Stikkordarkiv: Single Sign-On

How to enable true SSO for vRealize suite logins

If you have vRealize Suite license it is a good chance that you have deployed a vRealize Suite Lifecycle Manager and the included Identity Manager appliance. If not you probably should! You will have a nice portal for all your vRealize URLs with SSO, but you do not have true SSO all the way from your windows client to your vRealize applications. Users still have to login to the portal each time they want to use it. Here is a quick write up on how to enable kerberos authentication to achieve true SSO.

Attention
If you have vIDM 3.3.3 and 3.3.4 this feature is not working with the embedded connector. please upgrade to 3.3.5 where it is working again.

In this blog I will walk you through how to setup true SSO, but first to some prerequisites.

vIDM portal

Prerequisites

How to setup true-SSO in VMware Identity Manager

If all prerequisite are met we can start the setup. But before we can configure the adapter we need to join the appliance to the domain. Login to your Identity Manager with admin user and go to Identity & Access Management and then Setup

Under Available Actions click Join Domain and Insert username and password to join the domain. You can leave Organizational unit (OU) of domain to join blank or
If you want the machine placed directly in the correct OU, just add the details for your environment. Example: OU=Computers,OU=LAB,DC=lab,DC=vedaa,DC=net

When that is done we can continue and enable KerberosIdpAdapter
Make sure you still are at Identity & Access Management and Setup as before.
Under Worker click on your appliance FQDN and then Auth Adapters

Now click on KerberosIdpAdapter check the box Enable Windows Authentication and click Save. Close the current browser tab.

Go back to Identity & Access Management but this time stay on Manage and click on Policies. Select the default_access_policy_set and click edit

Click next og 2 Configuration and then click on All Ranges (Device Type Web Browser)

Edit the policy by first clicking ADD FALLBACK METHOD. Then change the order of the logins as shown below. First Kerberos then Password and last Password (Local Directory) then click Save, and then Next and Save.

True SSO should now be working form the VMware side of things. If it is not working take a look at thees additional steps.

Additional settings

Here is some additional steps you might need to perform if it is not working. First make sure that vIDM URL is part of local intranet zone. If it is not add it by following thees steps.

In Windows search for Internet Options
In Internet Options, click the Security tab.
On the Security page, select Local intranet.
Click Sites and add your vIDM URL to the list of websites.

It it is still not working verify that Integrated Windows Authentication is enabled.

In the Internet Options window, click the Advanced tab. In the Settings list, under Security, select Enable Integrated Windows Authentication.

Reference

https://docs.vmware.com/en/VMware-Workspace-ONE-Access/3.3/rn/VMware-Identity-Manager-335-Release-Notes.html

Passord fri hverdag med VMware Workspace One Access

Workspace One

Jeg har enda tilgode å møte noen som syntes det er gøy å logge inn i mange forskjellige løsninger. Man kunne håpet at man var kommet lenger, men dessverre er det fremdeles mange som må slite med en haug med forskjellige brukernavn og passord.

For noen dager siden fikk jeg en god opplevelse ved å få på plass full «Single Sign-On» fra Windows klient via portal og inn applikasjonen uten å oppgi et eneste bruksnavn eller passord. Produktet benyttet heter VMware Workspace One Access.

Workspace ONE Access kan settes opp i eget datasenter eller kjøpes som en SAAS tjeneste fra VMware.

Katalogen

Workspace ONE Access applikasjonen inneholder en katalog man kan fylle med snarveier til alle selskapets applikasjoner og desktops. Den støtter interne og eksterne nettsider, Citrix Publiserte Applikasjoner samt Horizon desktops lokalt eller i skyen.

Løsningen Inneholder også over 100 ferdig konfigurerte SAAS tjenester for SAML mot tjenester som Office 365, Google Apps, Dropbox, AWS, Salsforce, Webex m.m.

I tillegg til SAML 2.0 og 1.1 støtter den også WSFed 1.2 og OpenID Connect mot tjenesten du skal ta inn i løsningen og på andre siden kan den kobles mot AD, ADFS, AAD, Okta, og Ping. Dette gjør at man kan skape en bro mellom flere identitets kilder og applikasjoner og på den måten kunne gi passord fri tilgang til brukene gjennom Workspace One portalen.

Under er et bilde av hvordan samlingen av linker og applikasjoner kan se ut. Her brukt sammen med vRealize Suite Lifecycle Manager for å samle å gi passord fri tilgang til disse VMware tjenestene.

Samling av snarveier i Workspace ONE Access katalogen med Single Sign-on til alle vRealize produktene og NSX.

Man kan også enkelt styre tilgang til hver enkelt link, sette på godkjenning for utvalte programmer og begrense tilgang til spesifikke applikasjoner basert på forskjellige kriterier. Det er også støtte for MFA.

Hva mer kan Workspace ONE Access?

Det er mye mer Workspace One Access kan brukes til som jeg ikke har vært innom her, se video under for en dyperer gjennomgang.

VMware Workspace One Access: End-User Experience – Feature Walk-Through

VMware Workspace ONE Access: End-User Experience – Feature Walk-through

Gratis prøveperiode ut Juli 2020 pga Korona

VMware gir for tiden utvidet testperiode for dem som ønsker å prøve ut Workspace One
https://www.vmware.com/solutions/business-continuity.html

Dokumentasjon

Produktsidenhttps://www.vmware.com/products/workspace-one/access.html
TechZonehttps://techzone.vmware.com/resource/workspace-one
VMware Docs https://docs.vmware.com/en/VMware-Workspace-ONE-Access/index.html

How to configure SSO web links in VMware Identity Manager Catalog for vRealize Suite Lifecycle Manager imported products

When you deploy a product from vRSLCM its single sign-on link is automatically created in the Identity manager catalog. But if you import an existing vRealize product it will not. Bummer! Or that being said I have not tested importing solutions that already had vIDM configured for authentication without the catalog entry.

Anyways if you have imported an existing product into vRSLCM and you are missing the SSO link in your catalog. This is how I fixed it (don’t know if this is the official way)

First you need to enable login with identity manager for the product you want to configure SSO for. When that is done and working do the following for the different products.

vRealize Network Insight

Right click on the login button and copy the URL. You will get something like the url listed under. You just need to fix the URL in the end to be like mine but with your vRNI link.

https://YOUR.IDENTITYMANAGER.FQDN/SAAS/auth/oauth2/authorize?response_type=code&client_id=YOURID_auth_grant&scope=openid+user+email&redirect_uri=http://YOUR.VRNI.FQDN/#home

vRealize Operations Manager

For the vROPS I was not able to use get the correct URL in the same way, here I used F12 in Google Chrome and recorded my login. I found the correct URL on the first line «authorize?response_type=…………..» and It should look something like this.

https:/your.identitymanager.fqdn/SAAS/auth/oauth2/authorize?response_type=code&client_id=yourid&redirect_uri=https://your.vrops.fqdn/ui/vidmClient/vidm

Add SSO weblink to Identity Manager Catalog

When you got the URL go into your Identity managers Administrator Console and under Catalog and Web Apps create a new web link.
In the Configuration menu choose Authentication Type «Web Application Link» and in Target URL insert the URL you copied from vRealize Network Insight login screen.