Manual Chapter : Integrating APM with VMware Identity Manager

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0
Manual Chapter

Integrating APM with VMware Identity Manager

Overview: Processing VDI traffic for VMware Identity Manager

You can configure Access Policy Manager (APM) so that when users launch certain VDI resources (VMware View or Citrix applications) from a VMware Identity Manager portal, the traffic from those resources goes through APM.
APM supports processing traffic for VDI resources launched from VMware Identity Manager with this configuration only:
  • An access profile configured for LTM+APM.
  • Form-based SSO.
APM does not support SSL offloading in this configuration.

Task summary

VMware Identity Manager and DNS configuration requirements

To integrate Access Policy Manager (APM) with VMware Identity Manager, you need to meet configuration requirements that are external to APM:
  • VMware Identity Manager must be configured to point to no more than one View pod.
  • VMware Identity Manager should be configured with a short-lived SAML artifact. The default is 5 minutes.
  • The FQDN for the virtual server that you configure to process SSL traffic from APM to VMware Identity Manager must be the same as the FQDN for VMware Identity Manager.

Configuring forms-based SSO for VMware Identity Manager

You configure form-based SSO with the settings specified in this procedure to meet Access Policy Manager (APM) requirements for integration with VMware Identity Manager.
  1. On the Main tab, select
    Access
    Single Sign-On
    Form Based
    .
    The Form Based screen opens.
  2. Click
    Create
    .
    The New SSO Configuration screen opens.
  3. In the
    Name
    field, type a name for the SSO configuration.
    The maximum length of a single sign-on configuration is 225 characters, including the partition name.
  4. For
    Use SSO Template
    , select
    None
    .
    The screen refreshes to display additional settings.
  5. In the Credentials Source area, retain the default values for the settings.
  6. In the SSO Configuration area, for
    Start URI
    type this string:
    /hc/t/*
    .
  7. For
    Pass Through
    , select
    Enable
    .
  8. For
    Form Method
    , retain the default value
    POST
    .
  9. For
    Form Parameter For User Name
    , type
    username
    .
  10. For
    Form Parameter for Password
    , type
    password
    .
  11. For
    Successful Logon Detection Match Type
    , select
    By Resulting Redirect URL
    .
  12. For
    Successful Logon Detection Match Value
    , type
    /SAAS/apps/*
    .
  13. Click
    Finished
    .

Configuring an access profile for VMware Identity Manager

You configure an access profile to support the LTM-APM profile type and with single domain SSO to meet Access Policy Manager (APM) requirements for integration with VMware Identity Manager.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click
    Create
    .
    The New Profile screen opens.
  3. In the
    Name
    field, type a name for the access profile.
    A access profile name must be unique among all access profile and any per-request policy names.
  4. From the
    Profile Type
    list, select
    LTM-APM
    or
    All
    .
    The
    LTM-APM
    profile type supports web access management configuration. The
    All
    profile type supports
    LTM-APM
    .
    Additional settings display.
  5. In the SSO Across Authentication Domains (Single Domain mode) area:
    1. For
      SSO Configuration
      , select the form-based SSO configuration you created for VMWare Identity Manager earlier.
    2. Retain default settings for
      Domain Cookie
      (blank) and
      Cookie Options
      (with only the
      Secure
      check box selected).
  6. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  7. Click
    Finished
    .

Configuring an access policy for SSO

To support SSO, you configure an access policy with any type of authentication that Access Policy Manager (APM) supports and you cache credentials with SSO Credentials Mapping.
This example uses Active Directory authentication.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Logon tab, select
    Logon Page
    and click the
    Add Item
    button.
    The Logon Page Agent properties screen opens.
  5. Click
    Save
    .
    The properties screen closes and the policy displays.
  6. On a policy branch, click the
    (+)
    icon to add an item to the policy.
  7. On the Authentication tab, select
    AD Auth
    .
    A properties screen displays.
  8. For
    Server
    , select one from the list.
    Active Directory authentication servers are configured in the
    Access
    Authentication
    area of the Configuration utility.
  9. Click
    Save
    .
    The properties screen closes and the policy displays.
  10. On a policy branch, click the
    (+)
    icon to add an item to the policy.
  11. On the Assignment tab, select
    SSO Credential Mapping
    and click
    Add Item
    .
    A properties screen opens.
  12. Click
    Save
    .
    The properties screen closes and the policy displays.
Click the
Apply Access Policy
link to apply and activate your changes to this access policy.

