Manual Chapter: Integrating APM with VMware Identity Manager
Applies To: BIG-IP APM 17.1.1, 17.1.0, 17.0.0
Overview: Processing VDI traffic for VMware Identity Manager
You can configure Access Policy Manager (APM) so that when users launch certain VDI resources (VMware View or Citrix applications) from a VMware Identity Manager portal, the traffic from those resources goes through APM.
APM supports processing traffic for VDI resources launched from VMware Identity Manager with this configuration only:
- An access profile configured for LTM+APM.
- Form-based SSO.
APM does not support SSL offloading in this configuration.
VMware Identity Manager and DNS configuration requirements
To integrate Access Policy Manager (APM) with VMware Identity Manager, you need to meet configuration requirements that are external to APM:
- VMware Identity Manager must be configured to point to no more than one View pod.
- VMware Identity Manager should be configured with a short-lived SAML artifact. The default is 5 minutes.
- The FQDN for the virtual server that you configure to process SSL traffic from APM to VMware Identity Manager must be the same as the FQDN for VMware Identity Manager.
Configuring form-based SSO for VMware Identity Manager
You configure form-based SSO with the settings specified in this procedure to meet Access Policy Manager (APM) requirements for integration with VMware Identity Manager.
- On the Main tab, open the Form Based SSO configuration list. The Form Based screen opens.
- Click Create. The New SSO Configuration screen opens.
- In the Name field, type a name for the SSO configuration. The maximum length of a single sign-on configuration name is 225 characters, including the partition name.
- For Use SSO Template, select None. The screen refreshes to display additional settings.
- In the Credentials Source area, retain the default values for the settings.
- In the SSO Configuration area, for Start URI, type this string: /hc/t/*.
- For Pass Through, select Enable.
- For Form Method, retain the default value POST.
- For Form Parameter For User Name, type username.
- For Form Parameter For Password, type password.
- For Successful Logon Detection Match Type, select By Resulting Redirect URL.
- For Successful Logon Detection Match Value, type /SAAS/apps/*.
- Click Finished.
Configuring an access profile for VMware Identity Manager
You configure an access profile with the LTM-APM profile type and with single-domain SSO to meet Access Policy Manager (APM) requirements for integration with VMware Identity Manager.
- On the Main tab, open the Access Profiles (Per-Session Policies) list. The Access Profiles (Per-Session Policies) screen opens.
- Click Create. The New Profile screen opens.
- In the Name field, type a unique name for the access profile.
- From the Profile Type list, select LTM-APM or All. The LTM-APM profile type supports web access management configuration. The All profile type also supports LTM-APM. Additional settings display.
- In the SSO Across Authentication Domains (Single Domain mode) area:
  - For SSO Configuration, select the form-based SSO configuration you created for VMware Identity Manager earlier.
  - Retain the default settings for Domain Cookie (blank) and Cookie Options (with only the Secure check box selected).
- In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest-priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
- Click Finished.
Configuring an access policy for SSO
To support SSO, you configure an access policy with any type of authentication that Access Policy Manager (APM) supports, and you cache credentials with SSO Credential Mapping. This example uses Active Directory authentication.
- On the Main tab, open the Access Profiles (Per-Session Policies) list. The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
- Click Save. The properties screen closes and the policy displays.
- On a policy branch, click the (+) icon to add an item to the policy.
- On the Authentication tab, select AD Auth. A properties screen displays.
- For Server, select one from the list. Active Directory authentication servers are configured elsewhere in the Configuration utility.
- Click Save. The properties screen closes and the policy displays.
- On a policy branch, click the (+) icon to add an item to the policy.
- On the Assignment tab, select SSO Credential Mapping and click Add Item. A properties screen opens.
- Click Save. The properties screen closes and the policy displays.
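The two procedures above (the form-based SSO configuration and the access policy that ends in SSO Credential Mapping) describe a flow that is easier to reason about as code. The following is an added example, not F5 code: it models the Logon Page, SSO Credential Mapping and form-based SSO steps as plain functions over a session-variable dictionary. The session variable names session.logon.last.* and session.sso.token.last.* are the standard APM names; the assumption that Start URI and redirect match values use shell-style wildcard matching, and that the policy items reduce to these functions, is mine.

```python
"""Model of the APM form-based SSO flow configured on this page.

Added example, not F5 code. Assumptions: wildcard values such as /hc/t/*
are matched shell-style (fnmatch), and policy items are plain functions.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlencode, urlsplit

# Values taken from the procedures on this page.
START_URI = "/hc/t/*"
FORM_USER_PARAM = "username"
FORM_PASS_PARAM = "password"
SUCCESS_REDIRECT = "/SAAS/apps/*"


def logon_page(session, username, password):
    """Logon Page agent: record what the user typed in session.logon.last.*."""
    session["session.logon.last.username"] = username
    session["session.logon.last.password"] = password


def sso_credential_mapping(session):
    """SSO Credential Mapping agent (default mapping): copy the cached logon
    credentials into the SSO token variables that SSO methods read."""
    session["session.sso.token.last.username"] = session["session.logon.last.username"]
    session["session.sso.token.last.password"] = session["session.logon.last.password"]


def start_uri_matches(request_path):
    """True when a request path triggers form-based SSO (Start URI /hc/t/*)."""
    return fnmatchcase(request_path, START_URI)


def build_sso_post(session):
    """Body of the POST that form-based SSO sends to the application's logon
    form, using the form parameter names configured above."""
    return urlencode({
        FORM_USER_PARAM: session["session.sso.token.last.username"],
        FORM_PASS_PARAM: session["session.sso.token.last.password"],
    })


def logon_succeeded(status, headers):
    """Successful Logon Detection 'By Resulting Redirect URL': the back-end
    answer must be a redirect whose Location path matches /SAAS/apps/*."""
    if status not in (301, 302, 303, 307, 308):
        return False
    location = headers.get("Location")
    if not location:
        return False
    return fnmatchcase(urlsplit(location).path, SUCCESS_REDIRECT)


def run_flow(username, password, request_path, backend_status, backend_headers):
    """Drive the whole flow once and report what APM would conclude."""
    session = {}
    logon_page(session, username, password)          # policy: Logon Page
    sso_credential_mapping(session)                   # policy: SSO Credential Mapping
    if not start_uri_matches(request_path):
        return {"sso_attempted": False, "sso_succeeded": False, "post_body": None}
    body = build_sso_post(session)                    # SSO method: form-based
    return {
        "sso_attempted": True,
        "sso_succeeded": logon_succeeded(backend_status, backend_headers),
        "post_body": body,
    }


if __name__ == "__main__":
    # Constructed sample back-end response: a redirect into the VIM app catalog.
    print(run_flow("alice", "s3cret", "/hc/t/launch", 302,
                   {"Location": "https://vidm.example.test/SAAS/apps/launch?id=1"}))
```

The success check is the security-relevant part: a 200 response carrying the logon form again, or a redirect back to an authentication page, is treated as a failed SSO attempt rather than a success, which is why the match value is scoped to the application catalog path and not to "any redirect".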
Click the Apply Access Policy link to apply and activate your changes to this access policy.
Creating a pool for VMware Identity Manager
You create a pool to specify the VMware Identity Manager to integrate with Access Policy Manager (APM).
- On the Main tab, open the Pool List. The Pool List screen opens.
- Click Create. The New Pool screen opens.
- In the Name field, type a unique name for the pool.
- In the Resources area, using the New Members setting, add the VMware Identity Manager that you want to include in the pool:
  - Type an IP address in the Address field, or select a node address from the Node List.
  - In the Service Port field, type 443, which is the default; otherwise, type the port number configured for your VMware Identity Manager.
  - Click Add.
- Click Finished.
The new pool appears in the Pools list.
Configuring an HTTPS virtual server
Before you start, you need to have configured a connectivity profile in Access Policy Manager (APM). (Default settings are acceptable.)
You create this virtual server for SSL traffic from APM to VMware Identity Manager. This is one of two virtual servers that you must configure to process traffic for VMware Identity Manager. Use the same destination IP address for each one.
- On the Main tab, open the Virtual Server List. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address field, type the IP address for a host virtual server. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
- In the Service Port field, type 443 or select HTTPS from the list.
- From the HTTP Profile (Client) list, select a previously created HTTP/2 profile for client-side traffic.
- For the SSL Profile (Client) setting, in the Available box, select a profile name, and using the Move button, move the name to the Selected box.
- For the SSL Profile (Server) setting, select pcoip-default-serverssl.
- From the Source Address Translation list, select Auto Map.
- In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
- From the Connectivity Profile list, select the connectivity profile.
- From the VDI Profile list, select a VDI profile. You can select the default profile, vdi.
- Locate the Resources area of the screen and from the Default Persistence Profile list, select one of these profiles:
  - cookie: the default cookie persistence profile. Cookie persistence is recommended.
  - source_addr: the default source address persistence profile. Select it only when the cookie persistence type is not available.
- For Default Pool, select the pool you configured earlier.
- Click Finished.
Configuring a UDP virtual server for PCoIP traffic
Before you start, you must have configured a virtual server to process HTTPS traffic. You need to know the destination IP address of that virtual server.
You create this virtual server to support a PC over IP (PCoIP) data channel for View Client traffic.
- On the Main tab, open the Virtual Server List. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address field, type the IP address. Type the same IP address as for the virtual server that processes HTTPS traffic.
- In the Service Port field, type 4172.
- From the Protocol list, select UDP.
- From the Protocol Profile (Client) list, select a predefined or user-defined UDP profile.
- From the Source Address Translation list, select Auto Map.
- In the Access Policy area, from the VDI Profile list, select a VDI profile. You can select the default profile, vdi.
- Click Finished.
Configuring a UDP virtual server for Blast Extreme traffic
Before you start, you must have configured a virtual server to process HTTPS traffic. You need to know the destination IP address of that virtual server.
You create this virtual server to support a Blast Extreme data channel for View Client traffic.
- On the Main tab, open the Virtual Server List. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address field, type the IP address. Type the same IP address as for the virtual server that processes HTTPS traffic.
- In the Service Port field, type 8443.
- From the Protocol list, select UDP.
- From the Protocol Profile (Client) list, select a predefined or user-defined UDP profile.
- From the Source Address Translation list, select Auto Map.
- In the Access Policy area, from the VDI Profile list, select a VDI profile. You can select the default profile, vdi.
- Click Finished.
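The HTTPS, PCoIP and Blast Extreme virtual server procedures above, together with the external requirements listed at the start of this chapter, amount to a checklist that is easy to get wrong when the objects are created by hand. The following added example (mine, not F5 code) models the deployment as plain dictionaries and reports every requirement on this page that a configuration violates: shared destination address, the expected protocol/port of each virtual server, client-side and server-side SSL profiles on the HTTPS virtual server (because SSL offloading is not supported), an LTM-APM or All access profile using a form-based SSO configuration, connectivity and VDI profiles, matching FQDNs, at most one View pod, and a SAML artifact lifetime no longer than the 5-minute default. The dictionary layout, the sample address 192.0.2.10 and the name vidm.example.test are assumptions.

```python
"""Requirement checker for the APM / VMware Identity Manager deployment.

Added example, not F5 code. The dictionary layout and sample values are
assumptions; the checks themselves come from the requirements on this page.
"""

HTTPS_VS, PCOIP_VS, BLAST_VS = "https", "pcoip", "blast"
EXPECTED_LISTENERS = {HTTPS_VS: ("tcp", 443), PCOIP_VS: ("udp", 4172), BLAST_VS: ("udp", 8443)}
SAML_ARTIFACT_DEFAULT_SECONDS = 5 * 60


def check_deployment(cfg):
    """Return a list of human-readable violations; an empty list means OK."""
    problems = []
    vs = cfg["virtual_servers"]
    https = vs[HTTPS_VS]

    # Both data-channel virtual servers must share the HTTPS virtual server's address.
    for name in (PCOIP_VS, BLAST_VS):
        if vs[name]["destination"] != https["destination"]:
            problems.append(f"{name}: destination {vs[name]['destination']} differs from "
                            f"HTTPS virtual server {https['destination']}")

    # HTTPS on 443/tcp, PCoIP on 4172/udp, Blast Extreme on 8443/udp.
    for name, (proto, port) in EXPECTED_LISTENERS.items():
        found = (vs[name]["protocol"], vs[name]["port"])
        if found != (proto, port):
            problems.append(f"{name}: expected {proto}/{port}, found {found[0]}/{found[1]}")

    # No SSL offloading: APM must terminate TLS and re-encrypt towards VIM.
    if not https.get("client_ssl"):
        problems.append("https: client SSL profile missing")
    if not https.get("server_ssl"):
        problems.append("https: server SSL profile missing (SSL offloading is not supported)")

    # Access profile of type LTM-APM (or All) with a form-based SSO configuration.
    ap = cfg["access_profiles"].get(https.get("access_profile"))
    if ap is None:
        problems.append("https: no access profile attached")
    else:
        if ap["type"] not in ("ltm-apm", "all"):
            problems.append(f"access profile: type {ap['type']} is not LTM-APM or All")
        sso = cfg["sso_configs"].get(ap.get("sso"))
        if sso is None or sso["kind"] != "form-based":
            problems.append("access profile: a form-based SSO configuration is required")
    if not https.get("connectivity_profile"):
        problems.append("https: connectivity profile missing")
    if not https.get("pool"):
        problems.append("https: default pool missing")
    for name in EXPECTED_LISTENERS:
        if not vs[name].get("vdi_profile"):
            problems.append(f"{name}: VDI profile missing")

    # Requirements external to APM.
    if cfg["https_fqdn"].lower() != cfg["vidm_fqdn"].lower():
        problems.append(f"FQDN mismatch: virtual server {cfg['https_fqdn']} vs VIM {cfg['vidm_fqdn']}")
    if len(cfg["vidm_view_pods"]) > 1:
        problems.append(f"VIM points to {len(cfg['vidm_view_pods'])} View pods; at most one is supported")
    if cfg["saml_artifact_ttl_seconds"] > SAML_ARTIFACT_DEFAULT_SECONDS:
        problems.append(f"SAML artifact lifetime {cfg['saml_artifact_ttl_seconds']}s exceeds the "
                        f"{SAML_ARTIFACT_DEFAULT_SECONDS}s default; use a short-lived artifact")
    return problems


def sample_config():
    """Constructed configuration that follows every procedure on this page."""
    return {
        "vidm_fqdn": "vidm.example.test",
        "https_fqdn": "vidm.example.test",
        "vidm_view_pods": ["view-pod-1"],
        "saml_artifact_ttl_seconds": SAML_ARTIFACT_DEFAULT_SECONDS,
        "sso_configs": {"vidm-sso": {"kind": "form-based", "start_uri": "/hc/t/*"}},
        "access_profiles": {"vidm-ap": {"type": "ltm-apm", "sso": "vidm-sso"}},
        "virtual_servers": {
            HTTPS_VS: {"destination": "192.0.2.10", "protocol": "tcp", "port": 443,
                       "client_ssl": "clientssl", "server_ssl": "pcoip-default-serverssl",
                       "access_profile": "vidm-ap", "connectivity_profile": "connectivity",
                       "vdi_profile": "vdi", "pool": "vidm-pool"},
            PCOIP_VS: {"destination": "192.0.2.10", "protocol": "udp", "port": 4172, "vdi_profile": "vdi"},
            BLAST_VS: {"destination": "192.0.2.10", "protocol": "udp", "port": 8443, "vdi_profile": "vdi"},
        },
    }


if __name__ == "__main__":
    for line in check_deployment(sample_config()) or ["no problems found"]:
        print(line)
```

The server-side SSL check deserves emphasis: leaving SSL Profile (Server) empty would make the HTTPS virtual server an SSL-offloading one, which this integration explicitly does not support, and it would also send the credentials that form-based SSO posts to VMware Identity Manager in clear text on the server side.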
VMware clients and APM integration with VMware Identity Manager
For launching VMware View resources from VMware Identity Manager, Access Policy Manager® (APM®) supports the VMware Horizon View client on the desktop and on mobile platforms (iOS and Android) for the Blast and PCoIP protocols.
APM does not support the Horizon HTML5 client for launching VMware View resources from VMware Identity Manager.