VMware Identity Manager integration in AirWatch 8.3
In AirWatch 8.3, the requirements for integrating with VMware Identity Manager are greatly simplified to allow for easier configuration, expanded functionality, and more efficient performance. Administrators who want to integrate directory authentication into their applications can do so with username and password authentication. Administrators who want to add single sign-on (SSO) to the iOS and web catalog can do so by leveraging AirWatch as a Kerberos key distribution center (KDC).
Simplified requirements and network architecture
In AirWatch 8.3, integration with VMware Identity Manager no longer requires the separate VMware Identity Manager Connector server in the DMZ. Instead, it leverages the AirWatch API to push directory user and group information directly to the VMware Identity Manager instance. For AirWatch SaaS deployments, the connection between AirWatch and Active Directory is established and secured through the AirWatch Cloud Connector (ACC), as shown in the image below.
Configuring VMware Identity Manager in the AirWatch Console
VMware Identity Manager can be configured in the AirWatch Console under System Settings > Enterprise Integration. First, you must configure the instance that AirWatch connects to by specifying the VMware Identity Manager tenant URL, administrator username, and password.
In addition to the basic connection settings, you must configure how user attributes are synced between AirWatch and VMware Identity Manager. AirWatch pre-configures a default mapping between AirWatch user attributes and Active Directory user attributes, but this mapping can be overridden if desired. Additionally, certain attributes can be designated as Required in VMware Identity Manager. Users will not be synced from AirWatch if their records do not contain all required attributes.
Once the settings have been configured in the AirWatch console, you can select the Sync Now button to begin the sync. After the initial setup, syncs will take place at intervals specified by the AirWatch Scheduler.
iOS SSO using Kerberos
In AirWatch 8.3, the AirWatch server can be leveraged directly as a Certificate Authority (CA) when using iOS SSO rather than integrating with a third-party CA. The AirWatch CA is SCEP-based and embeds the OCSP URL in each certificate so that revocation can be checked. Third-party CAs can be leveraged for this functionality as well, but they require additional configuration.
As VMware Identity Manager can be leveraged as a Kerberos KDC, SSO for iOS applications can be performed using only Identity Manager and AirWatch (generally utilizing ACC in the AirWatch configuration). The process flow for iOS SSO is as follows:
- The device is enrolled in AirWatch. The AirWatch CA (or a third-party CA) generates a certificate, which is provisioned to the device via a credentials profile.
- The device requests authentication with a SaaS application. The SaaS application redirects the device to authenticate against VMware Identity Manager.
- The device is redirected to VMware Identity Manager, which validates the Access Policy to confirm that the device is not blocked.
- A Kerberos challenge is issued to the device through the built-in KDC Kerberos Adapter.
- The KDC confirms the authentication and validates with the OCSP server (hosted by the AirWatch CA) that the certificate has not been revoked.
- If Kerberos authentication is successful, VMware Identity Manager grants access to the SaaS application via a SAML response.
- The user is granted access to the application.
Troubleshooting common issues
- User is present in AirWatch, but is not syncing to VMware Identity Manager.
  - Verify that the user record in AirWatch contains all required attributes. Additionally, note that syncs are scheduled at intervals and may take some time to fully complete.
- You are unable to complete the configuration wizard.
  - Verify that the administrator username and password are correct in the tenant configuration; it is possible that AirWatch is unable to authenticate with VMware Identity Manager. Additionally, verify that the directory services configuration is not incorrectly overridden at a lower organization group, and that it is properly configured at the current organization group.
- When using the AirWatch CA, certain users are not authenticating properly.
  - The AirWatch CA uses the SCEP protocol, so you can troubleshoot with the same strategies. Make sure that affected users' certificates are not expired or revoked, and that the user/device is compliant.
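The required-attribute gate described in the attribute sync configuration above, and behind the first troubleshooting item (user present in AirWatch but not syncing), can be reproduced against an exported user list to see exactly which records are held back and why. The following is an added example, not AirWatch or VMware code; the attribute names, the default mapping, the override format and the sample records are all constructed assumptions.

```python
# Added example (not AirWatch/VMware code): which user records pass the
# "all required attributes present" gate before a sync. The attribute names
# and the default AirWatch -> Active Directory mapping below are assumptions.

# Constructed default mapping: AirWatch attribute -> Active Directory attribute.
DEFAULT_MAPPING = {
    "UserName": "sAMAccountName",
    "EmailAddress": "mail",
    "FirstName": "givenName",
    "LastName": "sn",
    "DistinguishedName": "distinguishedName",
}

def effective_mapping(overrides=None):
    """Apply console overrides (AirWatch attr -> AD attr) on top of the default mapping."""
    mapping = dict(DEFAULT_MAPPING)
    mapping.update(overrides or {})
    return mapping

def missing_required(user, required, overrides=None):
    """Return the required AD attributes this user record cannot supply.

    A value counts as missing when no AirWatch attribute maps to the required
    AD attribute, or the mapped value is absent, None, or blank.
    """
    ad_to_aw = {ad: aw for aw, ad in effective_mapping(overrides).items()}
    missing = []
    for ad_attr in required:
        aw_attr = ad_to_aw.get(ad_attr)
        value = user.get(aw_attr) if aw_attr else None
        if value is None or str(value).strip() == "":
            missing.append(ad_attr)
    return missing

def partition_for_sync(users, required, overrides=None):
    """Split users into those that would sync and those held back, with the gaps."""
    ready, held = [], {}
    for user in users:
        gaps = missing_required(user, required, overrides)
        if gaps:
            held[user.get("UserName", "<no UserName>")] = gaps
        else:
            ready.append(user["UserName"])
    return ready, held

# Constructed sample records standing in for an AirWatch user export.
SAMPLE_USERS = [
    {"UserName": "jdoe", "EmailAddress": "jdoe@example.com", "FirstName": "Jane", "LastName": "Doe"},
    {"UserName": "asmith", "EmailAddress": "", "FirstName": "Al", "LastName": "Smith"},   # blank mail
    {"UserName": "bwong", "EmailAddress": "bwong@example.com", "FirstName": "Bo"},        # no sn
]

if __name__ == "__main__":
    ready, held = partition_for_sync(SAMPLE_USERS, ["sAMAccountName", "mail", "sn"])
    print("will sync:", ready)
    for name, gaps in held.items():
        print(f"held back: {name} is missing {gaps}")
```

Records in `held` are the ones to fix in the AirWatch user record before waiting on the next scheduled sync; a blank value is reported just like an absent one, since both fail the Required check.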