Creating a pool for VMware Identity Manager

You create a pool to specify the VMware Identity Manager to integrate with Access Policy Manager (APM).
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
    field, type a unique name for the pool.
  4. In the Resources area, using the
    New Members
    setting, add the VMware Identity Manager that you want to include in the pool:
    1. Type an IP address in the
      Address
      field, or select a node address from the
      Node List
      .
    2. In the
      Service Port
      field, type
      443
      , which is the default; otherwise, type the port number configured for your VMware Identity Manager.
    3. Click
      Add
      .
  5. Click
    Finished
    .
The new pool appears in the Pools list.

Configuring an HTTPS virtual server

Before you start, you need to have configured a connectivity profile in Access Policy Manager (APM). (Default settings are acceptable.)
You create this virtual server for SSL traffic from APM to VMware Identity Manager.
This is one of two virtual servers that you must configure to process traffic for VMware Identity Manager. Use the same destination IP address for each one.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Destination Address
    field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the
    Service Port
    field, type
    443
    or select
    HTTPS
    from the list.
  6. From the
    HTTP Profile (Client)
    list, select a previously-created HTTP/2 profile for client-side traffic.
  7. For the
    SSL Profile (Client)
    setting, in the
    Available
    box, select a profile name, and using the Move button, move the name to the
    Selected
    box.
  8. For the
    SSL Profile (Server)
    setting, select
    pcoip-default-serverssl
    .
  9. From the
    Source Address Translation
    list, select
    Auto Map
    .
  10. In the Access Policy area, from the
    Access Profile
    list, select the access profile that you configured earlier.
  11. From the
    Connectivity Profile
    list, select the connectivity profile.
  12. From the
    VDI Profile
    list, select a VDI profile.
    You can select the default profile,
    vdi
    .
  13. Locate the Resources area of the screen and from the
    Default Persistence Profile
    list, select one of these profiles:
    • cookie
      - This is the default cookie persistence profile. Cookie persistence is recommended.
    • source_addr
      - This is the default source address translation persistence profile. Select it only when the cookie persistence type is not available.
  14. For
    Default Pool
    , select the pool you configured earlier.
  15. Click
    Finished
    .

Configuring a UDP virtual server for PCoIP traffic

Before you start, you must have configured a virtual server to process HTTPS traffic. You need to know the destination IP address of that virtual server.
You create this virtual server to support a PC over IP (PCoIP) data channel for View Client traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Destination Address
    field, type the IP address.
    Type the same IP address as for the virtual server that processes HTTPS traffic
  5. In the
    Service Port
    field, type
    4172
    .
  6. From the
    Protocol
    list, select
    UDP
    .
  7. From the
    Protocol Profile (Client)
    list, select a predefined or user-defined UDP profile.
  8. From the
    Source Address Translation
    list, select
    Auto Map
    .
  9. In the Access Policy area, from the
    VDI Profile
    list, select a VDI profile.
    You can select the default profile,
    vdi
    .
  10. Click
    Finished
    .

Configuring a UDP virtual server for Blast Extreme traffic

Before you start, you must have configured a virtual server to process HTTPS traffic. You need to know the destination IP address of that virtual server.
You create this virtual server to support a Blast Extreme data channel for View Client traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Destination Address
    field, type the IP address.
    Type the same IP address as for the virtual server that processes HTTPS traffic
  5. In the
    Service Port
    field, type
    8443
    .
  6. From the
    Protocol
    list, select
    UDP
    .
  7. From the
    Protocol Profile (Client)
    list, select a predefined or user-defined UDP profile.
  8. From the
    Source Address Translation
    list, select
    Auto Map
    .
  9. In the Access Policy area, from the
    VDI Profile
    list, select a VDI profile.
    You can select the default profile,
    vdi
    .
  10. Click
    Finished
    .

VMware clients and APM integration with VMware Identity Manager

For launching VMware View resources from VMware Identity Manager, Access Policy Manager® (APM) supports the VMware Horizon View client on the desktop and on mobile platforms (iOS and Android) for Blast and PCoIP protocols.
APM does not support the Horizon HTML5 client for launching VMware View resources from VMware Identity Manager.