VMware Hands-on Labs - HOL-1957-02-UEM


Lab Overview - HOL-1957-02-UEM - Workspace ONE UEM - Identity Management

Lab Guidance


Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Learn how VMware Identity Manager can act as the primary Identity Provider or federate your authentication to other 3rd Party Identity Providers to provide Single Sign-On capabilities and rich access policies for your workforce.  Learn how to configure and manage VMware Identity Manager for both Software-as-a-Service (SaaS) and on-premises scenarios.  Lastly, explore how the VMware Identity Manager REST APIs can assist in automating common tasks and procedures.

Lab Module List:

Lab Captains:

Subject Matter Experts:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session, but you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes; each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes; each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides typing it in directly, there are two helpful methods of entering data that make it easier to enter complex strings.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@ key".

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs take advantage of this benefit, which allows the labs to run out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Install, Configure and Manage VMware Identity Manager

Introduction


This lab will review how to install, configure, and manage VMware Identity Manager.  These exercises include:

  1. Setup and Install the VMware Identity Manager Connector
  2. Configure, Sync, and Manage Directories and Users
  3. Configuring Identity Providers (IdP) and Authentication Methods for Kerberos and RADIUS
  4. Configuring and Entitling Applications

Connect to the Conn-01a Server


 

Double-click the conn-01a.rdp link on the Desktop to connect to the Conn-01a Server.

For the initial part of this lab, you will be installing the VMware Identity Manager Connector on the designated server.  It is recommended to install the VMware Identity Manager Connector on a dedicated server or Virtual Machine (VM).


Install and Configure the VMware Identity Manager Connector


The VMware Enterprise Systems Connector has already been downloaded for you.  The VMware Enterprise Systems Connector contains both the AirWatch Cloud Controller (ACC) and VMware Identity Manager Connector services.  For this lab, you will only be installing the VMware Identity Manager Connector service in order to sync and authenticate Active Directory users with your VMware Identity Manager Tenant.


 

Start the VMware Enterprise Systems Connector Installer

 

  1. Click the File Explorer icon from the taskbar.
  2. Click Documents.
  3. Click HOL.
  4. Double-click the VMware Enterprise Systems Connector 9.4.0.0 Installer.exe file.

 

Return to the Main Console


 

With the VMware Identity Manager Connector installed, you will configure the remainder of the requirements for this lab from the Main Console.

Click the Close (X) button on the Remote Desktop Connection bar at the top of your screen.

NOTE: If you do not see the Remote Desktop Connection bar, you may have un-pinned the bar.  Hover your mouse over the top and center part of the screen to reveal it.


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password, and the Security PIN is to protect certain administrative functionality in the console.

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Login to the VMware Identity Manager Console


A temporary VMware Identity Manager tenant has been generated for you to use throughout this lab.  The VMware Identity Manager tenant URL and login details were uploaded to the Content section in the Workspace ONE UEM Console at the start of the lab.


 

Accessing Your Tenant Details in the Workspace ONE UEM Console

 

In the Workspace ONE UEM Console:

  1. Click Content.
  2. Expand Content Locker.
  3. Click List View.
  4. Find the text file named vIDM Tenant Details for your@email.shown.here.txt and click the toggle button beside it to select the file.
  5. Click Download.

 

 

Login to Your VMware Identity Manager Tenant

You will now log in to your VMware Identity Manager tenant for the following steps.

 

Configure Your VMware Identity Manager Tenant


Before configuring the Directory Services and the VMware Identity Manager settings in the AirWatch Console, you will need to make some configuration changes to your VMware Identity Manager tenant to ensure your Active Directory users are imported and mapped properly based on your configuration.

Continue to the next step.


 

Edit User Attributes

 

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click User Attributes.
  4. Enable distinguishedName by clicking the checkbox next to the field.
  5. Enable userPrincipalName by clicking the checkbox next to the field.
    NOTE - You may need to scroll down to find the distinguishedName and userPrincipalName attributes.

 

 

Save User Attribute Changes

 

  1. Scroll down to the bottom of the page.
  2. Click Save.

 

Create and Configure the VMware Identity Manager Connector


 

In the VMware Identity Manager Administrator Console,

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click Connectors.
  4. Click Add Connector.

 

Generate the Connector Activation Code

 

  1. Enter Lab for the Connector ID Name.
  2. Click Generate Activation Code.

 

 

Activate the Connector

 

To activate the VMware Identity Manager Connector, connect over port 8443 to the host where the VMware Identity Manager Connector service was installed.  You installed the VMware Identity Manager Connector service on conn-01a.corp.local in earlier steps.

  1. Click the Options button
  2. Click New Tab
  3. Enter https://conn-01a.corp.local:8443/cfg and press ENTER

 

 

Verify the Connector Activated

 

Back in the VMware Identity Manager Console,

  1. Click the Refresh button in the browser.
  2. Click Identity & Access Management.
  3. Click Setup.
  4. Click Connectors.
  5. Confirm that the Connector now shows the Hostname as conn-01a.corp.local and the Worker named Lab.

This confirms that you have successfully set up and installed the VMware Identity Manager Windows Connector.

 

 

Sync Directory Users to VMware Identity Manager


This section will review how to add a new Directory in VMware Identity Manager and then sync users from our Active Directory into our VMware Identity Manager tenant.


 

Add an Active Directory over LDAP

 

In the VMware Identity Manager Administrator Console,

  1. Click Identity & Access Management
  2. Click Directories
  3. Click Add Directory
  4. Click Add Active Directory over LDAP/IWA

 

 

Confirm the Synced Users Exist

 

  1. Click Users & Groups.
  2. Confirm the corp.local users have synced and are displayed here.

This confirms that you have successfully added a directory to your VMware Identity Manager tenant and you were able to use your previously installed Connector to sync Active Directory users to the directory.

 

Setup an Identity Provider to use Password Cloud Deployment


This section will review how to configure the Built-In Identity Provider (IdP) to allow your corp.local domain users to provide their AD credentials to sign in to the VMware Identity Manager tenant.


 

Configure the Built-In Identity Provider

 

  1. Click Identity & Access Management.
  2. Click Identity Providers.
  3. Click Built-In.

 

 

Configure the Access Policy

 

  1. Click Identity & Access Management
  2. Click Policies
  3. Click Edit Default Policy

 

 

Verify that corp.local Users Can Login

 

  1. Click Options
  2. Click New incognito window
  3. Enter https://{yourtenant}.vidmpreview.com to navigate back to the login screen of your VMware Identity Manager tenant
    NOTE - Replace {yourtenant} with your tenant name!

 

Setup a Weblink Application and Entitle Users


This section will review how to create a Weblink Application and how to entitle your synced users to access the application.


 

 

In the VMware Identity Manager Administrator Console,

  1. Click Catalog.
  2. Click New.

 

 

 

  1. Click Options
  2. Click New incognito window
  3. Enter https://{yourtenant}.vidmpreview.com to navigate back to the login screen of your VMware Identity Manager tenant
    NOTE - Replace {yourtenant} with your tenant name!

 

Setup Kerberos Authentication Adapter


This section will review how to configure Kerberos authentication through the IDM Connector to enable Windows Single Sign On.


 

Enable the Kerberos Authentication Adapter on the Connector

 

The setupKerberos.bat file that enables Kerberos authentication for the VMware Identity Manager Connector is located on the server where the VMware Identity Manager Connector service was installed, which was conn-01a.corp.local.

Double-click the conn-01a.rdp link on the Main Console Desktop to connect to the conn-01a server.

 

 

Update the Policy Rules

 

  1. Click Identity & Access Management
  2. Click Manage
  3. Click Policies
  4. Click Edit Default Policy

 

 

Authenticate with Kerberos using the Workspace ONE App

 

From the Desktop, double-click the Win10-01a.rdp shortcut.

 

 

Return to the Main Console

 

Click the X on the Remote Desktop session at the top of your screen to return to the Main Console.

 

Setup RADIUS Authentication


This section will detail how to install and configure a RADIUS server and client for Windows, and how to integrate RADIUS with IDM by enabling the RADIUS Cloud Deployment authentication method.


 

Connect to the Conn-01a Server

 

You will configure the RADIUS server and client on the conn-01a.corp.local server for this exercise.

Double-click the conn-01a.rdp link on the Desktop to connect to the Conn-01a Server.

 

 

Install and Configure a RADIUS Server for Windows

 

  1. Click Server Manager from the task bar.
  2. Click Manage.
  3. Click Add Roles and Features.

 

 

Return to the Main Console

 

With the RADIUS client configured, you will configure the remainder of the requirements from the Main Console.

Click the Close (X) button on the Remote Desktop Connection bar at the top of your screen.

NOTE: If you do not see the Remote Desktop Connection bar, you may have un-pinned the bar.  Hover your mouse over the top and center part of the screen to reveal it.

 

 

Configure the RADIUS Authentication Method for VMware Identity Manager

 

In the VMware Identity Manager Administration Console,

  1. Click Identity & Access Management
  2. Click Setup
  3. Click Connectors
  4. Click Lab

 

 

Configure the Identity Providers

 

  1. Click Identity & Access Management
  2. Click Identity Providers
  3. Click Built-In

 

 

Configure the Policy Rules

 

  1. Click Identity & Access Management.
  2. Click Policies.
  3. Click Edit Default Policy.

 

 

Test RADIUS Authentication from a Web Browser

 

  1. Click Options
  2. Click New incognito window
  3. Enter https://{yourtenant}.vidmpreview.com to navigate back to the login screen of your VMware Identity Manager tenant
    NOTE - Replace {yourtenant} with your tenant name!

 

Instructions for Taking Additional Lab Modules


 

If you are interested in taking additional modules for this lab, please click the END button in the VMware Learning Platform and then relaunch the lab.

Since each module in this lab takes advantage of configuring VMware Identity Manager and the VMware Identity Manager Connector for different use cases, the quickest way to start with a clean infrastructure to complete the next module is to restart the lab.  Once you restart, navigate to the next module using the Table of Contents as shown in the Lab Guidance section.


Conclusion


In this exercise, you learned how to:

This first look into installing, configuring and managing VMware Identity Manager showcases the flexibility and customization you have for creating access policies based on the needs of your enterprise.  Your Identity Providers and Access Policies can be setup to allow your users to authenticate in ways they are familiar with, without needing to spend time re-building these authentication policies from the ground up.

Be sure to check out the additional VMware Identity Manager exercises for additional learning and authentication possibilities.


Module 2 - On-Premises Install for VMware Identity Manager

Introduction


VMware Identity Manager is the identity component of VMware Workspace ONE. This service is available as either a SaaS (Software as a Service) or an on-premises service. The on-premises distribution can be deployed as either a Linux-based OVA or installed on a Windows server.

This hands-on lab will walk you through the installation of the VMware Identity Manager service on a Windows server, as well as its integration with an on-premises Active Directory environment for user sync and authentication.

This exercise will follow an architecture in which the different components of VMware Identity Manager are distributed across separate dedicated Windows servers. This allows for a more flexible architecture, in which the main VMware Identity Manager service is placed in a public-facing DMZ, while the Active Directory connector and SQL database are maintained within the internal network.

A reference architecture of the VMware Identity Manager service and other services in the Workspace ONE platform can be found in the VMware TechZone: https://techzone.vmware.com/resource/vmware-workspace-one-and-vmware-horizon-7-enterprise-edition-premises-reference


Lab Architecture


We have simplified the architecture to limit the scope of this lab. Let's take a look at the different components involved.


 

Components and sub-systems

 

Main Console (192.168.110.10)

vidm-01a (192.168.110.14)

conn-01a (192.168.110.15)

sql-01a (192.168.110.13)

 

 

Use Case and Requirements

For this exercise, the following use cases apply:

For these use cases, the following requirements and decisions are made:

The benefits of this setup are:

 

Create VMware Identity Manager SQL Database


In this exercise, we are going to create a SQL Database for VMware Identity Manager. During the VMware Identity Manager installation process, we will be referencing this database as the target database.


 

Copy the CreateVidmDb Script

 

  1. Click the File Explorer icon from the taskbar
  2. Click Documents
  3. Click HOL
  4. Click VMware Identity Manager
  5. Right-Click CreateVidmDb.txt
  6. Click Edit with Notepad++

 

 

Run the CreateVidmDb Script

 

From the Desktop, double-click SQL Server 2014 Management Studio

 

Install the VMware Identity Manager Service


In this exercise, we are going to run the VMware Identity Manager service application installer to install the VMware Identity Manager service. As discussed in the introduction, we have a dedicated server, vidm-01a.corp.local, set up to host the VMware Identity Manager service, and we will be installing the service on that server.


 

Connect to VIDM-01 RDP

 

From the Desktop, click the vidm-01a.rdp shortcut.

 

 

Run the VMware Identity Manager Service Installer

 

  1. Click the File Explorer icon from the taskbar on the vidm-01a.corp.local server.
  2. Click Documents.
  3. Click HOL.
  4. Right-click the VMware_Identity_Manager_3.2.0.1_Full_Install.exe file.
  5. Click Run as administrator.

 

 

Complete the VMware Identity Manager Service Install

 

Click Next.

NOTE: It might take a couple of minutes for the installer to load.

 

 

Complete the VMware Identity Manager Setup Wizard

 

  1. Click Advanced.
  2. Click Proceed to vidm-01a.corp.local (unsafe).

Why are you seeing an invalid certificate error?  If you recall, we do not provide an SSL certificate as part of the VMware Identity Manager Service installer.  You will be uploading the SSL certificate after the Setup Wizard, which you are accessing now.

 

 

Perform Initial Configuration in the Administration Console

 

  1. Enter admin for the username.
  2. Enter VMware1! for the password.
  3. Click Sign in.

These credentials are for the Appliance Administrator you configured in the previous steps during the Setup Wizard.

 

 

Return to the Main Console

 

You will return to the Main Console to complete additional exercises.  Click the Close (X) button on the Remote Desktop Connection bar at the top of your screen.

 

Navigate to the VMware Identity Manager Admin Console


 

Double-click the Chrome Browser on the lab desktop.


 

Navigate to the VMware Identity Manager Admin Console

 

  1. Click Options.
  2. Click New tab.
  3. Enter https://vidm-01a.corp.local and press ENTER.

Remember that you installed the VMware Identity Manager service with the hostname vidm-01a.corp.local.  This is where your users will navigate to in order to access the administration console.

 

 

Login to the VMware Identity Manager Administration Console

 

  1. Enter admin for the Username.
  2. Enter VMware1! for the Password.
  3. Click Sign in.

These are the administrator credentials you created during the VMware Identity Manager service installation.

 

 

Confirm Authentication was Successful

 

If the VMware Identity Manager Administration Console loads as shown above, then you were able to authenticate successfully.  You will be returning to the Administration Console in later steps for additional configuration.

 

Install the VMware Identity Manager Connector


The VMware Identity Manager Connector will be responsible for integrating VMware Identity Manager with the on-premises Active Directory. This exercise will guide you through installing the VMware Identity Manager Connector with the proper configuration to meet the use case and requirements we discussed in the introduction.


 

Connect to the Conn-01a Server

 

Double-click the conn-01a.rdp link on the Desktop to connect to the Conn-01a Server.

You will be installing the VMware Identity Manager Connector on the designated server.  It is recommended to install the VMware Identity Manager Connector on a dedicated server or Virtual Machine (VM).

 

 

Start the Computer Browser Service

 

Click the Windows Start Button from the task bar of the conn-01a Server.

 

 

Enable NetBIOS over TCP/IP

 

  1. Right-click the Network icon.
  2. Click Open Network and Sharing Center.
  3. Click Ethernet0 2 from the Network and Sharing Center.

 

 

Start the VMware Enterprise Systems Connector Installer

 

  1. Click the File Explorer icon from the taskbar.
  2. Click Documents.
  3. Click HOL.
  4. Right-click the VMware Enterprise Systems Connector Installer.exe file.
  5. Click Run as Administrator.

 

 

Return to the Main Console

 

With the VMware Identity Manager Connector installed, you will configure the remainder of the requirements for this exercise from the Main Console.

Click the Close (X) button on the Remote Desktop Connection bar at the top of your screen.

NOTE: If you do not see the Remote Desktop Connection bar, you may have un-pinned the bar.  Hover your mouse over the top and center part of the screen to reveal it.

 

Activate the VMware Identity Manager Connector


In the previous exercise, we completed the installation of the VMware Identity Manager Connector, but we did not activate the Connector yet.  In this exercise, you will activate and register the VMware Identity Manager Connector from the VMware Identity Manager Administration Console.


 

Add a Connector

 

Return to Google Chrome.  In the VMware Identity Manager Administrator Console,

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click Connectors.
  4. Click Add Connector.

 

 

Activate the Connector

 

To activate the VMware Identity Manager Connector, you can connect to the hostname over port 8443 where the VMware Identity Manager Connector service was installed.  You installed the VMware Identity Manager Connector service on conn-01a.corp.local in earlier steps.

  1. Click the Options button
  2. Click New Tab
  3. Enter https://conn-01a.corp.local:8443/cfg and press ENTER

 

 

Verify the Connector Activated

 

Back in the VMware Identity Manager Console,

  1. Click the Refresh button in the browser.
  2. Click Identity & Access Management.
  3. Click Setup.
  4. Click Connectors.
  5. Confirm that the Connector now shows the Hostname as conn-01a.corp.local and the Worker named Lab.

This confirms that you have successfully set up and installed the VMware Identity Manager Windows Connector.

 

 

Sync Directory Users to VMware Identity Manager


This section will review how to add a new Directory in VMware Identity Manager and then sync users from our Active Directory into our VMware Identity Manager tenant.


 

Add an Active Directory over LDAP

 

In the VMware Identity Manager Administrator Console,

  1. Click Identity & Access Management
  2. Click Directories
  3. Click Add Directory
  4. Click Add Active Directory over LDAP/IWA

 

 

Confirm the Synced Users Exist

 

  1. Click Users & Groups.
  2. Confirm the corp.local users have synced and are displayed here.

This confirms that you have successfully added a directory to your VMware Identity Manager tenant and were able to use your previously installed Connector to sync Active Directory users to the directory.

 

Login as a Domain User


Now that you have successfully synced your corp.local domain users to VMware Identity Manager by using the VMware Identity Manager Connector, you will confirm that you are able to authenticate to the VMware Identity Manager Console by providing credentials for a corp.local domain user.


 

Verify that corp.local Users Can Login

 

  1. Click Options
  2. Click New incognito window
  3. Enter https://vidm-01a.corp.local to navigate back to the login screen of your VMware Identity Manager Console.

 

 

Close the Incognito Session

 

Click the Close button in the top-right corner of the Incognito session to return to the VMware Identity Manager Administration Console.

 

Setup Kerberos Authentication Adapter


This section will review how to configure Kerberos authentication through the IDM Connector to enable Windows Single Sign On.


 

Setup Kerberos Authentication using the Batch File

 

The setupKerberos.bat file that needs to be run is on the server where the VMware Identity Manager Connector service was installed, which was conn-01a.corp.local.

Double-click the conn-01a.rdp link on the Desktop to connect to the conn-01a server.

 

 

Enable the Kerberos Authentication Adapter on the Connector

 

In the VMware Identity Manager Administration Console,

  1. Click Identity & Access Management
  2. Click Setup
  3. Click Connectors
  4. Click the Lab worker link

 

 

Update the Policy Rules

 

  1. Click Identity & Access Management.
  2. Click Manage.
  3. Click Policies.
  4. Click Edit Default Policy.

 

 

Authenticate with Kerberos using the Workspace ONE App

 

From the Desktop, double-click the Win10-01a.rdp shortcut.

 

 

Return to the Main Console

 

Click the X on the Remote Desktop session at the top of your screen to return to the Main Console.

 

Instructions for Taking Additional Lab Modules


 

If you are interested in taking additional modules for this lab, please click the END button in the VMware Learning Platform and then relaunch the lab.

Since each module in this lab takes advantage of configuring VMware Identity Manager and the VMware Identity Manager Connector for different use cases, the quickest way to start with a clean infrastructure to complete the next module is to restart the lab.  Once you restart, navigate to the next module using the Table of Contents as shown in the Lab Guidance section.


Conclusion


In this exercise, you have completed the process of deploying VMware Identity Manager on-premises. This deployment followed the standard architecture in which the different components of VMware Identity Manager are installed on separate dedicated servers. This architecture was composed of the main VMware Identity Manager service running on a non-domain-joined Windows server, and the VMware Identity Manager Connector and SQL database running on dedicated, domain-joined Windows servers.

After successful installation of the different components, VMware Identity Manager was integrated with an on-premises Active Directory server for both user sync and authentication. Authentication for the LDAP and Kerberos protocols was configured and tested successfully.

This concludes this lab.


Module 3 - Third party Identity Provider Integration with ADFS

Introduction


Active Directory Federation Services (AD FS) is a Windows Server component that provides single sign-on access to applications and systems for users using claims-based authentication.  You can configure VMware Identity Manager to use Active Directory Federation Service (AD FS) as the third-party identity provider for authentication.  In this lab, we’ll review how to install and configure AD FS and how to add AD FS as a 3rd party IdP in VMware Identity Manager.


 

Prerequisites

For this exercise, all of the prerequisites will be available to you.

 

AD FS Overview


 

AD FS utilizes claims-based authorization to implement identity federation.  By default, VMware Identity Manager uses Security Assertion Markup Language (SAML), which is an assertion-based form of authorization. Conceptually, there are many parallels between SAML and AD FS. Use these similarities, outlined in the above table, as a foundation for understanding VMware Identity Manager and AD FS integration.


 

AD FS Claims

A claim is a statement about a user that includes values about the user (e.g., user principal name (UPN), email address, role, group, Windows account name) and is contained in a trusted token.  Trusted parties, called relying parties, use the values stored in the claim to determine how to authorize the request.

Claims providers, such as your Active Directory, source and sign these claims.  The Federation Service brokers trust between claims providers and relying parties by processing and exchanging claims between these parties, allowing authorization decisions to be made based on the statements in the claim.

  1. The client requests a trusted token for access to a relying party, such as a web-hosted application.
  2. The client authenticates against AD FS, validated by the trusted attribute store.
  3. A trusted token is returned to the client upon successful authentication, and the client presents the trusted token to the relying party.
  4. The relying party validates the trusted token and allows access.

 

Install and Configure AD FS (Video Walkthrough)


For this exercise, you will need AD FS installed and configured to authenticate our domain users.  Since the focus of this exercise is to integrate VMware Identity Manager with an existing AD FS deployment, you will not be installing the AD FS instance from scratch.

The video below demonstrates how to install and configure a basic AD FS deployment; in this lab, that deployment has already been configured for you.  If you are interested in seeing the initial installation, watch the video for a step-by-step walk-through of the process.  Otherwise, continue to the next step of the exercise.


Download the ADFS Federation Metadata XML


To establish trust between VMware Identity Manager and our ADFS instance, you will need to download the ADFS Federation Metadata.  


 

Download the Federation Metadata XML

 

Double-click the Chrome Browser on the lab desktop.

 

 

Finding the Federation Metadata Endpoint

Before continuing, you may be wondering how to get the Federation Metadata endpoint.  Review the next steps to see how to retrieve the Federation Metadata endpoint from your ADFS server.
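As an added example (not part of the HOL guide), the following Python script parses a FederationMetadata.xml the way an administrator would inspect it before importing it into VMware Identity Manager: it reads the IdP entityID, the SingleSignOnService endpoints and the SHA-256 fingerprint of each signing certificate, and lists anything that should stop you from trusting the file as-is. The metadata path /FederationMetadata/2007-06/FederationMetadata.xml is the standard AD FS location and is assumed here rather than taken from the guide; the host adfs-01a.corp.local, the entityID and the certificate bytes in SAMPLE_METADATA are constructed placeholders, not real AD FS output.

```python
"""Inspect an AD FS FederationMetadata.xml before importing it into VMware
Identity Manager: entityID, SAML SSO endpoints, signing-cert fingerprints.

Added example, not part of the HOL guide.  FEDERATION_METADATA_PATH is the
standard AD FS metadata path (assumed from general AD FS knowledge, not from
the guide).  SAMPLE_METADATA is a constructed, trimmed-down document: the
element names are the real SAML metadata ones, but the host, entityID and
certificate blob are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
FEDERATION_METADATA_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"

# Constructed placeholder: arbitrary bytes, not an X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder-signing-cert-bytes").decode()

SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="http://adfs-01a.corp.local/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs-01a.corp.local/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs-01a.corp.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def metadata_url(adfs_host: str) -> str:
    """URL from which the FederationMetadata.xml is downloaded (standard AD FS path)."""
    return f"https://{adfs_host}{FEDERATION_METADATA_PATH}"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the entityID, SSO endpoints keyed by binding, and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata describes no IdP role (no IDPSSODescriptor)")
    sso = {}
    for svc in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
        # Keep only the short binding name, e.g. HTTP-POST.
        sso[svc.get("Binding", "").rsplit(":", 1)[-1]] = svc.get("Location")
    fingerprints = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without a "use" attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_sha256": fingerprints}


def check_idp_metadata(info: dict, expected_entity_id: str) -> list:
    """Problems to resolve before trusting this IdP; an empty list means it looks sane."""
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append(f"entityID {info['entity_id']!r} differs from expected {expected_entity_id!r}")
    if not info["signing_sha256"]:
        problems.append("no signing certificate: SAML responses could not be verified")
    if "HTTP-POST" not in info["sso"] and "HTTP-Redirect" not in info["sso"]:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, location in info["sso"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"{binding} endpoint is not https: {location}")
    return problems


if __name__ == "__main__":
    print(metadata_url("adfs-01a.corp.local"))
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info)
    print(check_idp_metadata(info, "http://adfs-01a.corp.local/adfs/services/trust") or "metadata looks sane")
```

Compare the printed fingerprint with the token-signing certificate shown in AD FS Management before accepting the file, and run the check again whenever AD FS rolls that certificate, because the Identity Provider entry in VMware Identity Manager only trusts the certificate it was configured with.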

 

Connect to the Conn-01a Server


 

Double-click the conn-01a.rdp link on the Desktop to connect to the Conn-01a Server.

For the initial part of this lab, you will be installing the VMware Identity Manager Connector on the designated server.  It is recommended to install the VMware Identity Manager Connector on a dedicated server or Virtual Machine (VM).


Install and Configure the VMware Identity Manager Connector


The VMware Enterprise Systems Connector has already been downloaded for you.  The VMware Enterprise Systems Connector contains both the AirWatch Cloud Controller (ACC) and VMware Identity Manager Connector services.  For this lab, you will only be installing the VMware Identity Manager Connector service in order to sync and authenticate Active Directory users with your VMware Identity Manager Tenant.


 

Start the VMware Enterprise Systems Connector Installer

 

  1. Click the File Explorer icon from the taskbar.
  2. Click Documents.
  3. Click HOL.
  4. Double-click the VMware Enterprise Systems Connector Installer.exe file.

 

Return to the Main Console


 

With the VMware Identity Manager Connector installed, you will configure the remainder of the requirements for this lab from the Main Console.

Click the Close (X) button on the Remote Desktop Connection bar at the top of your screen.

NOTE - If you do not see the Remote Desktop Connection bar, you may have un-pinned the bar.  Hover your mouse over the top and center part of the screen to reveal it.


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Login to the VMware Identity Manager Console


A temporary VMware Identity Manager tenant has been generated for you to use throughout this lab.  The VMware Identity Manager tenant URL and login details were uploaded to the Content section in the Workspace ONE UEM Console at the start of the lab.


 

Accessing Your Tenant Details in the Workspace ONE UEM Console

 

In the Workspace ONE UEM Console:

  1. Click Content.
  2. Expand Content Locker.
  3. Click List View.
  4. Find the text file named vIDM Tenant Details for your@email.shown.here.txt and click the toggle button beside it to select the file.
  5. Click Download.

 

 

Login to Your VMware Identity Manager Tenant

You will now login to your VMware Identity Manager tenant for the following steps.

 

Configure Your VMware Identity Manager Tenant


Before configuring the Directory Services and the VMware Identity Manager settings in the AirWatch Console, you will need to make some configuration changes to your VMware Identity Manager tenant to ensure our Active Directory users are imported and mapped properly based on our configuration.

Continue to the next step.


 

Edit User Attributes

 

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click User Attributes.
  4. Enable distinguishedName by clicking the checkbox next to the field.
  5. Enable userPrincipalName by clicking the checkbox next to the field.
    NOTE - You may need to scroll down to find the distinguishedName and userPrincipalName attributes.

 

 

Save User Attribute Changes

 

  1. Scroll down to the bottom of the page.
  2. Click Save.

 

Create and Configure the VMware Identity Manager Connector


 

In the VMware Identity Manager Administrator Console,

  1. Click Identity & Access Management
  2. Click Setup
  3. Click Connectors
  4. Click Add Connector

 

Generate the Connector Activation Code

 

  1. Enter Lab for the Connector ID Name.
  2. Click Generate Activation Code.

 

 

Activate the Connector

 

To activate the VMware Identity Manager Connector, connect over port 8443 to the host where the VMware Identity Manager Connector service was installed.  You installed the VMware Identity Manager Connector service on conn-01a.corp.local in earlier steps.

  1. Click the Options button
  2. Click New Tab
  3. Enter https://conn-01a.corp.local:8443/cfg and press ENTER

 

 

Verify the Connector Activated

 

Back in the VMware Identity Manager Console,

  1. Click the Refresh button in the browser.
  2. Click Identity & Access Management.
  3. Click Setup.
  4. Click Connectors.
  5. Confirm that the Connector now shows the Hostname as conn-01a.corp.local and the Worker named Lab.

This confirms that you have successfully set up and installed the VMware Identity Manager Windows Connector.

 

 

Sync Directory Users to VMware Identity Manager


This section will review how to add a new Directory in VMware Identity Manager and then sync users from our Active Directory into our VMware Identity Manager tenant.


 

Add an Active Directory over LDAP

 

In the VMware Identity Manager Administrator Console,

  1. Click Identity & Access Management
  2. Click Directories
  3. Click Add Directory
  4. Click Add Active Directory over LDAP/IWA

 

 

Confirm the Synced Users Exist

 

  1. Click Users & Groups.
  2. Confirm the corp.local users have synced and are displayed here.

This confirms that you have successfully added a directory to your VMware Identity Manager tenant and were able to use your previously installed Connector to sync Active Directory users to the directory.

 

Create a Third Party Identity Provider


In order for AD FS to authenticate our users, we need to create a Third Party Identity Provider (IdP) within VMware Identity Manager and use the FederationMetadata.xml downloaded from our Federation Service to establish trust between AD FS as the Identity Provider and VMware Identity Manager as the Service Provider.  


 

Copy the ADFS Federation Metadata XML

 

  1. Click the File Explorer icon from the taskbar.
  2. Click Documents.
  3. Right-click the FederationMetadata.xml.
  4. Click the Edit with Notepad++.

 

 

Create Third Party Identity Provider in VMware Identity Manager

 

Navigate to your VMware Identity Manager Administration Console in Chrome.

  1. Click Identity & Access Management
  2. Click Identity Providers
  3. Click Add Identity Provider
  4. Click Create Third Party IDP

 

Configure Access Policies in VMware Identity Manager


Now that we've created our Third Party IDP for AD FS in VMware Identity Manager, we need to update our Access Policies to use the Authentication Methods we created for it, so that our domain users are authenticated through the Third Party IDP rather than through the default access policy rules, which authenticate domain users with the Password (AirWatch Connector) method.


 

Edit the Access Policy

 

  1. Click Identity & Access Management
  2. Click Policies
  3. Click the default_access_policy_set to edit it

 

 

Create A New Policy Rule for Domain Users

 

  1. Click the Configuration tab.
  2. Click Add Policy Rule.

 

 

Save the Updated Policy Rules

 

Click Save

 

Configure Relying Party Trust in AD FS


With our Third Party IDP configured in VMware Identity Manager and our Service Provider Metadata in hand, we can now configure a Relying Party Trust in AD FS for our VMware Identity Manager tenant.  This will utilize our Service Provider metadata to establish trust between AD FS as the Identity Provider and VMware Identity Manager as the Service Provider.


 

Connect to the adfs-01a Server

 

Double-click the adfs-01a.rdp link from the Desktop.

You will need to modify your ADFS configuration to establish trust to VMware Identity Manager, which must be done from the server where we have installed ADFS.

 

 

Add Relying Party Trust

 

Return to AD FS Management.  If closed, you can either navigate to Server Manager and click Tools > AD FS Management or search for "AD FS Management" from the Start menu.

  1. Expand Trust Relationships
  2. Click Relying Party Trusts
  3. Click Add Relying Party Trust

This will open the Add Relying Party Trust Wizard. Click Start to begin this process once the wizard displays.

 

 

Add Claim Rules for Relying Party

In order to properly authenticate our users, we need to add Claim Rules for our relying party. Claim Rules control the flow of claims and are responsible for taking one or more incoming claims, applying conditions to these claims, and then producing one or more outgoing claims.  Claim Rules and the Claims Engine are responsible for determining if incoming claims should be passed through as they are received, filtered to meet specific business logic criteria, or transformed into a new set of claims before they are issued as an outgoing claim.  

In short, think of Claim Rules as the logic that inspects, processes, and transforms incoming claims to outgoing claims which determine who and how users are authenticated.  For more detailed documentation, check out the Role of Claim Rules.

In this lab, we'll need to create two types of Claim Rules.  

  1. Send LDAP Attributes as Claims:  Meaning that the outgoing claim will contain LDAP attribute values from our attribute store (Active Directory, in this case) that can be used for authentication.
  2. Send Claims using a Custom Rule:  Will use the claim rule language to generate and transform our claim to handle specific business logic requirements needed to authenticate the user in VMware Identity Manager.

 

 

Return to the Main Console

 

Click the Close (X) button on the Remote Desktop Connection bar to return to the Main Console.

 

Login as a Domain User


We have now established trust between AD FS as the Identity Provider and our VMware Identity Manager tenant as the Service Provider, and configured our Relying Party Claim Rules to transform and issue the incoming claim in a format that our VMware Identity Manager tenant can process.  Next, we need to attempt to login using the corp.local domain users and validate that our configurations are working.


 

Connect to the Windows 10 VM

 

Double-click the Win10-01a.rdp remote desktop connection shortcut from the Desktop.

 

 

Authenticate as a Domain User in the Browser

 

  1. Open Google Chrome.
  2. Navigate to your VMware Identity Manager tenant URL (https://{yourtenant}.vidmpreview.com).
    NOTE: Replace {yourtenant} with the name of your actual tenant!
  3. Enter holuser for the username, which is one of the corp.local domain users we synced.  This is also the user account that is currently logged into the win10-01a VM that you are connected to.
  4. Uncheck Remember this setting.
  5. Click Next.

NOTE: The authentication may take several seconds to process, please be patient after clicking Next.

 

 

Authenticate as a Domain User in the VMware Workspace ONE App

 

  1. Launch the VMware Workspace ONE app.
  2. Enter your VMware Identity Manager tenant URL (https://{yourtenant}.vidmpreview.com).
    NOTE: Replace {yourtenant} with the name of your actual tenant!
  3. Click Continue.

 

 

Clear Authorization Cookies (IF NEEDED)

 

The authorization cookies last 8 hours after you authenticate to VMware Identity Manager.  If you need to re-authenticate to test, you can either shorten the re-authentication timers of the Access Policy rules you configured, or clear your authorization cookies so that the browser and VMware Workspace ONE app sessions are removed, which forces the user to authenticate again.

  1. Open Google Chrome and click the Options button.
  2. Click Settings.

 

Troubleshooting


This section will review a few issues you may experience while attempting to integrate a Third Party IDP with VMware Identity Manager and what troubleshooting steps you can take.


 

Cannot Login to the VMware Identity Manager Tenant

Problem:

When the Access Policies are configured incorrectly, authentication may fail for some or all users.  This can cause even your local accounts to be unable to login to the tenant to resolve the issue.

Solution:

To login to the tenant and bypass the configured Access Policies causing the authentication issue, append ?login to your default login URL:

https://<tenantURL>/SAAS/auth/login?login

 

 

VMware Identity Manager: Error: Cannot Update Identity Provider

Problem:

While adding or editing an Identity Provider and attempting to add or update an authentication method, you see the error “Cannot update Identity Provider”.  This prevents you from adding or editing authentication methods when you click save.

Solution:

The SAML context name must be unique in your VMware Identity Manager tenant, including names used by the default authentication methods.  Rename your SAML context name for the chosen authentication method and click save.

 

 

VMware Identity Manager: 404.idp.not.found / federationArtifact.not.found Federation Artifact not found

Problem:

When attempting to login to VMware Identity Manager, an error message is displayed with "404.idp.not.found", "federationArtifact.not.found Federation Artifact not found", or another error that indicates that an Identity Provider or Federation Artifact could not be found to authenticate the users.  This occurs when no Access Policies are set up to handle authenticating the network range, device type, user group, or attempted authentication methods, or if the Claim Rules for the relying party are misconfigured.

Solution:

 

 

AD FS Error: Contact your Administrator

Problem:

When users attempt to authenticate using claims-based authentication to AD FS, they see a login page that says "Error: Contact your administrator".  This occurs because AD FS cannot properly authenticate the claim.

Solution:

 

 

AD FS: Failed Authentication Requests and Viewing Logs

 

 

Problem:

When users attempt to authenticate using claims-based authentication to AD FS from VMware Identity Manager, they are being redirected to AD FS for their credentials appropriately but then receive an error that they could not be authenticated.  AD FS may be configured incorrectly, causing issues with consuming incoming claims, generating outgoing claims, or other issues that would cause authentication to fail.

Solution:

Both solutions will allow you to see traces of your authentication attempts.  Failures and issues are typically noted with the severity levels of Error or Critical, so inspect your logs to see what is causing your authentication to fail.  Typical authentication issues could be:

 

Instructions for Taking Additional Lab Modules


 

If you are interested in taking additional modules for this lab, please click the END button in the VMware Learning Platform and then relaunch the lab.

Since each module in this lab takes advantage of configuring VMware Identity Manager and the VMware Identity Manager Connector for different use cases, the quickest way to start with a clean infrastructure to complete the next module is to restart the lab.  Once you restart, navigate to the next module using the Table of Contents as shown in the Lab Guidance section.


Conclusion


VMware Identity Manager can leverage AD FS as a third party identity provider to securely authenticate users via a claims-based access control authorization model.  Consider how leveraging your existing AD FS deployment with VMware Identity Manager can be used to provide single sign-on access to systems and applications across your organization without re-creating your established authentication policies.

Additional AD FS documentation can be found through Microsoft’s documentation.


Module 4 - VMware Identity Manager REST API

Introduction


The VMware Identity Manager REST API allows you to automate a wide variety of administrative tasks.  In this lab, we will review some sample actions you can perform using the REST API and how to properly authenticate using OAuth.  The goal is to create a new local user account in Identity Manager, create a weblink application, and then update this application to be entitled to our created user.

At the end, we should be able to login to our Workspace ONE console using our generated user and launch our weblink application successfully.


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Login to the VMware Identity Manager Console


A temporary VMware Identity Manager tenant has been generated for you to use throughout this lab.  The VMware Identity Manager tenant URL and login details were uploaded to the Content section in the Workspace ONE UEM Console at the start of the lab.


 

Accessing Your Tenant Details in the Workspace ONE UEM Console

 

In the Workspace ONE UEM Console:

  1. Click Content.
  2. Expand Content Locker.
  3. Click List View.
  4. Find the text file named vIDM Tenant Details for your@email.shown.here.txt and click the toggle button beside it to select the file.
  5. Click Download.

 

 

Login to Your VMware Identity Manager Tenant

You will now login to your VMware Identity Manager tenant for the following steps.

 

Open Postman


We will be utilizing a REST client named Postman to setup and send API requests to VMware Identity Manager through the course of this lab.


 

Open Postman

 

Double-click the Postman icon from the desktop.

NOTE - Postman may take several seconds to launch after double-clicking the icon.  Please wait a moment for the application to launch.

 

 

Note Your VMware Identity Manager Domain Name

The vIDM Tenant Details text file available from the Workspace ONE UEM Console contains a field titled Tenant URL.  

Make note of this field, as further instructions in the lab will ask you to substitute your VMware Identity Manager FQDN (Fully Qualified Domain Name) to direct the API request to your tenant instance; this is the Tenant URL field (e.g., https://yourtenantname.vidmpreview.com).

 

Request an OAuth SessionToken


 

  1. Select POST as the Verb.
  2. Enter https://{your_tenant_fqdn}/SAAS/API/1.0/REST/auth/system/login for the Request URL.
    NOTE - Remember to replace {your_tenant_fqdn} with your VMware Identity Manager Tenant Fully Qualified Domain Name (FQDN).
  3. Click the Headers tab.
  4. Enter Content-Type into the Key field.
  5. Enter application/json into the Value field.
  6. Enter Accept into the Key field.
  7. Enter application/json into the Value field.

 

Setup the Request Body

 

  1. Click the Body tab.
  2. Select Raw.
  3. Enter the below JSON data for the Body.
    {"username":"Administrator", "password":"VMware1!","issueToken":"true"}
  4. Click Send.

 

 

 

View the API Response

 

  1. Scroll down to view the response.
  2. Click the Pretty formatting option.
  3. Ensure Word Wrap is enabled to make the response easier to read.
  4. In the response, you will see a sessionToken field.  This is the OAuth key we will use to authenticate to the API for the remainder of this lab.  Highlight the text (NOT the quotation marks) and right-click.
  5. Click Copy.

 

 

Save the SessionToken Value

 

  1. Click the Windows button.
  2. Type Notepad to search.
  3. Click Notepad from the list of results.

 

Create a Local User in Identity Manager


With a successful authentication returning a valid sessionToken, let's apply this to make an authenticated request to our VMware Identity Manager tenant and create a local user with the API.


 

Setup the Request Headers

 

  1. Select POST as the verb.
  2. Enter https://{your_tenant_fqdn}/SAAS/jersey/manager/api/scim/Users for the Request URL.
    NOTE - Remember to replace {your_tenant_fqdn} with your VMware Identity Manager Tenant Fully Qualified Domain Name (FQDN).
  3. Click the Headers tab.
  4. Enter Authorization for the Key.
  5. Enter HZN for the Value.
    NOTE - Include the extra space after "HZN"! We will be pasting the sessionToken after HZN, and it should appear as HZN {sessionToken}, otherwise the request will fail!
  6. Click Paste to insert the copied sessionToken.

 

 

Setup the Request Body

 

  1. Click the Body tab.
  2. Select Raw.
  3. Enter the below JSON data for the Body.
    {"schemas": [ "urn:scim:schemas:core:1.0" ], "userName": "apiuser", "name": { "givenName": "API", "familyName": "User" }, "emails": [ { "value": "apiuser@test.com" } ], "password": "VMware1!" }
  4. Click Send.

 

 

View the Response

 

  1. Scroll down to view the response.
  2. Confirm that the Status shows 201 Created.  This confirms the user was created.
  3. Review the response of the API request to confirm that the created user details match the values provided in our Request Body from the previous step.  Locate the apiuser data and then find the id field and highlight the text (NOT the quotation marks) and right-click.
  4. Click Copy.

 

 

Save the ID of the Created User

 

  1. Click the Notepad icon from the Task bar.
  2. Enter Created User ID: into the Notepad file beneath your sessionToken.
  3. Right-click and click Paste.

When asked for your Created User ID in future steps, refer to the pasted value here in your Notepad file.

 

 

View the Created User in the Identity Manager Administrator Console

 

Back in the VMware Identity Manager Administrator Console,

  1. Click Users & Groups.
  2. Click the User,API entry.

 

 

Confirm the User Details

 

  1. Scroll through the User Details and confirm they match the values entered from our API request.
  2. Click Back to User List.

 

List Users in Identity Manager


In addition to creating users, you can also query the list of users from Identity Manager.


 

List Users in Identity Manager

 

Our Request URL will remain the same from the previous exercise, https://{your_tenant_fqdn}/SAAS/jersey/manager/api/scim/Users.

  1. Select GET for the verb.
  2. Click Send.
  3. Scroll down to view the response.
  4. Observe the results returned by the query.

Feel free to scroll through the response to confirm the other details of the returned users.

 

Create a Weblink Application in Identity Manager


You can also manage applications in Identity Manager using the API.  Let's explore how to create a weblink type application using the APIs.


 

Setup the Request Headers

 

  1. Select POST as the verb.
  2. Enter https://{your_tenant_fqdn}/SAAS/jersey/manager/api/catalogitems for the request URL.
    NOTE - Remember to replace {your_tenant_fqdn} with your VMware Identity Manager Tenant Fully Qualified Domain Name (FQDN).
  3. Click the Headers tab.
  4. Change the Content-Type Header Value to application/vnd.vmware.horizon.manager.catalog.webapplink+json.
  5. Change the Accept Header Value to application/vnd.vmware.horizon.manager.catalog.webapplink+json.

 

 

Setup the Request Body

 

  1. Click the Body tab.
  2. Select Raw.
  3. Leave the Formatting as Text.  Typically you would choose application/json or application/xml, depending on what format you were working in, but changing this to application/json will reset the Content-Type header we just updated back to application/json, which will cause the request to fail.  The formatting selection here only helps Postman set up the request correctly; the Text formatting option has no impact on the API request itself.
  4. For the Body, enter the below JSON data.
    { "catalogItemType": "WebAppLink", "uuid": "85c040cf-b389-41a0-9efe-c7ca64f985c4", "packageVersion": "1.0", "name": "API Generated Weblink", "productVersion": null, "description": "Web Link Generated by API Lab", "authInfo": { "type": "WebAppLink", "targetUrl" : "https://www.vmware.com" } }
  5. Click Send.

 

 

View the API Response

 

  1. Scroll down to see the response.
  2. Confirm the status shows 201 Created, confirming the application was created.
  3. Click the Body tab.
  4. Find the uuid value in the response, it should match the uuid we provided in our request body (85c040cf-b389-41a0-9efe-c7ca64f985c4).  Highlight this value (NOT including the quotation marks) and right-click.
  5. Click Copy.

We will be using the uuid of the created weblink application

 

 

Copy the uuid of the Created Application

 

  1. Click the Notepad icon from the Task bar.
  2. Type Created Application UUID: and right-click at the end of the text.
  3. Click Paste to insert the uuid.

In later steps when prompted to use the created application uuid, refer to the value you've pasted here.

 

Entitle the Local User to the Weblink App


Our created Weblink application currently has no entitled users, meaning no one can currently access our created application.  We can update the entitlement of this application to include our created local user from earlier, allowing them to access the application in Identity Manager.


 

Setup the Request Headers

 

  1. Select POST as the Verb.
  2. Enter https://{your_tenant_fqdn}/SAAS/jersey/manager/api/entitlements/definitions for the Request URL.
    NOTE - Remember to replace {your_tenant_fqdn} with your VMware Identity Manager Tenant Fully Qualified Domain Name (FQDN).
  3. Click the Headers tab.
  4. For the Content-Type Header Value, enter application/vnd.vmware.horizon.manager.entitlements.definition.bulk+json.
  5. For the Accept Header Value, enter application/vnd.vmware.horizon.manager.bulk.sync.response+json.

 

 

Setup the Request Body

 

  1. Click the Body tab.
  2. Select Raw.
  3. Leave the Formatting as Text.  Same as before, we don't want to change this as Postman will automatically update the Content-Type Header to reflect this field, and changing this back to application/json will cause the request to fail.
  4. Enter the below JSON data for the Body.
    { "returnPayloadOnError" : true, "operations" : [ { "method" : "POST", "data" : { "catalogItemId" : "{YOUR_WEBLINK_UUID}", "subjectType" : "USERS", "subjectId" : "{YOUR_CREATED_USER_ID}", "activationPolicy" : "AUTOMATIC" } }], "_links" : { } }
  5. Replace the {YOUR_WEBLINK_UUID} text with the Created Application UUID value from your Notepad file.  DO NOT remove the surrounding quotation marks!
  6. Replace the {YOUR_CREATED_USER_ID} text with the Created User ID value from your Notepad file.  DO NOT remove the surrounding quotation marks!
  7. Click Send.

 

 

View the API Response

 

  1. Scroll down to view the API response.
  2. Ensure the Status shows 200 OK, confirming that the bulk operations request was completed successfully.
  3. Click the Body tab.
  4. Ensure the code field from the operations array shows 201.  This shows that our operation to update the catalogItemId with our subjectId was successful.  If we had included multiple operations in our JSON body, you would see a status response for each operation noting the result.
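The login, user-creation, weblink and entitlement requests built in Postman over the preceding steps are the same four calls, so here they are as one added Python script (not from the HOL guide or from VMware) that runs the whole module without Postman. The endpoints, headers and JSON bodies are the ones in the steps above, including the "HZN " Authorization scheme and the vendor Content-Type/Accept values; the tenant host yourtenant.vidmpreview.com is a placeholder, and FakeTenant is a constructed stand-in for the tenant so the script can run offline, answering with a constructed sessionToken and ids rather than real ones.

```python
"""Script version of this module's Postman steps: log in for a sessionToken, create a
SCIM user, create a WebAppLink catalog item, then entitle the user to it.
Added example, not from the HOL guide: endpoints, headers and body shapes follow the
guide's steps; the tenant host is a placeholder and FakeTenant is a constructed
stand-in so the script runs offline (omit transport= to call a real tenant)."""
import json, uuid
import urllib.error, urllib.request

JSON = "application/json"
WEBLINK = "application/vnd.vmware.horizon.manager.catalog.webapplink+json"
ENT_REQ = "application/vnd.vmware.horizon.manager.entitlements.definition.bulk+json"
ENT_RESP = "application/vnd.vmware.horizon.manager.bulk.sync.response+json"


def https_send(req):
    """Real transport: POST the prepared request with urllib, return (status, text)."""
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(r) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # non-2xx answers still carry a JSON body
        return err.code, err.read().decode()


class IdmClient:
    def __init__(self, tenant_fqdn, transport=https_send):
        self.base, self.token, self.transport = f"https://{tenant_fqdn}", None, transport

    def _post(self, path, body, content_type, accept, expect):
        headers = {"Content-Type": content_type, "Accept": accept}
        if self.token:  # scheme is "HZN" + one space + sessionToken, as the guide warns
            headers["Authorization"] = f"HZN {self.token}"
        status, text = self.transport({"url": self.base + path, "headers": headers,
                                       "body": json.dumps(body).encode()})
        if status != expect:
            raise RuntimeError(f"{path}: expected HTTP {expect}, got {status}: {text[:200]}")
        return json.loads(text) if text else {}

    def login(self, username, password):
        body = {"username": username, "password": password, "issueToken": "true"}
        self.token = self._post("/SAAS/API/1.0/REST/auth/system/login", body, JSON, JSON, 200)["sessionToken"]
        return self.token

    def create_user(self, user_name, given, family, email, password):
        body = {"schemas": ["urn:scim:schemas:core:1.0"], "userName": user_name,
                "name": {"givenName": given, "familyName": family},
                "emails": [{"value": email}], "password": password}
        return self._post("/SAAS/jersey/manager/api/scim/Users", body, JSON, JSON, 201)["id"]

    def create_weblink(self, name, target_url, item_uuid=None, description=""):
        body = {"catalogItemType": "WebAppLink", "uuid": item_uuid or str(uuid.uuid4()),
                "packageVersion": "1.0", "name": name, "productVersion": None,
                "description": description, "authInfo": {"type": "WebAppLink", "targetUrl": target_url}}
        return self._post("/SAAS/jersey/manager/api/catalogitems", body, WEBLINK, WEBLINK, 201)["uuid"]

    def entitle_user(self, catalog_item_id, user_id):
        op = {"method": "POST", "data": {"catalogItemId": catalog_item_id, "subjectType": "USERS",
                                         "subjectId": user_id, "activationPolicy": "AUTOMATIC"}}
        body = {"returnPayloadOnError": True, "operations": [op], "_links": {}}
        resp = self._post("/SAAS/jersey/manager/api/entitlements/definitions", body, ENT_REQ, ENT_RESP, 200)
        # HTTP 200 only says the bulk request ran; each operation reports its own code.
        codes = [o.get("code") for o in resp.get("operations", [])]
        if codes != [201]:
            raise RuntimeError(f"entitlement operation failed, per-operation codes: {codes}")
        return codes


class FakeTenant:
    """Constructed offline stand-in that answers the way the guide's screenshots describe."""
    def __init__(self, entitlement_code=201):
        self.entitlement_code, self.calls = entitlement_code, []  # calls: (path, headers, body)

    def __call__(self, req):
        path, body = "/SAAS" + req["url"].split("/SAAS", 1)[1], json.loads(req["body"])
        self.calls.append((path, req["headers"], body))
        if path.endswith("/auth/system/login"):
            return 200, json.dumps({"sessionToken": "constructed-session-token"})
        if req["headers"].get("Authorization") != "HZN constructed-session-token":
            return 401, json.dumps({"error": "constructed: missing or malformed HZN token"})
        if path.endswith("/scim/Users"):
            return 201, json.dumps({"id": "constructed-user-id", "userName": body["userName"]})
        if path.endswith("/catalogitems"):
            return 201, json.dumps({"uuid": body["uuid"], "name": body["name"]})
        if path.endswith("/entitlements/definitions"):
            return 200, json.dumps({"operations": [{"code": self.entitlement_code}]})
        return 404, "{}"


def provision(client):
    """The module's whole procedure with the guide's lab values; returns (user id, weblink uuid)."""
    client.login("Administrator", "VMware1!")
    user_id = client.create_user("apiuser", "API", "User", "apiuser@test.com", "VMware1!")
    app_id = client.create_weblink("API Generated Weblink", "https://www.vmware.com",
                                   item_uuid="85c040cf-b389-41a0-9efe-c7ca64f985c4",
                                   description="Web Link Generated by API Lab")
    client.entitle_user(app_id, user_id)
    return user_id, app_id


if __name__ == "__main__":
    print(provision(IdmClient("yourtenant.vidmpreview.com", transport=FakeTenant())))
```

The entitlement call is the one place where checking the HTTP status is not enough: the bulk endpoint answers 200 OK for the request as a whole and reports each operation's outcome in the operations array, so the client treats any per-operation code other than 201 as a failure rather than assuming the user was entitled.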

 

 

Confirm the Application Entitlement in the Identity Manager Administrator Console

 

Return to the Identity Manager Administrator Console.

  1. Click Catalog.
  2. Click the checkbox next to API Generated Weblink to select it.
  3. Click Assign.

 

 

 

  1. Confirm that the API User is already included in the list of Users and that the Deployment Type is set to Automatic.  This entitlement was added based on the specifications we included in our JSON Body with the API request.
  2. Click Close.

 

 

We will now login to the Workspace ONE portal as our created user to confirm that we see the created application and that it launches successfully.

 

Instructions for Taking Additional Lab Modules


 

If you are interested in taking additional modules for this lab, please click the END button in the VMware Learning Platform and then relaunch the lab.

Since each module in this lab takes advantage of configuring VMware Identity Manager and the VMware Identity Manager Connector for different use cases, the quickest way to start with a clean infrastructure to complete the next module is to restart the lab.  Once you restart, navigate to the next module using the Table of Contents as shown in the Lab Guidance section.


Conclusion


In this lab, you've learned how the IDM API can be used to automate a variety of administrative tasks.  For additional API documentation, be sure to check out the VMware Identity Manager API Reference page: https://code.vmware.com/apis/57/idm?h=Identity#/.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1957-02-UEM

Version: 20190125-142135