Once vRealize Automation is installed successfully, you should be able to log in to the console. Authentication (who you are) is provided by the authentication framework in VMware Identity Manager; once you are logged in, which services you can access is decided by the authorization framework in vRealize Automation.
As you may know, vRealize Automation 8.1 to 8.4 could only be installed, configured, managed, and upgraded through vRealize Suite Lifecycle Manager. Setting up a vRealize Automation environment required Lifecycle Manager (vRSLCM), VMware Identity Manager (vIDM), and vRealize Automation itself, and a VMware Identity Manager instance had to exist before an environment could be created in Lifecycle Manager: if none existed, the Lifecycle Manager UI redirected you to install one.
Starting with vRA 8.4.1, Lifecycle Manager has a VMware Identity Manager toggle button that you can enable or disable.
If you do use VMware Identity Manager, it is integrated with the vRealize Automation appliance and provides tenant identity management. When deploying an environment, Lifecycle Manager deploys and installs a new VMware Identity Manager appliance, which is based on SUSE Linux. VMware Identity Manager is built on the OAuth 2.0 authorization framework.
If you already have a VMware Identity Manager appliance, you can import it from the vRealize Easy Installer wizard; all versions from 3.3.1 onward are supported. To import an existing appliance you need its hostname and its root and admin credentials.
Architecture of VMware Identity Manager
All the services in the vRA appliance run as Kubernetes pods. The identity-app pod has a dedicated PostgreSQL database, identity-db, for the identity service. This pod stores the registration of the vIDM appliance: it is essential that the vRA appliance, and the identity-app pod in particular, knows how to reach vIDM. During installation with Easy Installer, a registration entry containing the IP address of the vIDM appliance is written to this pod, so that when a user logs in the identity service knows to redirect the request to that vIDM appliance. The vIDM appliance is where you configure the identity source, that is, where you add a directory to integrate vIDM with Active Directory.
When you, as a user who belongs to the VMware domain, log in to vRealize Automation, the following happens:
- The identity service redirects the request to the VMware Identity Manager URL
- The VMware Identity Manager appliance validates the user credentials with Active Directory
- The user can log in to the vRealize Automation console
The URL of the VMware Identity Manager appliance is stored in the VIDM_HOST environment variable during installation, and all requests to authorize credentials are forwarded to that appliance. When a new vIDM appliance is deployed, a Default Configuration Admin user is created in VMware Identity Manager; this is the user you log in to vRealize Automation with for the first time, using the password you set with the Password Configuration option in the vRealize Easy Installer wizard. The Default Configuration Admin user is assigned the Super Admin role, which gives full administrator access in VMware Identity Manager, so protect its password like any other break-glass credential.
Let's see how to integrate Identity Manager with Active Directory so that Active Directory users can log in to vRealize Automation.
Add Active Directory to VMware Identity Manager
Navigate to the vIDM admin URL (https://vIDM_FQDN/SAAS/admin) and log in as the configadmin user specified at installation time:
Click the Identity & Access Management tab:
When you integrate your enterprise directory with vIDM to sync users and groups into the vIDM service, the following directory types are supported:
– Active Directory over LDAP: Create this directory type if you plan to connect to a single Active Directory domain environment. For the Active Directory over LDAP directory type, the connector binds to Active Directory by using simple bind authentication. A simple bind sends the bind user's password in the clear unless the connection uses TLS, so use LDAPS (port 636) rather than plain LDAP (port 389) for this directory type.
– Active Directory, Integrated Windows Authentication: Create this directory type if you plan to connect to a multidomain or multiforest Active Directory environment. The connector binds to Active Directory by using Integrated Windows Authentication.
– OpenLDAP directory: Integrate your enterprise OpenLDAP directory with VMware Identity Manager. You can only integrate a single-domain OpenLDAP directory. VMware Identity Manager supports only those OpenLDAP implementations that support paged search queries.
The system directory is created by default and the configuration admin user is created in the system directory. You can create multiple local directories. You use the Local User Directory option to create a second local directory.
Click Add Directory and select Add Active Directory over LDAP/IWA:
Enter a name in the Directory Name text box and, in the Add Directory wizard, scroll down to configure the domain settings (I am leaving it as LDAP because I have a single domain):
Fill in the pertinent information for your directory, including the Bind user details: a user with permission to read Active Directory. For ease in the lab, I am using an administrator user. In production, however, you will want to create a dedicated service account with read-only rights for this purpose; the connector only needs to read users and groups, so it should never be a member of a privileged group.
Click Test Connection. Verify that the Connection is Successful message appears:
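The following PowerShell script is an added example and is not part of the original post or of VMware's tooling. It does the two things a practitioner wants done before typing credentials into the wizard: it creates a least-privilege bind account for the Active Directory over LDAP directory type, and it verifies that a simple bind over LDAPS works with that account and can read the groups you will select later. It assumes the lab domain virtualinca.lab used in this post, an OU named OU=ServiceAccounts (assumed), a domain controller dc01.virtualinca.lab (assumed) with a trusted LDAPS certificate, and the RSAT ActiveDirectory module on the machine where you run it.

```powershell
# Added example (not from the original post): create a read-only bind account
# for the vIDM "Active Directory over LDAP" directory and verify a simple
# bind over LDAPS before using the account in the wizard.
# Assumed names: OU=ServiceAccounts, dc01.virtualinca.lab, svc_vidm_bind.

Import-Module ActiveDirectory

$domainDn = 'DC=virtualinca,DC=lab'
$ou       = "OU=ServiceAccounts,$domainDn"   # assumed OU for service accounts
$samName  = 'svc_vidm_bind'                  # assumed account name
$upn      = "$samName@virtualinca.lab"
$dc       = 'dc01.virtualinca.lab'           # assumed domain controller

# Random 32-character password; store it in your vault, not in this script.
$plain  = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# A plain domain user is enough: "Domain Users" can already read users and
# groups, which is all the connector needs. No admin group membership.
New-ADUser -Name $samName `
    -SamAccountName $samName `
    -UserPrincipalName $upn `
    -Path $ou `
    -AccountPassword $secure `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description 'VMware Identity Manager LDAP bind account (read-only)'

# Sensitive account: its credentials must not be delegated by other services.
Set-ADAccountControl -Identity $samName -AccountNotDelegated $true

# Verify with the same mechanism the connector uses: simple (Basic) bind.
# Over LDAPS the password is protected by TLS; on port 389 it would be clear.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636)
$cred  = New-Object System.Net.NetworkCredential($upn, $plain)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident, $cred)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Bind()   # throws LdapException on bad credentials or a TLS failure

# Enumerate the groups the bind account can see; these are the candidates
# for the "Select the groups" step of the wizard. Paged so that domains with
# more than 1000 groups do not hit the default AD size limit.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $domainDn, '(objectClass=group)',
    [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'distinguishedName')
$page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
$req.Controls.Add($page) | Out-Null
do {
    $res = $conn.SendRequest($req)
    $res.Entries | ForEach-Object { $_.DistinguishedName }
    $pageResp = $res.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $page.Cookie = $pageResp.Cookie
} while ($pageResp.Cookie.Length -gt 0)
$conn.Dispose()
```

If the Bind() call fails with a certificate error, fix the domain controller's certificate (or import its issuing CA on the vIDM connector) rather than falling back to port 389; if it fails with invalid credentials, the wizard's Test Connection would fail in the same way.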
Click Save & Next:
When your domain is detected, select it and click Next:
Review the required attributes on the Map User Attributes page and click Next:
Click the plus (+) icon at the top-right corner and specify the groups. Then click Find Groups and use the Select All button to select the Active Directory groups to synchronize into the VMware Identity Manager database, and click Next:
Adding individual users is not recommended; with Active Directory you always work with groups. Click the X to delete any users listed there (in my case the user cn=administrator,cn=users,dc=virtualinca,dc=lab) and click Next:
Click Sync Directory:
The sync starts; to see what it is doing, click Sync Log, which lists the groups and users that were added or removed:
Under Directories you can see your successfully created directory:
Click Back to Directories at the top-left corner and click the Users & Groups tab:
You can use the Directory column to differentiate local users from Active Directory users.
To manage your Directory synchronization settings click Sync Settings:
Choose the Sync Frequency tab and change the sync frequency to once per day at 0:00 hours. Then click the Save and Sync button:
And your sync frequency will be changed: