Update March 2018: I added an additional blogpost with some more vIDM related troubleshooting, when rolling out from Lifecycle Manager
VMware products always contain a local account directory of some kind. vSphere for example has its local SSO (these days hosted by the Platform Services Controller component), and every appliance has a root account and usually a dedicated top-level admin account.
But to get the most from your environment, Single-Sign on is a must, and often an enterprise requirement. Almost every VMware product can, and has historically had the ability to integrate with external directory sources. In most cases we are talking about Microsoft Active Directory.
Most products have the ability to directly talk with AD domain controllers, though some will outsource this function to a dedicated component. Both vSphere and vRealize Automation use a version of the VMware SSO for this purpose.
The Workspace One Suite, on the other hand, leans heavily on the VMware Identity Manager. (vIDM)
The vRealize Suite Lifecycle Manager (
vRSLCM ) also uses the vIDM to handle the connection with Active Directory. Therefore you must install vIDM as part of your vRSLCM deployment.
Thankfully, vRSLCM makes this process extremely simple for you. After all – deploying VMware products is exactly what vRSLCM is good at!
It is useful to read up on the basic concepts of the VMware Identity Manager product. https://docs.vmware.com/en/VMware-Identity-Manager/index.html
vRSLCM should be up and running. You are able to login to it using the default admin@localhost account.
You must have the vIDM OVA file at hand. In this post I am using the latest version at the time of this writing. “identity-manager-184.108.40.206-10084102_OVF10.ova”
Also make sure that vRSLCM supports the version of vIDM you are deploying. The GUI will always confirm this for you. As of this writing version 2.9.2, 3.2.0, 220.127.116.11, 3.3.0 are supported.
Make sure you also check out the latest vRSLCM release notes also and search for notes on vIDM in particular. Latest release notes as of this post: https://docs.vmware.com/en/vRealize-Suite/2018/rn/VMware-vRealize-Suite-Lifecycle-Manager-20-Release-Notes.html
You need to set up some constructs in AD.
First you need a security group that will be used to sync with vIDM. You can assign vRLSCM roles to the group itself, or the members of this group.
The can create different AD groups that represent the 4 different vRLSSCM roles and map that way.
Or you can map users to roles manually inside vRLSSCM itself. I recommend the former as it gives you more centralized control in AD.
The possible roles are:
You also need to create a ‘default’ admin user account, known as the ‘Suite Administrator’ or ‘Uber Admin’ . This is used by the vIDM integration to set up the initial admin role mapping. This may also be used when rolling out other products that integrate with vIDM.
You also need an LDAP bind account. This account is only used to read AD, and it must have permission to add vIDM to the domain as a computer. (every new account in AD is able to do this 10 times by default).
Make sure that ALL user accounts that will be used by
vRSLCM have a valid firstname, lastname, and email address field. Otherwide vIDM will not sync them! This includes the
‘Suite Administrator’ account!
vIDM uses the Security group as a filter to determine which users to sync, Make sure the ‘suite administrator’ account is a member of your
vRSLCM admin security group.
Also make sure that in vRSLCM you have a Datacenter set up, and your vCenter connected. vRSLCM will need to have at least one successful vCenter server inventory collection. As I said before, I do not describe adding a vCenter server to vRSLCM in this post.
Make sure that you have DNS (forward and reverse) set up for your vIDM appliance.
Preparing for Deploying of vIDM Appliance using vRLSCM
There are different ways to import OVA’s and ISO’s into the vRLSCM appliance library. In this example I copied the exact versions of the OVAs I wanted into the /data folder of the appliance, and had it discover the binaries locally.
Once binaries have been discovered, vIDM will be listed along with any others.
Next we set up our AD config, this is what vIDM will use to add our AD as a new directory.
Above you will see the information the config needs. Use ADSIEdit as a quick way to copy-paste the ldap strings you need.
We can now start our vIDM deployment workflow.
Deploying the vIDM appliance
We select ‘Install New Identity manager’ and select the version that we want. This must be the version we have loaded the binaries for.
We now enter the vIDM deployment worlflow and must go through some steps. This is very similar to deploying any of the vRealize products using vRSLCM
After accepting the EULA, we fill in the information needed for OVA deployment. This is the usual VM and appliance information you might expect.
vIDM uses 3 different accounts for the appliance.
The summery page gives you an overview of all the settings you used. It is useful to save this.
Now the worflow starts and you can follow its progress on the Requests page
You can follow the deployment in vCenter
Its possible that something does wrong during the workflow. At most points the workflow can be restarted at the position it stopped. Usually workflows will fail because of a mis configuration of a specific setting.
If, for example, you misspell the LDAP bind acount, then vIDM will not be able to create the Directory mapping. This results in the following error:
During these parts of the workflow, you can log into vIDM itself using the admin account, to check yourself if certain config has been created.
If needed, you can manually do the step in vIDM itself, using the same AD config parameters you gave vRSLCM, to confirm the settings work.
Once vIDM is able to connect to AD, it will attempt to sync users. If the user account does NOT have a valid email entry, the sync will fail.
That also includes the ‘Suite Administrator’ or ‘Uber admin’ account. If it fails to sync this account, then it cannot register vRSLCM to vIDM, and you will get the following error.
in vIDM, make sure the accounts you need are being synced correctly!
Once vIDM can sync the ‘Suite Administrator’ account correctly, it will register
vRSLCM with vIDM and the vRSLCM workflow should complete successfully.
In vRSLCM , you are now able to assign roles to user accounts in your security group, or to the security group itself. Note that the ‘suite administrator’ account has been given the default admin role, same as admin@localhost
When you log out of vRSLCM, and want to log back in, you can now choose to be re-directed to the vIDM login page, which will authenticate you for
Also notice that, if you visit the vIDM page, using the context of the same user account, you will see that vRSLCM is listed as a an application that you may access