Enable identity bridging, configure the external host name for the service, and download the Unified Access Gateway service provider metadata file.

About this task

This metadata file is uploaded to the Web application configuration page in the VMware Identity Manager service.

Prerequisites

You must have configured the following Identity Bridging settings in the Unified Access Gateway admin console. These settings are under the Advanced Settings section.

  • Identity provider metadata uploaded to Unified Access Gateway.

  • The Kerberos principal name configured and the keytab file uploaded to Unified Access Gateway.

  • The realm name and key distribution center information.

Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. In the General Settings > Edge Service Settings line, click Show.
  3. Click the Reverse Proxy Settings gearbox icon.
  4. In the Reverse Proxy Settings page, click Add to create a new proxy setting.
  5. Set Enable Reverse Proxy Settings to YES, and configure the following edge service settings.

    | Option | Description |
    |---|---|
    | Identifier | The edge service identifier is set to Web reverse proxy. |
    | Instance Id | Unique name for the Web reverse proxy instance. |
    | Proxy Destination URL | Specify the internal URL for the Web application. Unified Access Gateway must be able to resolve and access this URL. |
    | Proxy Destination URL Thumbprints | Enter the thumbprints of the server certificates that this proxy setting accepts for the proxy destination URL. A thumbprint is in the format [alg=]xx:xx, where alg can be sha1 (the default) or md5 and each xx is a pair of hexadecimal digits. For example, sha1=C3 89 A2 19 DC 7A 48 2B 85 1C 81 EC 5E 8F 6A 3C 33 F2 95 C3. If you do not configure the thumbprints, the server certificates must be issued by a trusted CA. |
    | Proxy Pattern | (Optional) Specify a host pattern. The pattern tells Unified Access Gateway when to forward traffic using this proxy setting when the proxy destination alone is not unique; it is matched against the URL requested by the client's Web browser. For example, enter (/\|/SAAS(.*)\|/hc(.*)\|/web(.*)\|/catalog-portal(.*)). |

  6. In the Enable Identity Bridging section, change NO to YES.
  7. Configure the following Identity Bridging settings.

    | Option | Description |
    |---|---|
    | Authentication Types | Select SAML. |
    | Identity Provider | Select the identity provider to use from the drop-down menu. |
    | Keytab | In the drop-down menu, select the configured keytab for this reverse proxy. |
    | Target Service Principal Name | Enter the Kerberos service principal name. Each principal is always fully qualified with the name of the realm. For example, myco_hostname@MYCOMPANY. Type the realm name in uppercase. If you do not add a name to the text box, the service principal name is derived from the host name of the proxy destination URL. |
    | Service Landing Page | Enter the page that users are redirected to in the identity provider after the assertion is validated. The default setting is /. |
    | User Header Name | For header-based authentication, enter the name of the HTTP header that includes the user ID derived from the assertion. |

  8. In the Download SP Metadata section, click Download.

    Save the service provider metadata file.

  9. Click Save.
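Two of the Reverse Proxy Settings fields above carry most of the security weight: Proxy Destination URL Thumbprints decides whether Unified Access Gateway pins the back-end certificate or falls back to CA trust, and Proxy Pattern decides which client request paths are forwarded at all. The following Python script is an added example, not VMware code, that parses thumbprint entries in the documented [alg=]xx:xx form, compares them against a certificate's digest, and exercises the page's own Proxy Pattern against sample paths. It assumes UAG normalises separators and case the way the parser does and that the pattern must match the whole request path (re.fullmatch); the certificate bytes and request paths are constructed for the example.

```python
"""Checks for Proxy Destination URL Thumbprints and Proxy Pattern.

Added example; the sample certificate bytes and paths are constructed.
"""
import hashlib
import re

# Documented format: [alg=]xx:xx, alg = sha1 (default) or md5.
# Accepting ':' or space separators and either case is an assumption
# about UAG's normalisation; the page only states the format.
_THUMB_RE = re.compile(r"^(?:(sha1|md5)=)?([0-9a-f]+)$")
_DIGEST_HEX_LEN = {"sha1": 40, "md5": 32}

# The page's Proxy Pattern example, verbatim.
PROXY_PATTERN = r"(/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*))"


def parse_thumbprint(entry):
    """Return (alg, lowercase hex digest) for one thumbprint entry.

    Raises ValueError for anything outside the documented format, such as
    a mistyped algorithm name or a digest of the wrong length.
    """
    text = entry.strip().lower().replace(":", "").replace(" ", "")
    m = _THUMB_RE.match(text)
    if not m:
        raise ValueError("not in [alg=]xx:xx form: %r" % entry)
    alg = m.group(1) or "sha1"  # sha1 is the documented default
    digest = m.group(2)
    if len(digest) != _DIGEST_HEX_LEN[alg]:
        raise ValueError("%s digest must be %d hex digits: %r"
                         % (alg, _DIGEST_HEX_LEN[alg], entry))
    return alg, digest


def thumbprint_is_valid(entry):
    """True if the entry would be accepted by parse_thumbprint."""
    try:
        parse_thumbprint(entry)
        return True
    except ValueError:
        return False


def cert_matches_thumbprints(cert_der, entries):
    """True if the DER-encoded certificate matches any configured thumbprint.

    An empty list means no pinning: per the page, UAG then requires the
    server certificate to be issued by a trusted CA, which this helper does
    not model, so it simply returns False.
    """
    for entry in entries:
        alg, expected = parse_thumbprint(entry)
        if hashlib.new(alg, cert_der).hexdigest() == expected:
            return True
    return False


def path_is_forwarded(pattern, path):
    """True if the request path matches the proxy pattern as a whole.

    Assumes whole-path matching (re.fullmatch). UAG uses a Java regex
    engine, so keep patterns as simple as the page's example.
    """
    return re.fullmatch(pattern, path) is not None


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate body (not a real certificate).
    der = b"constructed DER certificate bytes for the example"
    pinned = ["sha1=" + hashlib.sha1(der).hexdigest()]
    print(cert_matches_thumbprints(der, pinned))  # True
    # A thumbprint whose algorithm name is not sha1 or md5 is rejected.
    print(thumbprint_is_valid("sha=C3 89 A2 19 DC 7A 48 2B 85 1C 81 EC 5E 8F 6A 3C 33 F2 95 C3"))  # False
    for p in ["/", "/SAAS/auth/login", "/hc/ping", "/admin", "/SAASother"]:
        print(p, path_is_forwarded(PROXY_PATTERN, p))
```

The last loop shows why the pattern deserves a review before Save: because the page's alternatives end in `(.*)` with no trailing slash, a path such as `/SAASother` is forwarded just like `/SAAS/auth/login`, while `/admin` is not. Running the script on the pattern you actually intend to deploy, with the paths you expect to allow and deny, is a cheap way to confirm the forwarding boundary.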

What to do next

Add the Unified Access Gateway service provider metadata file to the Web application configuration page in the VMware Identity Manager service.