corp.local:8443/) for the Connector.
  22. If Windows Firewall is enabled, then add a rule to permit Inbound TCP 8443. This rule allows you to configure Authentication adapters from a remote machine.
  23. Try to use Chrome instead of Internet Explorer.
  24. In the Get Started page, click Continue.
  25. In the Set Passwords page, enter passwords, and then click Continue.
  26. In the Activate Connector page, paste in the Activation Code you got from the Identity Manager appliance and then click Continue.

    • If you see a message about unable to find a valid certificate, then you might have to paste in the Root CA certificate.
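The DNS Configuration section above requires a matching reverse pointer record for every appliance name, and the Windows Connector section requires the Identity Manager certificate to be trusted by the Connector server and inbound TCP 8443 permitted for remote configuration. The following PowerShell script, added here as an example and not part of the original post or of VMware’s installer, checks all three from the Connector server before you run the installer. The appliance names im01/im02/im03.corp.local, the load balanced name identity.corp.com and port 8443 are the values used in this post; $AdminSubnet and the firewall rule name are assumptions to adjust for your environment.

```powershell
# Added example (not VMware's code): pre-flight checks for a Windows Connector host.
# The names im01/im02/im03.corp.local, identity.corp.com and TCP 8443 come from the post;
# $AdminSubnet and the firewall rule name are assumptions to adjust for your environment.

$ApplianceNames     = @('im01.corp.local', 'im02.corp.local', 'im03.corp.local')
$LoadBalancedFqdn   = 'identity.corp.com'
$ConnectorAdminPort = 8443
$AdminSubnet        = '10.0.10.0/24'   # assumed management network allowed to reach :8443

function Test-ForwardReverseDns {
    param([Parameter(Mandatory)][string]$Name)
    # Forward lookup: every appliance and the load balanced name need an A record.
    $aRecords = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }
    if (-not $aRecords) {
        return [pscustomobject]@{ Name = $Name; IP = $null; PtrName = $null; Ok = $false; Reason = 'no A record' }
    }
    foreach ($rec in $aRecords) {
        # Reverse lookup: the PTR for that address must point back to the same name.
        $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
        $ptrName = if ($ptr) { $ptr.NameHost.TrimEnd('.') } else { $null }
        $ok = [bool]$ptrName -and ($ptrName -ieq $Name)
        if ($ok)          { $reason = 'forward and reverse match' }
        elseif ($ptrName) { $reason = 'PTR points to a different name' }
        else              { $reason = 'no PTR record' }
        [pscustomobject]@{ Name = $Name; IP = $rec.IPAddress; PtrName = $ptrName; Ok = $ok; Reason = $reason }
    }
}

function Test-ServerCertificateTrust {
    param([Parameter(Mandatory)][string]$Hostname, [int]$Port = 443)
    # Completes a TLS 1.2 handshake (TLS 1.0 is disabled on the appliance) and then asks
    # the local machine store whether it trusts the chain the appliance presented.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        return $true   # accept here so the certificate can be inspected; trust is evaluated below
    }
    $client = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Hostname, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Only chain trust is evaluated here; revocation is left to the Connector itself.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)   # $false when the issuing CA is not in the machine trust store
        [pscustomobject]@{
            Host        = $Hostname
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            DnsNames    = ($cert.DnsNameList.Unicode -join ', ')
            NotAfter    = $cert.NotAfter
            Protocol    = $ssl.SslProtocol
            Trusted     = $trusted
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }
    finally { $client.Close() }
}

function Set-ConnectorFirewallRule {
    param([int]$Port, [string]$RemoteAddress)
    # Inbound TCP 8443 is only needed to reach the Connector admin page from another machine,
    # so scope the rule to the domain profile and the management subnet instead of Any.
    $displayName = "VMware Identity Manager Connector admin TCP $Port"
    $rule = Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName $displayName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $RemoteAddress -Profile Domain -Action Allow
    }
    $rule
}

# Run the checks: DNS for every appliance and the load balanced name, then trust of the
# certificate presented behind the load balancer, then the admin-port firewall rule.
$dnsResults = foreach ($n in ($ApplianceNames + $LoadBalancedFqdn)) { Test-ForwardReverseDns -Name $n }
$dnsResults | Format-Table Name, IP, PtrName, Ok, Reason -AutoSize
Test-ServerCertificateTrust -Hostname $LoadBalancedFqdn | Format-List
Set-ConnectorFirewallRule -Port $ConnectorAdminPort -RemoteAddress $AdminSubnet |
    Select-Object DisplayName, Enabled, Profile, Direction, Action
```

Any row with Ok = False, or a Trusted = False result, should be fixed (DNS records or the Root CA in the machine store) before running the Connector installer, since the activation step later in this post fails with a certificate error otherwise.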

Configuration

  1. Login to the Identity Manager web page as the admin user in the System Domain.

    • Note: if you mis-configure Access Policies and lock yourself out of the main Identity Manager logon page, then add /SAAS/login/0 to the end of the URL (e.g. https://identity.corp.com/SAAS/login/0) to login directly to the System Domain.
  2. Switch to the Identity & Access Management tab.
  3. On the top right, switch to the Setup view.
  4. On the left, switch to the User Attributes sub-tab.
  5. Scroll down. Check the boxes next to distinguishedName and userPrincipalName. These are needed for Horizon.
  6. In the Add other attributes to use section, click the plus icon.
  7. Enter objectGUID.
  8. Click the green plus and add mS-DS-ConsistencyGuid. These are needed for Office 365 integration.
  9. Then click Save.
  10. On the top right, switch to the Manage view.
  11. On the Directories tab, click Add Directory > Add Active Directory over LDAP/IWA.
  12. Enter a Directory Name.
  13. Change it to Active Directory (integrated Windows Authentication).
  14. Select a Sync Connector. You can select more Sync Connectors later.
  15. Scroll down.
  16. Enter the LDAP Bind credentials. Click Save & Next.
  17. Select the domains you want to sync, and click Next.
  18. In the Map User Attributes page, scroll down, select any missing attribute, and click Next.
  19. In the Select the Groups page, click the plus icon to add a DN.
  20. Enter a Base DN in LDAP format, and click Find Groups.
  21. Click Select.
  22. Search for your Identity Users group and select it. Don’t select Domain Users since it won’t work.
  23. Click Next.
  24. In the Select the Users page, click Next.
  25. In the Review page, click Edit.
  26. Select a more frequent sync schedule, and click Save.
  27. Click Sync Directory.

  28. You can click the link to view the Sync log.
  29. You can also click the directory name, and then click Sync log to view the log.

  30. Sync Settings can be changed by clicking the button on the right.

Connector Outbound Mode

To enable Connector outbound mode (outbound ports only):

  1. Go to Identity & Access Management > Manage > Identity Providers.
  2. Click the link for the Built-in Identity Provider.
  3. In the Users section, check the box next to your directory.
  4. In the Network section, select a range.
  5. In the Connector(s) section, select the first connector and click Add Connector.
  6. If you have another connector for the same domain(s), select the second connector and click Add Connector.
  7. In the Connector Authentication Methods section, check the box next to Password (cloud deployment).
  8. Then click Save.
  9. In Identity & Access Management (Manage), click the Policies tab.
  10. Edit the default_access_policy_set.
  11. Click the link for the first rule.
  12. Next to then the user may authenticate using, change it to Password (cloud deployment). Then save the rule.
  13. Repeat for all other rules in the policy.
  14. Click Next and then click Save.

Sync Connector Redundancy

  1. In the Identity Manager console, in the Identity & Access Management page, switch to the Manage view, and click Identity Providers.
  2. Click the link for the Workspace Identity Provider.
  3. Scroll down. Select the second connector. Enter the Bind password. Click Add Connector.
  4. On the left, click the Directories link.
  5. Click the link for your Active Directory domain.
  6. On the right, click the Sync Settings button.
  7. Switch to the Sync Connectors tab.
  8. Select the second connector and click the plus icon.
  9. You can order the connectors in failover order. Click Save.

Sync Group Membership

By default, Identity Manager does not synchronize group members. You can force a sync.

  1. Go to Users & Groups > Groups.
  2. Notice that the groups are Not Synced. Click the link for a group.
  3. Switch to the Users tab. Then click the Sync Users button.

Logon Experience

  1. Go to Identity & Access Management > Setup > Preferences.
  2. On the bottom, Identity Manager 2.9.1 and newer lets you optionally hide the Domain Drop-Down menu. Then select the unique identifier that Identity Manager will use to find the user’s domain (typically UPN). Identity Manager 3.3 and newer can show a Domain Drop-Down if a unique domain cannot be identified.
  3. The user will be prompted to enter the unique identifier.

Administrators

Identity Manager 3.2 and newer:

  1. Go to the Roles tab.
  2. You can add a Role. See VMware Blog Post Introducing Role-Based Access Control (RBAC) in VMware Identity Manager 3.2.
  3. Select an existing role (e.g. Super Admin), and click Assign.
  4. Search for the user that you want to assign the role to. If the user doesn’t show up, then make sure you are syncing the user, or sync the members of a group that the user is a member of.
  5. Then click Save.

Identity Manager 3.1 and older:

  1. You can promote individual users (but not groups) to administrators. In the Admin console, on the top left, click the Users & Groups tab.
  2. Switch to the Users sub-tab.
  3. Click a username. Note: you might not see users until a group is assigned to a resource (e.g. Horizon Pool).
  4. Scroll down.
  5. In Identity Manager 3.1 and older, you can change the Role drop-down to Administrator. Click Save.

License

  1. Switch to the tab named Appliance Settings.
  2. On the left, click License.
  3. On the right, enter the license key, and click Save. A Horizon Advanced or Horizon Enterprise license key will work.

SMTP

  1. On the top, click the Appliance Settings tab.
  2. On the left, click the SMTP node.
  3. On the right, enter your mail server information, and click Save.

Kerberos Authentication

Kerberos lets users Single Sign-on to the Identity Manager web page. Some notes on Kerberos authentication:

  • It only works for Windows clients.
  • The clients connect to the Connectors, so the firewall must permit the inbound connection on TCP 443. Outbound only does not work with Kerberos.
    • For High Availability, load balance your Connectors.
  • The Connector (or load balancer) must have a valid, trusted certificate.
  • The Connector’s FQDN (or load balancer FQDN) must be in Internet Explorer’s Local Intranet zone.

Connector Certificate

To upload a certificate to the Connector:

  1. Point Chrome to https://myConnectorFQDN:8443/cfg
  2. Click the link for Appliance Configurator.
  3. Login using the Connector’s password.
  4. On the left is Install SSL Certificates.
  5. On the right is the tab named Server Certificate.
  6. Next to Import Certificate File, click Choose File.
  7. Identity Manager 19.03 and newer support .pfx files. If you select a .pfx, there’s no need to select a Private Key file.
  8. In the Password field, enter the password for the .pfx file.
  9. Click Save.
  10. It will take several minutes to install the certificate and restart the Connector service.

TCP 443 Inbound

TCP 443 must be opened inbound to the Connectors. You might have to add TCP 443 to a Windows Firewall rule.

Enable Kerberos authentication on the Connector

  1. Login to the Windows Connector machine.
  2. Go to C:\VMware\VMwareIdentityManager\Connector\usr\local\horizon\scripts.
  3. Right-click setupKerberos.bat and Run as administrator. (source = VMware 2149753 Run Script to Resolve Kerberos Initialization Error in VMware Identity Manager Connector on Windows)
  4. The script will prompt you for credentials that can create a user account in Active Directory.
  5. Login to the Identity Manager administration web page.
  6. On the top, go to the Identity & Access Management tab.
  7. On the right, change to the Setup view.
  8. On the left, click the Connectors sub-tab.
  9. Click the blue hostname link for the Connector.
  10. Switch to the Auth Adapters tab.
  11. You may enable Kerberos or other authentication adapters from this page by clicking the Adapter Name.
  12. Enter sAMAccountName as the Directory UID Attribute.
  13. Check the box next to Enable Windows Authentication.
  14. For High Availability, you can load balance your Connectors, check Enable Redirect, and then enter the load balanced FQDN.
  15. Click Save. The Authentication Adapters page will show it as Enabled.

Configure Policy to use Kerberos

  1. After enabling the Kerberos adapter, in Identity Manager 3.2 and newer, go to Identity & Access Management > Manage > Policies and click Network Ranges.

    • In Identity Manager 3.1 and older, go to Identity & Access Management > Setup > Network Ranges.
  2. Add a Network Range for internal networks if you haven’t already.
  3. Go to Identity & Access Management > Manage > Policies.
  4. In Identity Manager 3.2 and newer, click Edit Default Policy.

    • In Identity Manager 3.1 and older, click the link for default_access_policy_set.
  5. In Identity Manager 3.2 and newer, click Next to go to the Configuration page.
  6. Click Add Policy Rule. Or Click the plus icon to add a Policy Rule.

  7. Select a Network Range.
  8. For user is trying to access content from, set it to Web Browser.
  9. Identity Manager 2.9.1 adds an Edit Groups button to policy rules, which allows different authentication methods for different groups. When enabled, Identity Manager asks the user for username only, and then looks up group membership to determine which authentication methods should be used. See Configuring Access Policy Settings at VMware Docs.
  10. Select Kerberos as the first authentication method.
  11. Select Password as the second authentication method. Click Save or OK.

  12. Drag the new Policy Rule to move it to the top. Then click Next and Save.

Customize Appearance

  1. If you go to Identity & Access Management > Setup > Custom Branding, on the Names & Logos tab you can change the browser’s title and favicon.
  2. If you then switch to the Sign-In Screen page, you can upload a logo, upload an image, and change colors.
  3. If you go to Identity & Access Management > Manage > Password Recovery Assistant, you can configure a link to a password recovery tool, or change the Forgot password message.
  4. If you scroll down you can optionally Show detailed message to End User when authentication fails.
  5. Click Catalog, and then click Settings.
  6. On the left, click User Portal Branding.
  7. Make changes to Logos, colors, etc.

Resources

Horizon Administrator – Enable SAML Authentication

  1. Login to Horizon Administrator.
  2. On the left, under View Configuration, click Servers.
  3. On the right, switch to the Connection Servers tab.
  4. Select a Connection Server, and click Edit.
  5. On the Authentication tab, change Delegation of authentication to VMware Horizon to Allowed.
  6. Click Manage SAML Authenticators.
  7. Click Add.
  8. In the Label field, enter a descriptive label.
  9. In the Metadata URL field, enter the Identity Manager FQDN.
  10. In the Administration URL field, enter the Identity Manager FQDN, and click OK.
  11. If you see a certificate error, click View Certificate, and then click Accept.
  12. Or click OK if the server’s identity was verified.
  13. Click OK to close the Manage SAML Authenticators window.
  14. Horizon 7.2 adds a Workspace ONE mode, which forces all Horizon Clients to connect through Identity Manager instead of directly to the Connection Servers. Delegation of authentication must be set to Required before Workspace ONE mode can be enabled.
  15. The Horizon Administrator dashboard shows you the status of the SAML Authenticator under Other components.

Identity Manager – Virtual Apps Collection for Horizon View

If your Identity Manager is version 3.1 through 3.3, skip ahead to the instructions for 3.1 through 3.3.

If your Identity Manager is version 3.0 or older, skip ahead to the instructions for 3.0 and older.

If your Identity Manager is version 19.03 or newer:

  1. In the Identity Manager Admin Portal, click the Catalog tab, and then click Virtual Apps Collection.
  2. If you see Introducing Virtual Apps Collection page, click Get Started.
  3. Click the SELECT link in the Horizon box.
  4. Give the Horizon Connection a name.
  5. Arrange the Sync Connector appliances in priority order. Click Next.
  6. Click Add a Pod.
  7. Enter the FQDN of a Connection Server in the Pod.
  8. Enter Horizon View admin credentials in UPN format. The account needs at least Read Only Administrator access to Horizon.
  9. Click Add.
  10. You can optionally add more pods and then enable the Cloud Pod Architecture option. Click Next when done.
  11. Change the Sync Frequency as desired.
  12. Click Next when done.
  13. Click Save & Configure Network Range. The connection is tested at this time.
  14. The URLs for accessing Horizon are defined in each Network Range. For each URL, create Network Ranges. Or click All Ranges.
  15. Near the bottom, in the Client Access FQDN field, enter the FQDN that users in this Network Range use to login to Horizon. Then click Save. Note: the Horizon FQDN is different than the Identity Manager FQDN.
  16. After the Horizon Virtual Apps Collection is added, select it, and click Sync.

    • Note: whenever you make a change to the pools in Horizon Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync.
  17. In the Calculating Sync Actions page, click Save.
  18. If you go to Catalog > Virtual Apps, you will see your synced Application and Desktop pools.
  19. Skip ahead to the Horizon Pools Catalog section.

Identity Manager 3.1 through Identity Manager 3.3

Horizon Connection (Virtual Apps Collection) instructions for Identity Manager 3.1 through Identity Manager 3.3:

  1. In the Identity Manager Admin Portal, click the Catalog tab, and then click Virtual Apps.
  2. On the top right, click Virtual App Configuration.
  3. If you see Introducing Virtual Apps Collection page, click Get Started.
  4. On the top right, click Add Virtual Apps, and then click Horizon View On-Premises.
  5. In the Horizon View On-Premises page, configure the following:
    1. Give the Horizon Connection a name.
    2. Choose a Sync Connector appliance.
    3. Enter the FQDN of a Connection Server in the Pod.
    4. Enter Horizon View admin credentials in UPN format. The account needs at least Read Only Administrator access to Horizon.
    5. Scroll down.
    6. Notice the link to Add Horizon Pod. This is for Cloud Pod Architecture.
    7. Check the box next to Perform Directory Sync.
    8. Change the Sync Frequency as desired.
    9. Activation Policy can be Automatic or User-Activated. User-Activated means users have to go to the App Center to add the icons to the My Apps portal.
    10. Click Save when done.
  6. After the Horizon connection is added, on the right side of the screen, click Sync.
    • Note: whenever you make a change to the pools in View Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync Now.
  7. In the Calculating Sync Actions page, click Save.
  8. Click the blue Refresh link until the sync is completed.
  9. If you go to Catalog > Virtual Apps, you will see your synced Application and Desktop pools.
  10. Skip ahead to the Horizon Pools Catalog section.

Identity Manager 3.0 and older

Horizon Connection Instructions for Identity Manager 3.0 and older:

  1. In the Identity Manager Admin Portal, click the Catalog tab, and then click Application Catalog.
  2. Click Manage Desktop Applications, and then click Horizon View On-Premises.
  3. Click one of the connectors.
  4. Check the box next to Enable Horizon View Applications and Desktops.
  5. Enter the address of a Horizon Connection Server (or load balanced FQDN). Note: reverse IP lookup must be functional for this DNS name.
  6. Enter View Administrator credentials in userPrincipalName format. The account needs at least Read Only Administrator access to Horizon.
  7. Notice the link to Add Horizon Pod. This is for Cloud Pod Architecture.
  8. Deployment Type can be Automatic or User-Activated. User-Activated means users have to go to the App Center to add the icons to the My Apps portal.
  9. Specify the Viewpool sync frequency, and click Save. New pools created in Horizon Administrator don’t show up in Identity Manager until a sync is performed.
  10. Near the top of the screen you might see red text. Click Invalid SSL Cert.
  11. In the Certificate Information page, click Accept.
  12. Near the bottom of the page click Sync Now. Note: whenever you make a change to the pools in View Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync Now.
  13. If sync fails, see VMware 2091744 Synchronizing VMware Horizon View Pool in Workspace Portal fails with the error: Failed to complete View sync due to a problem with the View Connection Server.
  14. Then click Save and Continue. Note: whatever groups are entitled to Horizon Pools and Applications must also be synced (Active Directory) with Identity Manager.

Horizon Pools Catalog

  1. In the Identity Manager Admin console, at Catalog > Virtual Apps, you can see the Horizon View icons. Only the pools in the root Access Group are synced.
  2. Click an icon and then click View Assignments.
  3. Make sure entitlements are listed. Entitlements are defined in Horizon Administrator, and not in Identity Manager. Identity Manager merely syncs the entitlements from Horizon.
  4. Only AD groups synced to Identity Manager will be displayed. Domain Users won’t sync to Identity Manager (it is a primary group, so its membership is not stored in the group’s member attribute that directory sync reads), so entitle the Horizon pools to AD groups other than Domain Users.
  5. If you make changes in Horizon Administrator, then manually sync the Virtual Apps Collection so the changes are reflected in Identity Manager.
  6. Back in the Virtual Apps list, if you check the box next to one of the icons, you can place the icon in a Category by clicking the Categories menu.
    • You can select one or more existing categories.
    • Or type in a new category name at the top of the list.
  7. The category is then displayed next to the catalog item.
  8. Identity Manager 3.1 adds a Recommended category.

  9. In Identity Manager 3.2 and newer, go to Catalog > Settings.
  10. On the left, click User Portal Configuration.
  11. From this screen, you can control tab visibility, and put recommended apps in the Bookmarks tab. Click Save when done.

Separate Horizon View Connection Server groups (e.g. multi-datacenter) can be configured in failover order. See Configure Failover Order of Horizon View and Citrix-based Resources at VMware Docs.

Identity Manager – Horizon URLs

The URL used to launch a Horizon icon from Identity Manager can be different for each Network Range. For internal users, the URL should point to the load balanced VIP for the Connection Servers. For external users, the URL should point to load balanced Unified Access Gateways.

In Identity Manager 19.03 and newer:

  1. Go to Catalog > Virtual Apps Collection.
  2. Click the link for a Virtual Apps Collection.
  3. Click Edit Network Range.
  4. Click an existing Network Range, or create a new one.
  5. Near the bottom, in the Client Access FQDN field, enter the FQDN that users on this Network Range should use to access Horizon. Then click Save. Note that the FQDN for Horizon is different from the FQDN for Identity Manager; the Client Access FQDN must resolve to the Connection Servers or Unified Access Gateways, not to the Identity Manager appliance.

In Identity Manager 3.3 and older:

  1. In the Identity Manager administrator interface, go to Identity & Access Management (Manage) > Policies sub-tab > Network Ranges.

    • Before 3.2, this was located under Identity & Access Management > Setup view > Network Ranges.
  2. You can edit the default ALL RANGES, or add a new Network Range.


  3. In Identity Manager 3.1 and older, you can specify the Horizon URL for the IP range from here. You can have different Horizon Client Access URLs for different IP ranges (e.g. internal vs external). For external users, the URL points to Access Points or Horizon Security Servers.
  4. In Identity Manager 3.2 and newer, after creating the Network Ranges, go to Catalog > Virtual Apps.
  5. On the top right, click Virtual App Settings.
  6. Click a Network Range.
  7. In the Client Access URL Host field, enter the FQDN that resolves to the internal Connection Server load balancer, or the external Unified Access Gateway load balancer. Then click Finish.
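The selection logic described above, as an added example that is not VMware’s code: a small Python model of how Identity Manager picks the Horizon Client Access FQDN for a client. Each Network Range is an inclusive IPv4 start/end pair carrying its own FQDN, ALL RANGES is the catch-all, and the most common misconfigurations (overlapping specific ranges, inverted bounds, and a Client Access FQDN that points at Identity Manager itself instead of Horizon) are reported by a lint function. All hostnames and address ranges below are constructed for illustration, and treating two overlapping specific ranges as an error is this example’s assumption, not documented product behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NetworkRange:
    """One Identity Manager Network Range: an inclusive IPv4 start/end pair
    plus the Horizon Client Access FQDN handed to clients in that range."""
    name: str
    start: str
    end: str
    client_access_fqdn: str

    def _bounds(self) -> Tuple[int, int]:
        return int(ipaddress.IPv4Address(self.start)), int(ipaddress.IPv4Address(self.end))

    def contains(self, ip: str) -> bool:
        lo, hi = self._bounds()
        return lo <= int(ipaddress.IPv4Address(ip)) <= hi

    def overlaps(self, other: "NetworkRange") -> bool:
        lo, hi = self._bounds()
        olo, ohi = other._bounds()
        return lo <= ohi and olo <= hi


# Constructed sample configuration; every hostname here is hypothetical.
IDM_FQDN = "idm.example.com"                       # the Identity Manager appliance / VIP
ALL_RANGES = NetworkRange("ALL RANGES", "0.0.0.0", "255.255.255.255",
                          "horizon-ext.example.com")   # UAG load balancer for anyone not matched below
RANGES = [
    NetworkRange("Corp LAN", "10.0.0.0", "10.255.255.255", "horizon.corp.example.com"),       # Connection Server VIP
    NetworkRange("Branch offices", "172.16.0.0", "172.16.255.255", "horizon.corp.example.com"),
]


def select_client_access_fqdn(client_ip: str, ranges: List[NetworkRange], default: NetworkRange) -> str:
    """Return the Horizon FQDN a client at client_ip would be launched against.
    A specific range wins over the ALL RANGES default; more than one specific
    range matching the same address is treated as a configuration error
    (assumption made by this example)."""
    matches = [r for r in ranges if r.contains(client_ip)]
    if len(matches) > 1:
        raise ValueError(f"{client_ip} matches several ranges: {[r.name for r in matches]}")
    return (matches[0] if matches else default).client_access_fqdn


def lint_ranges(ranges: List[NetworkRange], idm_fqdn: str) -> List[str]:
    """Report inverted bounds, overlapping specific ranges, and a Client
    Access FQDN that is the Identity Manager FQDN (Horizon launches would
    then be sent to the wrong service)."""
    findings = []
    for r in ranges:
        lo, hi = r._bounds()
        if lo > hi:
            findings.append(f"{r.name}: start {r.start} is after end {r.end}")
        if r.client_access_fqdn.lower() == idm_fqdn.lower():
            findings.append(f"{r.name}: Client Access FQDN is the Identity Manager FQDN")
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{a.name} overlaps {b.name}")
    return findings


if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.16.5.9", "203.0.113.7"):
        print(ip, "->", select_client_access_fqdn(ip, RANGES, ALL_RANGES))
    for finding in lint_ranges(RANGES, IDM_FQDN):
        print("WARN", finding)
```

Run it against an export of your own ranges before changing them in the console: an internal address that resolves to the UAG FQDN, or an external one that resolves to the internal Connection Server VIP, is exactly the failure users report as “the icon does nothing”.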

Identity Manager User Portal

The User Portal is the interface that non-administrators see after logging in. Administrators can switch to the User Portal by clicking the username on the top right and clicking User Portal.

Administrators in the User Portal can switch to the Administration Console by clicking the username on the top right.

Some User Portal features:

  1. When a user logs in to the Identity Manager web page, the pool icons are displayed.
  2. When the user clicks an icon, the pool can open in either the Horizon Client or the browser (HTML Access). To set the default launch method:
    1. On the top right, click your name, and click Settings.
    2. On the left, click Preferences.
    3. Make your choice and click Save.
    4. The Horizon Client option has a link to download and Install the Horizon Client.
  3. Back in the icons list, when the user clicks Open next to an icon, there’s a link to Install the Horizon Client.
  4. To mark an icon as a Bookmark, click the bookmark icon next to each app.
  5. Or click an app icon to open the app’s Description page, and then click Bookmark.
  6. Then you can click Bookmarks tab to display only icons that are marked as Bookmarks.
  7. If you configured Categories, they are listed in the left side of the page. When you click a category, only the icons in that category are displayed.

139 thoughts on “VMware Identity Manager 19.03.0.0”

  1. Got a question that I’m hoping you might be able to answer:-)

    I’ve got an IDM Cluster in the DMZ and an IDM Connector in the LAN. IDM is behind a load balancer in the DMZ along with UAG that is handling Horizon.

    I would like a single access point into all services using IDM (mainly so I only have a single UI to brand). In the past IDM would be in the LAN and we’d use UAG to reverse proxy it, and when both Horizon and IDM are configured on the same UAG then going to either the IDM or Horizon URL takes you to IDM.

    I want to do the same thing where Horizon is sort of masked behind IDM on UAG.

    I found this passage in the vidm-install.pdf

    VMware Unified Access Gateway 2.8 and later supports reverse proxy functionality to allow users to securely access the VMware Identity Manager unified catalog remotely. Unified Access Gateway can be deployed in the DMZ behind the load balancers frontending the VMware Identity Manager appliance.

    Now this makes it sound like it’s a supported topology where IDM and UAG are in the DMZ and both using the same load balancer, and that I can configure UAG to reverse proxy IDM and achieve the setup I desire, but I’m looking to make sure this is a supported configuration, as right now IDM and UAG have their own public IPs and UAG is only managing access to Horizon.

    Thanks

    1. You can place the Connection Servers into Workspace ONE mode. This will stop users going directly to the View Connection Server URL and redirect them to the vIDM instance for them to authenticate there, then be SSO’d to a Desktop in Horizon.

      You know the bit in the Horizon Console (under each Connection Server) where you configure the SAML Authenticator? On the drop-down next to that section click “Required” and you will be asked to put in a URL. Put the vIDM VIP URL.

      1. I’ve given that a try and didn’t like it. I have a folder structure on the Desktop and Start Menu for Horizon, and when in Workspace ONE mode it looks to break that and all you get is the webpage to select the needed app. I only want to force Horizon HTML Access through IDM; that way they see other web-based apps and Horizon apps all in a single console.

        I might be asking for too much currently.

        1. Yes, placing vIDM into the picture takes out shortcuts. That piece is documented along with the other features that are rendered useless or not supported while using vIDM. Pain in the ass, I know!

          There’s no way that I know of to redirect only HTML traffic to vIDM and have Blast/PCoIP go direct to the Connection Brokers. I don’t even think doing funky non-standard port config will work.
