VMware Hands-on Labs - HOL-1851-05-ADV


Lab Overview - HOL-1851-05-ADV - VMware Workspace ONE and VMware Horizon 7.1

Lab Guidance


Note: It will likely take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

In this lab you will learn how to install and configure VMware Identity Manager (vIDM) on-prem,  how to integrate it with Horizon 7,  ThinApp, SaaS and Web Applications.  You will also learn about configuring vIDM with a RADIUS-based 2-Factor Authentication solution.  

Lab Module List:


Lab Captains:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf 

Please take a look at HOL-1851-08-ADV for more information on installing VMware Identity Manager / Workspace ONE as part of a Cloud Pod Architecture deployment.


 

Any App, Any Device

 

VMware Identity Manager (vIDM) is the authentication engine powering VMware's Workspace ONE portal, giving users a seamless experience when accessing their applications or virtual desktops from any device. In this lab we will show you how to perform a simple setup of the vIDM appliance, integrate it with Horizon View for hosted applications and virtual desktops, and leverage Workspace ONE to deploy ThinApps and present web-based applications via SAML integration. You will also learn how to use a RADIUS-based 2-factor authentication method. While not shown in this lab, you can also present Citrix XenApps through Workspace ONE or present mobile applications via integration with VMware AirWatch (take a look at the HOL-1857-xx-UEM labs).

Before starting with the actual lab, please make yourself familiar with the specifics of the Hands-on Labs environment. If you are already familiar with Lab Status, drag and copy etc., feel free to skip the next steps and proceed directly to the module you want to take.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  But you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all its startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 10 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Install and Configure Identity Manager and Workspace ONE (30 minutes)

Introduction


This module will cover the installation and configuration of the on-prem version of VMware Identity Manager (vIDM).  vIDM 2.8.1 appliance features include the portal (which users will see labeled as Workspace ONE), AirWatch Directory integration, access policy integration, and Horizon True SSO support.  It provides a simple and secure enterprise platform that delivers and manages any app on any device by integrating application and mobility management.

In this module you will review the prerequisites and configure the vIDM appliance for a simple install, as you would for a POC or test environment. Once the configuration is complete, you will take a tour of the interface and view what additional features and functionality are available.

Please note that in this module we recommend using Chrome for the best experience. The browser has been configured to ignore self-signed certs.

If you are interested in more advanced installation options, e.g. installing vIDM as part of a Cloud Pod Architecture (CPA), we recommend looking at HOL-1851-08-ADV.


 

What is VMware Identity Manager?

 

What Is VMware Identity Manager?

VMware Identity Manager is identity management for the mobile cloud era that delivers on consumer-simple expectations like one-touch access to nearly any app, from any device, optimized with AirWatch Conditional Access. Empower employees to get productive quickly with a self-service app store while giving IT a central place to manage user provisioning and access policy with enterprise-class directory integration, identity federation and user analytics expected from the leader of hybrid cloud infrastructure.

What are the Key Benefits?

 

 

Lab Ready?

 

  1. Make sure the 'Lab Status' is 'Ready'
  2. Open README.txt
  3. Make yourself familiar with the content of README.txt, this will make your life easier by allowing you to copy/paste rather than typing, especially if you don't have a US keyboard.

 

 

Start vidm-02a appliance

 

To prepare the interactive part of the lab, we need to start vidm-02a using the vSphere Client.

  1. Open Chrome and click on HOL-1851 Admin in the bookmark
  2. Select vCenter HTML5 Client

 

Download and Deploy VMware Identity Manager Appliance



 

vIDM deploy

In this chapter, we will discuss the prerequisites for successfully deploying the Identity Manager (vIDM) appliance. This chapter is a strictly theoretical module, with no steps to be performed.

vIDM appliance prerequisites are:

  1. DNS records (both A and PTR-records)
  2. ESXi host to be time synced

A default TLS/SSL server certificate is generated when you deploy a vIDM appliance. For production environments, VMware strongly recommends that you replace the default certificate as soon as possible.

It is important to use the Fully Qualified Domain Name (FQDN) during installation of vIDM!

 

 

Configure DNS

 

These steps are not to be performed in the Lab environment.

The vIDM appliance requires both forward (A-record) and reverse (PTR-record) DNS records.

Within this Lab environment the corp.local domain is the main domain.

  1. As shown in this screen capture, there is a Host (A) record for vidm-02a
  2. Looking in the reverse lookup zone for 192.168.110, you can see the PTR record has been created

 

 

Time Sync

 

vIDM is very sensitive to time differences between itself and the systems with which it integrates. vIDM uses SAML for much of its functionality, and SAML assertions carry a validity window, so a drift of as little as 30 seconds is often enough to break functionality.

You should confirm Time Configuration is set up and running on the host(s).  The appliance will pick up the correct time from the ESXi host. Since you often join vIDM to a Microsoft Active Directory domain, it is important the ESXi host and your domain controllers are time synced to the same source. Many times you can specify one of your domain controllers as the time source for your ESXi host.
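To make the drift sensitivity concrete, here is an added example that is not part of the lab manual: a small Python validator for the NotBefore/NotOnOrAfter window that every SAML assertion carries, which is the check a relying party such as vIDM or the Horizon Connection Server performs before trusting an assertion. The assertion text, its issuer URL and the timestamps are constructed sample values, and the validator is illustrative, not VMware's code.

```python
"""Added example (not from the lab manual): why clock drift breaks SAML.

A SAML assertion carries <Conditions NotBefore="..." NotOnOrAfter="..."/>.
The relying party rejects the assertion if its OWN clock falls outside that
window, so a clock that is behind or ahead of the IdP breaks the login even
though nothing is wrong with the assertion itself.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed minimal assertion: a 5-minute validity window issued at 12:00:00Z.
# The issuer is a placeholder, not a real vIDM endpoint.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2017-08-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/placeholder</saml:Issuer>
  <saml:Conditions NotBefore="2017-08-01T12:00:00Z" NotOnOrAfter="2017-08-01T12:05:00Z"/>
</saml:Assertion>"""


def _parse_ts(value):
    """Parse the UTC xs:dateTime form SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, allowed_skew=timedelta(0)):
    """Return (ok, reason). `now` is the relying party's clock, not the IdP's.

    `allowed_skew` models the tolerance some SAML stacks offer; with zero skew
    the window is enforced exactly as written in the assertion.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = _parse_ts(cond.get("NotBefore"))
    not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))
    if now + allowed_skew < not_before:
        return False, "assertion not yet valid (relying party clock is behind the IdP)"
    if now - allowed_skew >= not_on_or_after:
        return False, "assertion expired (relying party clock is ahead of the IdP)"
    return True, "within validity window"


def drift_test(drift_seconds, allowed_skew_seconds=0):
    """Simulate a relying party whose clock is `drift_seconds` off from the IdP
    at the moment the assertion is issued; returns True if it would be accepted."""
    idp_issue = _parse_ts("2017-08-01T12:00:00Z")
    rp_now = idp_issue + timedelta(seconds=drift_seconds)
    ok, _ = check_conditions(SAMPLE_ASSERTION, rp_now,
                             timedelta(seconds=allowed_skew_seconds))
    return ok


if __name__ == "__main__":
    for drift in (0, -30, 30, 400):
        print(f"relying party drift {drift:+4d}s -> accepted: {drift_test(drift)}")
```

With no skew allowance, a relying party whose clock is 30 seconds behind the IdP rejects the assertion as "not yet valid", which is exactly the failure the paragraph above warns about, and the rejection is silent from the user's point of view. The `allowed_skew` parameter shows why some products tolerate a few seconds, but the real fix is the one the lab recommends: the ESXi host, the appliance and the domain controllers synced to one time source.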

These steps are not to be performed in the Lab environment.

To confirm the host has time configured:

  1. Within vCenter, click on your host
  2. Select Configure
  3. Select Time Configuration

 

 

Deploy the VMware Identity Manager Appliance

 

These steps are not to be performed in the Lab environment.

Once all prerequisites are in place and you have downloaded the vIDM Connector from VMware.com, you are ready to deploy.

  1. From the vSphere Web Client, right click on the cluster you would like to deploy to
  2. Select Deploy OVF Template
  3. Select Local File, then Browse.  Navigate to the OVA file
  4. Click on Next

VMware Identity Manager up and running

 

Once the appliance is fully powered on it will display a screen similar to above.

The rest of the configuration is done using the web interface.

 

Initial Configuration of the VMware Identity Manager Appliance


Once the VMware Identity Manager appliance has been deployed and powered on, the remainder of the configuration process is done using a web interface. The first portion of the setup will utilize the  Setup Wizard.

These steps ARE to be performed in the Lab environment.


 

Configure Administrator User

 

  1. Open Active Directory Users and Computers

Note: When synchronizing Workspace ONE with Active Directory, certain user attributes are expected/required. The following steps will walk you through adding some of the attributes we will require (name, username) later in this lab.

 

 

Use the VMware Identity Manager Appliance Setup Wizard

 

Launch Chrome Browser and browse to the new vIDM appliance

  1. Enter https://vidm-02a.corp.local as the URL
  2. As the appliance is new and no certificates have been installed yet, you receive a warning; click ADVANCED
  3. Click Proceed to vidm-02a.corp.local (unsafe)

Note: Please make sure to enter https and use vidm-02a, NOT vidm-01a.

 

 

vIDM Appliance Setup

 

1. Click Continue

 

VMware Identity Manager Admin Console Configuration


In this section you will learn how to perform some additional configurations including adding Active Directory, as well as adding users and groups to the appliance.


 

Login into the Portal

 

If you have not closed your web browser, you should now have the login page of Workspace ONE in front of you.

  1. Specify admin as the user (this is the built-in web administrative account)
  2. Type VMware1! as the password
  3. Click Sign in

 

 

Modify User Attributes

 

In the portal you can modify the Attributes that are used to sync to Active Directory. Based on how current attributes are configured in the lab, we will modify which attributes users are mapped to:

  1. Click on Identity & Access Management tab
  2. Select Setup
  3. Select User Attributes tab
  4. Uncheck all the boxes except userName
  5. Scroll down, and click on Save

Note: We are de-selecting the other user attributes because in our test environment some of them (phone number, etc.) are not set in Active Directory. If a checked attribute is not set for a user in AD, that user will not be imported into vIDM.

During the VMware Identity Manager service directory setup, you select Active Directory user attributes and filters to select which users sync in the VMware Identity Manager directory. You can change the user attributes that sync from the administration console, Identity & Access Management tab, Setup > User Attributes.

Changes that are made and saved in the User Attributes page are added to the Mapped Attributes page in the VMware Identity Manager directory. The attributes changes are updated to the directory with the next sync to Active Directory.

The User Attributes page lists the default directory attributes that can be mapped to Active Directory attributes. You select the attributes that are required, and you can add other attributes that you want to sync to the directory. When you add attributes, the attribute name you enter is case-sensitive. For example, address, Address, and ADDRESS are different attributes.

Important

If you plan to sync XenApp resources with VMware Identity Manager, you must make distinguishedName a required attribute. You must make this selection before creating a directory as attributes cannot be changed from optional to required after a directory is created.
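To see the import rule in action, here is an added example that is not part of the lab manual: a constructed set of AD user records and a constructed attribute mapping, with a `sync_users` function that imports a user only when every attribute marked required has a value, the way the note above describes, and that rejects a required attribute whose name does not match the mapping exactly (case included). The records, mapping and function are illustrative, not vIDM's own code.

```python
"""Added example (not part of the lab manual): why an unset required attribute
keeps a user out of the vIDM directory, and why attribute names are case-sensitive.
All records and the mapping are constructed sample data.
"""

# Constructed AD records: lab1user has no telephoneNumber set in AD.
AD_USERS = [
    {"sAMAccountName": "lab1user", "givenName": "Lab", "sn": "One",
     "mail": "lab1user@corp.local",
     "distinguishedName": "CN=Lab 1 User,OU=Lab,DC=corp,DC=local"},
    {"sAMAccountName": "lab2user", "givenName": "Lab", "sn": "Two",
     "mail": "lab2user@corp.local", "telephoneNumber": "+1-555-0100",
     "distinguishedName": "CN=Lab 2 User,OU=Lab,DC=corp,DC=local"},
]

# Constructed vIDM attribute -> AD attribute mapping. Keys are case-sensitive:
# "phone" and "Phone" would be two different attributes.
MAPPING = {
    "userName": "sAMAccountName",
    "firstName": "givenName",
    "lastName": "sn",
    "email": "mail",
    "phone": "telephoneNumber",
    "distinguishedName": "distinguishedName",
}


def sync_users(ad_users, mapping, required):
    """Return (imported, skipped).

    imported: list of user dicts keyed by the directory attribute names.
    skipped:  userName -> list of required attributes that had no value in AD.
    Raises KeyError if a required attribute is not in the mapping at all, which
    is what a case mismatch such as 'Phone' vs 'phone' looks like.
    """
    if "userName" not in mapping:
        raise KeyError("mapping must define userName")
    unknown = [attr for attr in required if attr not in mapping]
    if unknown:
        raise KeyError(f"required attribute(s) not in mapping (names are case-sensitive): {unknown}")

    imported, skipped = [], {}
    for user in ad_users:
        name = user.get(mapping["userName"])
        # Every required attribute must be present AND non-empty in AD.
        missing = [attr for attr in required if not user.get(mapping[attr])]
        if missing:
            skipped[name] = missing
            continue
        imported.append({attr: user.get(ad_attr) for attr, ad_attr in mapping.items()})
    return imported, skipped


if __name__ == "__main__":
    for required in (["userName"], ["userName", "phone"]):
        imported, skipped = sync_users(AD_USERS, MAPPING, required)
        print(f"required={required}: imported={[u['userName'] for u in imported]} skipped={skipped}")
```

With only userName required both users import; adding phone to the required set silently drops lab1user, which is the situation the note describes and the reason the lab unchecks every attribute except userName.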

 

 

Add User Directory

 

  1. Confirm you are on the Identity & Access Management tab
  2. Click on Manage
  3. Click Add Directory
  4. Select Add Active Directory over LDAP/IWA

 

 

Configure Directory Access

 

  1. Type corp.local as the Directory Name
  2. Scroll down

 

 

Verify Users

 

  1. Click on Users & Groups tab
  2. Verify you have some users listed

 

 

Verify Groups

 

  1. Click on Groups
  2. Verify Domain Users are listed

 

Admin Console walk-through


This section aims to familiarize you with the different parts of the administrative console and where to find certain settings.

Please feel free to navigate through the admin console in the lab environment.


 

User Engagement Dashboard

 

The very first thing an administrator sees when accessing the administrator console is the User Engagement Dashboard. Here you get a quick overview of the system: for example, how many users and groups your system has, which applications are used the most, how many logins there were, and much more.

  1. Click on Dashboard

 

 

Navigate to the System Diagnostics Dashboard

 

  1. Click on down arrow next to Dashboard
  2. Choose the System Diagnostics Dashboard

 

 

Navigate to Reports

 

  1. Select the down arrow next to Dashboard
  2. Select  Reports

 

 

Portal Catalog Settings

 

  1. Click Catalog, and choose Settings

 

 

Identity & Access Management   -  Directories

 

In this section of the console you can not only confirm the domain(s) and the vIDM appliance are in sync but also add additional domains as well.

  1. Click on Identity & Access Management
  2. Confirm you are in the Manage section
  3. Confirm you are on the Directories tab

 

 

Identity & Access Management Tab  -  Additional Settings

 

Let's review the additional tabs that reside in Identity & Access Management.

  1. Identity Providers: These are the systems that authenticate users. vIDM comes with its built-in IdP, but you can also add third-party Identity Providers.
  2. Password Recovery Assistant: If users have forgotten their password, you can customize the message / link to a web page that you display to them. vIDM cannot reset or change an AD user's password.
  3. Policies: vIDM comes with a default policy called default_access_policy_set. This policy decides whether users get access to the portal itself. You can add your own application policies for SAML/WS-Fed based web applications. Using policies you can grant access to the portal from the Internet while launching a specific SAML-integrated web application may require users to be on the LAN; launching that SAML-based application from the Internet then won't work. Policies can base their rules on both authentication type and location.

 

 

Identity & Access Management - Setup

 

Now we will review options that reside in Setup under the Identity & Access Management section.

  1. Confirm you are on Identity & Access Management, select Setup
  2. First we see the Connectors tab.  This is where you would go to add additional vIDM connectors/appliances as well as adding or changing domain membership

 

 

 

Appliance Settings

 

  1. Select Appliance Settings
  2. Within this tab you can specify the license key and an SMTP server. Most likely you want to configure more, so you need to click on Manage Configuration.  This will open an additional tab in your browser.
  3. Enter VMware1!
  4. Click on Login

 

 

Manage Configuration for vIDM Appliance

 

Once you have clicked on Manage Configuration, you get access to the settings for the management of the appliance itself.   These are typically one-time settings that you configure once per installation.

  1. Database Connection: Here you specify which database to use. This is the same setting you were asked for during the initial web wizard.

 

Conclusion


You have now completed Module 1.  You should now be familiar with the initial setup and configuration of VMware Identity Manager for a simple install.

Please close all browser windows before proceeding to the next Module.


 

For More Information

 

Additional information on installation or configuration of VMware Identity Manager can be found:

Proceed to any module below which interests you most:

The HOL-1851-08-ADV Lab will cover setup of vIDM with an external database and as part of Cloud Pod Architecture (CPA).

 

Module 2 - Integrating Identity Manager with Horizon 7.1 (30 minutes)

Introduction


VMware Identity Manager lets you build a self-service app store, so users can access virtually any application on any device from a single portal. This allows for better control for admins and better ease of use for the end-user.

With support for Bring Your Own Device (BYOD) initiatives, Workspace ONE lets IT centrally deliver, manage and secure these assets across devices. It reduces employee on-boarding time, consolidates access to corporate resources for better intellectual property protection and reduces helpdesk calls.

In this module you will learn how to integrate Horizon 7 with VMware Identity Manager to access hosted applications.

 


 

VMware Identity Manager and Horizon SSO

 

  1. A user authenticates to VMware Identity Manager. The administrator can select from an extensive set of authentication methods (RSA SecurID, RADIUS, Biometric, and so on). After authentication, the user selects a desktop or application to launch from VMware Identity Manager.
  2. Horizon Client is launched with the user’s identity, and credentials are directed to the View Connection Server, the broker for Horizon 7.
  3. The broker validates the user’s identity with VMware Identity Manager by sending a SAML assertion.
  4. Using the certificate Enrollment Service, Horizon 7 requests that the Microsoft Certificate Authority (CA) generate a temporary, short-lived certificate on behalf of that user.
  5. Horizon 7 presents the certificate to the Windows operating system.
  6. Windows validates the authenticity of the certificate with Active Directory.
  7. The user is logged in to the Windows desktop or application, and a remote session is initiated on the Horizon Client.

 

 

Lab Ready?

 

  1. Make sure the Lab Status is Ready
  2. Open README.txt
  3. Make yourself familiar with the content of README.txt, this will make your life easier by allowing you to copy/paste rather than typing, especially if you don't have a US keyboard.

Note: It can take 10-20 minutes for the Lab Status to be ready in case of a "cold vPOD". Typically we aim to have several vPODs for each lab ready to go. If your lab is not ready, please wait a couple minutes before calling for help.

If you went through Module 1 prior to this Module, please be sure to close all browser windows prior to proceeding. We will NOT use the vIDM instance (vidm-02a) from Module 1 for this module. Modules 2-5 will use a pre-configured instance of vIDM (vidm-01a).

 

Enabling View Applications for Use with VMware Identity Manager


To enable Horizon 7 Machines or Applications Pools in VMware Identity Manager (vIDM), we have to switch to the Catalog and add a View Application.

As this vPOD is used by other labs, vIDM has already been configured for use with Horizon View, but we will walk through the steps to verify the configuration.


 

Open Workspace ONE Admin Console

 

  1. Open Chrome and select WS1 Admin Bookmark

 

 

Login to Workspace ONE

 

Sign in to Workspace ONE

  1. User admin
  2. Password VMware1!

Note: For this lab we are using the admin user from the System Domain of vIDM, not a domain user. You can configure a domain user or group to be admin users if you prefer.

 

 

Add View Application

 

  1. Switch to Catalog
  2. Click Manage Desktop Applications
  3. Select View Application

 

Enable SAML Authentication in Horizon 7


In this step we will verify that SAML Authentication between Horizon 7 and VMware Identity Manager has been enabled.


 

Login to Horizon View Console

 

  1. User name: administrator
  2. Password: VMware1!
  3. Click Log In

 

 

Switch to Connection Servers

 

  1. Underneath View Configuration, select Servers
  2. Click Connection Servers
  3. Select VIEW-01A
  4. Click Edit

 

Configuring Horizon 7 Application Pools


You will see there are some entitlements for applications (and Desktop Pools) available in Horizon View. We will add a new one and walk you through the process of synchronizing it with vIDM.


 

Add Application to Pool

 

1. Under Catalog select Application Pools

2. Click Add

 

 

Verify WordPad is available

 

1. Verify Wordpad is listed under Application Pools and has status Available

 

Synchronize VMware Identity Manager with Horizon 7


In order for changes from Horizon 7 Application Pools to appear in VMware Identity Manager, we need to synchronize the two.


 

Return to VMware Identity Manager

 

1. Click VMware Workspace ONE tab next to View Administrator in your browser to return to the VMware Identity Manager View Pools site

 

 

Synchronize View Pools

 

  1. Scroll down
  2. Click Sync Now

 

 

Return to Admin Console

 

  1. Click on the first browser TAB to return to the catalog
  2. Refresh page
  3. Scroll down
  4. Verify WordPad is available in the catalog

 

Check Entitlements for Horizon 7 Application Pools via VMware Identity Manager


In this step we will check entitlements for Horizon View Pools in VMware Identity Manager


 

Verify View Pool App Details

 

  1. Click on WordPad

 

 

Verify application entitlement

 

  1. Verify Type is View Hosted Application
  2. Verify the User, Lab 1 is entitled and the deployment is set to Automatic

 

 

Access Application as user

 

Conclusion


In this module you have learned how to enable Horizon 7 Application Pools in VMware Identity Manager and configure SAML Authentication in Horizon View to allow single-sign-on.


 

VMware Identity Manager Resources

 

You can find more information on the vIDM website:

https://www.vmware.com/products/identity-manager

 

 

Choose Module to continue with

You can now proceed to the next module or any module below which interests you most:

 

Module 3 - Integrating Identity Manager with ThinApp (30 minutes)

Introduction


In this module you will learn how to configure a ThinApp repository in VMware Identity Manager and entitle users/user groups to access applications. You will learn how to modify existing ThinApp packages to work with VMware Identity Manager and handle updates for ThinApp packages presented via the VMware Identity Manager.


 

Lab Ready?

 

1. Make sure the Lab Status is Ready

2. Open README.txt

3. Make yourself familiar with the content of README.txt, this will make your life easier by allowing you to copy/paste rather than typing, especially if you don't have a US keyboard.

Note: It can take 10-20 minutes for the Lab Status to be ready in case of a "cold vPOD". Typically we aim to have several vPODs for each lab ready to go. If your lab is not ready, please wait a couple minutes before calling for help.

 

Configure ThinApp Repository


In this step you will learn how to add a ThinApp Repository to VMware Identity Manager and entitle ThinApp-Packages to users.


 

Add ThinApp Application

 

  1. Click WS1 Admin to open Admin Console in Chrome
  2. User admin
  3. Password VMware1!
  4. Click Sign In

 

 

Check Log File

 

  1. Select drop down menu next to Catalog
  2. Select Settings

 

 

 

1. Open Command Prompt

 

 

Switch to Catalog / Add ThinApp Application

 

  1. Click on the browser TAB to the right to get to the ThinApp Configuration Page

 

Entitle ThinApp Packages to Users


After the sync with the ThinApp Repository, we need to entitle users to use them.


 

Switch to Catalog

 

  1. In the Administrator Console click Catalog
  2. Click the little arrow next Any Application Type
  3. Select ThinApp Packages
  4. Click on Safari

 

 

Add Entitlement

 

1. Click + Add group entitlement

 

Configure vIDM Desktop Client and Verify ThinApp Package Install


For ThinApp entitlement and deployment to work, each client must have the VMware Identity Manager Desktop Agent installed. This lightweight agent synchronizes entitlements from the central VMware Identity Manager portal and keeps a local entitlement database so users can launch packages while offline; the local entitlement database is valid for 30 days by default. The agent also handles distribution of packages to the client. There are three deployment methods supported for ThinApp packages: Local, Run From Share and HTTP delivery. The delivery mechanism is specified during installation of the agent and can be changed via registry keys after the agent is installed.

Local deployment means clients will download the ThinApp packages to their hard drives from the ThinApp repository using SMB.

Run From Share means the ThinApp packages are never downloaded to the local client but executed over the network using ThinApp's streaming mechanism.

HTTP delivery downloads the packages to the local client using HTTPS as the protocol. This allows the clients to be non-domain members and located outside the firewall (clients do not need direct access to the ThinApp repository, Workspace proxies the file download).


 

Open Windows 10 Desktop

 

  1. Open Base-w10-x64-01 (Windows 10 Desktop)
  2. Select other user: corp\lab2user
  3. Password: VMware1!
  4. Click OK

 

 

Identity Manager Desktop - Login

 

Upon first login of a user after Identity Manager Desktop has been installed, the user needs to authenticate. In this lab environment, we have installed Identity Manager Desktop on base-w10-x64-01 already, so you just need to authenticate the user.

  1. Username lab2user
  2. Password VMware1!
  3. Click Sign in

 

 

Verify Identity Manager Desktop connection

 

With the previous step we authenticated our user to vIDM, you can verify that the VMware Identity Manager Desktop Client has been configured correctly via the task bar icon:

  1. Click to Show Hidden Icons in task bar
  2. Click on the VMware Identity Manager Desktop Icon
  3. Verify you see Next sync in xx seconds

Note:

The default sync time is 5 minutes, for this lab we configured the Client to check for changes every 60 seconds.

In an enterprise environment, you likely would deploy the agent to all computers using your existing software deployment solution (i.e. Microsoft SCCM, Altiris etc.) or have it pre-installed for your VDI environment. The installer allows for silent install without interaction and all switches are well documented.

 

 

Logged In Notification

 

You will see a status notification from the VMware Identity Manager Client in the lower right corner of your screen, confirming successful login.

 

 

Package Installed Notification

 

Depending on timing, you might have seen this before the last step. The VMware Identity Manager Desktop Client controls ThinApp packages for the user, and since we set deployment to Automatic, the Safari ThinApp package is installed for the user.

 

 

Minimize Remote session

 

  1. Close Safari (if open)
  2. Minimize (don't close!) the Remote Desktop session, to switch back to the Main Console

 

Updating ThinApp Packages


Now we will show you how to update a ThinApp Package in VMware Identity Manager. First we entitle Notepad++ 7.2 and then we'll update it to Notepad++ 7.4.1. For VMware Identity Manager to discover a ThinApp package as an update to an existing package, the new package needs:

It is not necessary for the new package to be captured as update to an existing package, the necessary changes can be made by modifying the Package.ini and/or using relink.exe.  


 

Switch Back To Admin Console

 

  1. Switch to Catalog
  2. Select ThinApp Packages as filter
  3. Click Notepad++ 7 (32-bit x86)

 

 

Verify Notepad++ Gets Deployed

 

As mentioned before, Identity Manager Desktop checks for updates every 60 seconds, so depending on timing you might have to wait a few seconds before Notepad++ appears on the desktop.

  1. Open NotePad++ from Desktop
  2. Click the ?
  3. Select About Notepad++

 

 

Get AppID of previous Notepad++ version

 

Now let's go through the necessary steps to update an existing ThinApp Package within Workspace ONE. We already saw in the admin console that the version of the existing Notepad++ package is 1.0; now we need to get the AppID of the package. There are different ways of getting the AppID (GUID) of the existing package; for example, you can run relink -h on the package or get it from the Workspace ONE Admin Console, which is what we do in this lab:

Back on the Main Console, you should still see the Modify application screen; if not, open the WS1 Admin console and go to Notepad++ in the Catalog again.

  1. Click on Details
  2. Mark the GUID by clicking on the left bracket and dragging the mouse to the right bracket while holding the mouse button down. Make sure to include both brackets.
  3. Right-click on the marked GUID to open the menu
  4. Select Copy


1. Open Command Line

 

 

Re-Sync ThinApp Repository

 

  1. Open VMware Identity Manager Admin Console and switch to Catalog
  2. Click on Manage Desktop Applications
  3. Select ThinApp Application

 

 

Verify Entitlement

 

1. Click on 'Notepad++ (32-bit x86)'

Note: Though both versions of Notepad++ were uploaded to VMware Identity Manager, only one version is displayed in the catalog. If you want both versions to show, use different values for the InventoryName in the Package.ini and different AppIDs; you will then have to manage the packages/entitlements independently.

 

 

Switch Back to Remote Desktop

 

1. Switch back to the Remote Desktop session

 

 

Verify new Version got installed

 

  1. Open Notepad ++
  2. Click on ?
  3. Select About Notepad++
  4. Verify Version is 7.4.1
  5. Click OK
  6. Close Notepad++

 

 

Log Out from Remote Desktop

 

  1. Click Start Menu
  2. Click on Lab 2 User
  3. Select Sign Out

 

Conclusion


In this module you have learned how to add a ThinApp Repository to VMware Identity Manager and present ThinApp Packages to users. You have also learned how to use Relink.exe to modify existing ThinApp Packages to work with VMware Identity Manager and how to update an existing ThinApp Package with a new version.


 

VMware Identity Manager Resources

 

You can find more information on our website:

http://www.vmware.com/products/identity-manager/

 

 

Choose Module to continue with

You can now proceed to the next module or any module below which interests you most:

 

 

Module 4 - Multifactor Authentication using RADIUS (30 minutes)

Introduction


VMware Identity Manager allows you to set up Network Ranges, and different authentication policies can be assigned to different network ranges.

For example, you want your end-users to authenticate with their AD credentials while they are in the office and connected to the corporate network, while you might want them to use 2-factor authentication when working from home.

For this lab we are using FreeRADIUS.net; in a real-world scenario this could be your RSA server or any other 2-factor authentication solution supporting the RADIUS protocol. We have set up a different password (123456) from the default AD password (VMware1!) typically used in the HOL; consider this your RSA token.


 

Lab Ready?

 

1. Make sure the Lab Status is Ready

 

 

Start FreeRADIUS.net

 

  1. Open Start Menu
  2. Select FreeRADIUS START
  3. Verify FreeRADIUS is started and Ready to process requests.

 

Setup RADIUS as Authentication Adapter


In this module we will set up RADIUS as an additional authentication adapter and configure it to work with our FreeRADIUS.net server.


 

Open Identity Manager console

 

  1. Click WS 1 Admin to open Management Console
  2. Username: admin
  3. Password: VMware1!
  4. Click Sign in

 

 

Setup Authentication Adapters

 

  1. Click Identity & Access Management tab
  2. Click Setup
  3. Click on vidm-01a.corp.local

 

 

Modify Authentication Adapters

 

  1. Click Auth Adapters
  2. Scroll down
  3. Click RadiusAuthAdapter

 

 

Configure RADIUS

 

  1. Check 'Enable RADIUS Adapter'
  2. Check 'Enable direct authentication to Radius server during auth chaining'
  3. Set 'Number of attempts to Radius server' to 5
  4. Set 'Server timeout in seconds' to 5
  5. Specify 192.168.110.10 as the RADIUS server IP
  6. Scroll down
  7. Set Accounting port to 1813
  8. Choose PAP as Authentication type
  9. Enter HOLrocks! as the shared secret
  10. Scroll down (leave configuration for secondary server empty)
  11. Click Save
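To show what the adapter configured above actually sends to 192.168.110.10, here is an added example (not part of the lab or of VMware's code) that builds a PAP Access-Request the way RFC 2865 specifies, hides the passcode with the lab's shared secret, and checks the Response Authenticator on the server's reply. The identifier and Request Authenticator values are constructed; only the secret, username and passcode come from the lab.

```python
import hashlib
import hmac
import struct

# Shared secret from the lab's RADIUS adapter configuration; the identifier and
# Request Authenticator used below are constructed for this example.
SECRET = b"HOLrocks!"

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as the RADIUS server recovers the passcode."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding used for every RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(user: bytes, passcode: bytes, secret: bytes, ident: int, authenticator: bytes) -> bytes:
    """Access-Request (code 1) carrying User-Name (1) and a PAP User-Password (2)."""
    attrs = attribute(1, user) + attribute(2, pap_hide(passcode, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def reply(code: int, ident: int, request_authenticator: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def reply_is_authentic(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The client must check this before trusting an Access-Accept (code 2)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

Both the passcode hiding and the reply check depend only on the shared secret and an MD5 construction, which is why the secret must stay strong and private and the server address must be fixed, as it is in the adapter settings.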

 

 

Return to Admin Console

 

1. Close this tab to return to the Admin Console

 

Create Network Range and modify policy


Now we create a network range for our test VM (Windows10-01a) and modify the default policy to use RADIUS for this specific range.


 

Define Network Range

 

1. Click Network Ranges
2. Click Add Network Range

 

 

Define Network Range cont.

 

1. Enter RADIUS Test as 'Name' for the network range
2. Provide a description RADIUS Test (optional)
3. Enter view-01a.corp.local as Client Access URL Host
4. Set URL Port to 443
5. Enter 192.168.100.113 as 'From'
6. Enter 192.168.100.113 as 'To'
7. Click Save

This will add a "range" of one IP address (our Windows 10 VM).

 

 

Verify the new network range has been added

 

 

 

Change default access policy

 

  1. Click Manage tab
  2. Click Policies
  3. Click default_access_policy_set

 

 

Add new Web browser rule

 

1. Scroll down
2. Click the '+' sign

 

 

Configure Policy Rule

 

1. Select RADIUS Test from dropdown menu
2. Select Web Browser from dropdown menu
3. Select RADIUS from dropdown menu
4. Click OK

 

 

Change Policy Rule Order

 

1. Click the icon in front of RADIUS Test
2. Drag the rule all the way to the top
3. Click Save

 

 

Verify authentication methods

 

  1. Verify RADIUS is now the first authentication method to be tried for the Network Range RADIUS Test when connecting via a Web Browser.
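The reason the rule had to be dragged to the top is that policy rules are evaluated in order and the first rule matching both the network range and the device type wins. The following added example (not part of the lab or of VMware Identity Manager) models that evaluation and adds a check for rules that can never fire because an earlier, broader rule covers them. The catch-all "ALL RANGES" rule with Password is an assumption about the lab's default policy.

```python
import ipaddress

# Constructed model of the lab's setup: a network range is an inclusive From/To
# pair, and a policy is an ordered list of rules evaluated top to bottom.
# Range names follow the lab; the ALL RANGES catch-all rule is assumed.
NETWORK_RANGES = {
    "ALL RANGES": ("0.0.0.0", "255.255.255.255"),
    "RADIUS Test": ("192.168.100.113", "192.168.100.113"),  # the Windows10-01a VM
}

def in_network_range(client_ip: str, range_name: str) -> bool:
    low, high = (ipaddress.ip_address(a) for a in NETWORK_RANGES[range_name])
    return low <= ipaddress.ip_address(client_ip) <= high

def select_auth_chain(rules, client_ip: str, device_type: str):
    """Auth method chain of the first matching rule, or None when nothing matches."""
    for rule in rules:
        device_ok = rule["device"] in (device_type, "All Device Types")
        if device_ok and in_network_range(client_ip, rule["range"]):
            return rule["methods"]
    return None

# Rule order the lab ends up with after dragging RADIUS Test to the top.
LAB_RULES = [
    {"range": "RADIUS Test", "device": "Web Browser", "methods": ["RADIUS"]},
    {"range": "ALL RANGES", "device": "Web Browser", "methods": ["Password"]},
]

def shadowed_rules(rules):
    """Indexes of rules fully covered by an earlier rule, so they never fire.
    A RADIUS Test rule left below the catch-all shows up here."""
    found = []
    for i, rule in enumerate(rules):
        low, high = (ipaddress.ip_address(a) for a in NETWORK_RANGES[rule["range"]])
        for earlier in rules[:i]:
            e_low, e_high = (ipaddress.ip_address(a) for a in NETWORK_RANGES[earlier["range"]])
            covers_range = e_low <= low and high <= e_high
            covers_device = earlier["device"] in (rule["device"], "All Device Types")
            if covers_range and covers_device:
                found.append(i)
                break
    return found
```

Running shadowed_rules over an exported policy before saving is a cheap way to catch a stronger rule that has silently been pushed behind a weaker catch-all.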

 

Verify functionality


Now we will verify the new policy is active.


 

Open New Incognito Window

 

Open a new incognito browser window:

  1. Click the vertical dots in the upper right corner
  2. Select New incognito window

 

 

Log in to WS1

 

  1. Click WS1
  2. Click Next

 

 

Log In as lab1user

 

  1. Username lab1user
  2. Password VMware1!

 

 

Verify Login

 

You should have successfully logged in to the Workspace ONE console using your domain password.

1. Close the Incognito Window

 

 

Test RADIUS Authentication from Windows10 VM

 

Now for the real test: minimize your browser windows.

  1. Click Base-w10 Shortcut
  2. Select "Use another account"
  3. Username corp\lab1user
  4. Password VMware1!
  5. Click Login

 

 

Open Edge Browser

 

  1. Open Microsoft Edge browser
  2. Browse to vidm-01a.corp.local
  3. Click Next

 

 

Authenticate Using RADIUS

 

  1. Notice "Please enter RADIUS Passcode"
  2. Notice Authentication is set to RADIUS Passcode

 

 

Login using RADIUS

 

  1. Username lab1user (all in lowercase)
  2. Password 123456  
  3. Click Sign In

Note: Lab1user's Active Directory password is VMware1! (as you verified before). The RADIUS server has 123456 configured as lab1user's password; in a real-world scenario, this would be your RSA token.

 

 

Verify access

 

Verify you can access the portal successfully.

 

 

Disconnect and Log Off

 

  1. Click Start Menu
  2. Click on Lab 1 User
  3. Select Sign out

 

Conclusion


We have shown how easy it is to integrate VMware Identity Manager with a RADIUS-compatible 2FA solution. You can leave FreeRADIUS running; if you are taking the Modules in a different order and a later Module asks you to log in from the Windows 10 VM, please use the RADIUS password 123456 instead of VMware1!

VMware Identity Manager also comes with a built-in 2FA solution. Due to the networking limitations of this environment we could not show it in this lab, but you can learn more about it here: VMware Verify.

You can find a walkthrough of VMware Verify below:

http://support.vmtestdrive.com/article/252-vmware-verify-demo-walkthrough

VMware Verify uses mobile push tokens, leveraging the Verify app for iOS and Android.


 

Conclusion

 

You can find additional information on User Authentication options, including RADIUS, in the documentation for VMware Identity Manager.

The QR-Code will take you to the link below:

Configuring RADIUS for VMware Identity Manager.

 

 

Choose Module to continue with

You can proceed to the next module or any module below which interests you most:

 

 

Module 5 - Integrating Identity Manager with SAML-based Web App (30 minutes)

Introduction


In this module you will learn how to configure Web and SaaS applications in VMware Identity Manager. With VMware Identity Manager, you can provide Single-Sign-On (SSO) for your users to any web application supporting Security Assertion Markup Language (SAML).

This will allow your users to have a single entry point for applications (ThinApps, Citrix XenApp, RDSH, SaaS) and VDI Desktops. With AirWatch you can even extend this to mobile apps.


 

Lab Ready?

 

1. Make sure the Lab Status is Ready

2. Open README.txt

3. Make yourself familiar with the content of README.txt. This will make your life easier by allowing you to copy/paste rather than type, especially if you don't have a US keyboard.

 

Create Web Based Application Shortcut


In this example we will create a simple shortcut for a Web Application, without passing any user information for single-sign-on. This basically just creates a Bookmark and is the simplest form of integrating a Web Application or Website into VMware Identity Manager.


 

Login to VMware Identity Manager

 

  1. Open WS1 Admin in Chrome
  2. Username: admin
  3. Password: VMware1!
  4. Click Sign in

 

 

Create New Web Application

 

  1. Click 'Catalog'
  2. Click 'Add Application'
  3. Under Web Application select '...create new one'

 

 

Add Entitlement

 

  1. Click on 'Add group entitlement'

 

 

Verify vSphere Web Client Shortcut is available

 

  1. Click drop down menu next to user name
  2. Select 'User Portal'

 

Add SAML based Web Application and SSO Configuration


In this lab we will add our SAML 2.0 Test-App and configure VMware Identity Manager to pass user information to the app. In preparation for this lab, we already configured the SAML Test-App to trust VMware Identity Manager by adding the certificate to the Test-App.


 

Switch back to Administration Console

 

  1. Click the drop down menu next to the user name
  2. Select 'Administration Console'

 

 

SAML 2.0 Preparation

 

SAML Integration requires configuration on the VMware Identity Manager side and on the side of the application you want to integrate. For the SAML 2.0 test app we use later in this lab, this configuration was done for you. You can find the necessary information (signing certificate and IdP URL) in the Administration Console:

  1. Click drop-down menu
  2. Select 'Settings'
  3. Click 'SAML Metadata'
  4. SAML Metadata (IdP and SP) can be retrieved here
  5. Signing Certificate

 

 

 

Configuration SAML Test App

 

You don't have to perform this step in the lab.

As the configuration is very specific to this simple test-app, we didn't add those steps to the lab. However, if you are really interested, you can use WinSCP or PuTTY to look at the settings.php file on saml-test.corp.local; the file is located under /var/www/html/saml/demo.

 

 

Add SAML Application

 

  1. Click on 'Catalog'
  2. Click on 'Add Application'
  3. Select '...create a new one'

 

 

Add Entitlement

 

  1. Click 'Add group entitlement'

 

 

Open New Incognito Browser Window

 

  1. Click on the 3 vertical dots
  2. Select 'New incognito window'

 

 

Log In to Workspace ONE

 

  1. Click Next

 

 

Open SAML 2.0 APP

 

  1. Click SAML 2.0 App

 

 

Verify attributes are displayed

 

  1. Verify attributes firstname/lastname, username and principalname (=email) have been passed correctly to the SAML-Test App
  2. Click 'Close Tab'

 

For this to work, the necessary information must be available for each user in Active Directory and the attributes need to be synced with vIDM. If you make changes to attributes in AD, a sync between VMware Identity Manager and the Directory has to happen.

 

 

Cloud Application Catalog

 

VMware Identity Manager also allows for adding a 'Web Application from the cloud application catalog'. Since this environment is not connected to the Internet, you won't be able to test this option. The catalog currently consists of over 90 (and growing) pre-configured templates for commonly used web/SaaS applications such as ADP, Salesforce.com, Office 365, Workday, ServiceNow and many others.

The steps below won't work in the HOL environment, as this environment is not connected to the Internet; they are meant just as a reference.

  1. Add Application
  2. Web Application ...from the cloud application catalog

 

Conclusion


In this module you learned how to add a simple shortcut for a web-based application and how to integrate a more complex SAML 2.0 based application, to which we passed certain user-specific attributes. Depending on the application you want to integrate, you might have to configure different settings in VMware Identity Manager and in your application. Always consult the documentation for VMware Identity Manager and your application for details.


 

VMware Identity Manager Integration Documentation Library

 

You can find more information on our website:

https://www.vmware.com/support/pubs/vidm_webapp_sso.html

 

 

Choose Module to continue with

You can proceed to the next module or any module below which interests you most:

 

Lab Conclusion

Conclusion



 

This concludes lab 1851-05-MBL. Please make sure to fill out the survey at the end.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1851-05-ADV

Version: 20180614-203637