Enable identity bridging, configure the external host name for the service, and download the Unified Access Gateway service provider metadata file.

This metadata file is uploaded to the Web application configuration page in the VMware Identity Manager service.

Prerequisites

You must have configured the following Identity Bridging Settings on the Unified Access Gateway admin console. You can find these settings under the Advanced Settings section.

  • Identity provider metadata uploaded to Unified Access Gateway.

  • The Kerberos principal name configured and the keytab file uploaded to Unified Access Gateway.

  • The realm name and key distribution center information.

Ensure that TCP/UDP port 88 is open since Unified Access Gateway uses this port for the Kerberos communication with Active Directory.

Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. In the General Settings > Edge Service Settings line, click Show.
  3. Click the Reverse Proxy Settings gearbox icon.
  4. In the Reverse Proxy Settings page, click Add to create a proxy setting.
  5. Set Enable Reverse Proxy Settings to YES, and configure the following edge service settings.

    Option

    Description

    Identifier

    The edge service identifier is set to the web reverse proxy.

    Instance Id

    Unique name for the web reverse proxy instance.

    Proxy Destination URL

    Specify the internal URl for the Web application. Unified Access Gateway must be able to resolve and access this URL.

    Proxy Destination URL Thumbprints

    Enter the URI to match with this proxy setting. A thumbprint is in the format [alg=]xx:xx, where alg can be sha1, the default or md5. The 'xx' are hexadecimal digits. For example, sha=C3 89 A2 19 DC 7A 48 2B 85 1C 81 EC 5E 8F 6A 3C 33 F2 95 C3.

    If you do not configure the thumbprints, the server certificates must be issued by a trusted CA.

    Proxy Pattern

    Enter the matching URI paths that forward to the destination URL. For example, enter as (/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)).

    Note: When you configure multiple reverse proxies, provide the hostname in the proxy host pattern

  6. To configure other advanced settings, click More.

    Option

    Description

    Auth Methods

    The default is to use pass-through authentication of the user name and password. The authentication methods you configured in Unified Access Gateway are listed in the drop-down menus. RSA SecurID, RADIUS, and Device Certificate Auth methods are supported.

    Health Check URI Path

    Unified Access Gateway connects to this URI path to check the health of your web application.

    SAML SP

    Required when you configure Unified Access Gateway as an authenticated reverse proxy for VMware Identity Manager. Enter the name of the SAML service provider for the View XML API broker. This name must either match the name of a service provider you configured with Unified Access Gateway or be the special value DEMO. If there are multiple service providers configured with Unified Access Gateway, their names must be unique.

    External URL

    The default value is the Unified Access Gateway host URL, port 443. You can enter another external URL. Enter as https://<host:port>.

    UnSecure Pattern

    Enter the known VMware Identity Manager redirection pattern. For example: (/|/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)|/SAAS/horizon/css(.*)|/SAAS/horizon/angular(.*)|/SAAS/horizon/js(.*)|/SAAS/horizon/js-lib(.*)|/SAAS/auth/login(.*)|/SAAS/jersey/manager/api/branding|/SAAS/horizon/images/(.*)|/SAAS/jersey/manager/api/images/(.*)|/hc/(.*)/authenticate/(.*)|/hc/static/(.*)|/SAAS/auth/saml/response|/SAAS/auth/authenticatedUserDispatcher|/web(.*)|/SAAS/apps/|/SAAS/horizon/portal/(.*)|/SAAS/horizon/fonts(.*)|/SAAS/API/1.0/POST/sso(.*)|/SAAS/API/1.0/REST/system/info(.*)|/SAAS/API/1.0/REST/auth/cert(.*)|/SAAS/API/1.0/REST/oauth2/activate(.*)|/SAAS/API/1.0/GET/user/devices/register(.*)|/SAAS/API/1.0/oauth2/token(.*)|/SAAS/API/1.0/REST/oauth2/session(.*)|/SAAS/API/1.0/REST/user/resources(.*)|/hc/t/(.*)/(.*)/authenticate(.*)|/SAAS/API/1.0/REST/auth/logout(.*)|/SAAS/auth/saml/response(.*)|/SAAS/(.*)/(.*)auth/login(.*)|/SAAS/API/1.0/GET/apps/launch(.*)|/SAAS/API/1.0/REST/user/applications(.*)|/SAAS/auth/federation/sso(.*)|/SAAS/auth/oauth2/authorize(.*)|/hc/prepareSaml/failure(.*)|/SAAS/auth/oauthtoken(.*)|/SAAS/API/1.0/GET/metadata/idp.xml|/SAAS/auth/saml/artifact/resolve(.*)|/hc/(.*)/authAdapter(.*)|/hc/authenticate/(.*)|/SAAS/auth/logout|/SAAS/common.js|/SAAS/auth/launchInput(.*)|/SAAS/launchUsersApplication.do(.*)|/hc/API/1.0/REST/thinapp/download(.*)|/hc/t/(.*)/(.*)/logout(.*)|/SAAS/auth/wsfed/services(.*)|/SAAS/auth/wsfed/active/logon(.*)))

    Auth Cookie

    Enter the authentication cookie name. For example: HZN

    Login Redirect URL

    If the user logs out of the portal, enter the redirect URL to log back in. For example: /SAAS/auth/login?dest=%s

    Proxy Host Pattern

    External hostname used to check the incoming host to see whether it matches the pattern for that particular instance. Host pattern is optional, when configuring Web reverse proxy instances.

    Trusted Certificates

    Add a trusted certificate to this edge service. Click '+' to select a certificate in PEM format and add to the trust store. Click '-' to remove a certificate from the trust store. By default, the alias name is the filename of the PEM certificate. Edit the alias text box to provide a different name.

    Response Security Headers

    Click '+' to add a header. Enter the name of the security header. Enter the value. Click '-' to remove a header. Edit an existing security header to update the name and the value of the header.

    Important:

    The header names and values are saved only after you click Save. Some standard security headers are present by default. The headers configured are added to the Unified Access Gateway response to client only if the corresponding headers are absent in the response from the configured back-end server.

    Note:

    Modify security response headers with caution. Modifying these parameters might impact the secure functioning of Unified Access Gateway .

    Host Entries

    Enter the details to be added in /etc/hosts file. Each entry should include an IP, a hostname, and an optional hostname alias in that order, separated by a space. For example, 10.192.168.1 example1.com, 10.192.168.2 example2.com example-alias. Click the '+" sign to add multiple host entries.

    Important:

    The host entries are saved only after you click Save.

  7. In the Enable Identity Bridging section, change NO to YES.
  8. Configure the following Identity Bridging settings.

    Option

    Description

    Authentication Types

    Select SAML.

    SAML Attributes

    List of SAML attributes that is passed as request headers. This option is visible only when Enable Identity Bridging is set to Yes and Authentication Types is set to SAML. Click '+' to a SAML attribute as part of the header.

    Identity Provider

    From the drop-down menu, select the identity provider.

    Keytab

    In the drop-down menu, select the configured keytab for this reverse proxy.

    Target Service Principal Name

    Enter the Kerberos service principal name. Each principal is always fully qualified with the name of the realm. For example, myco_hostname@MYCOMPANY. Type the realm name in uppercase. If you do not add a name to the text box, the service principal name is derived from the host name of the proxy destination URL.

    Service Landing Page

    Enter the page that users are redirected to in the identity provider after the assertion is validated. The default setting is /.

    User Header Name

    For header-based authentication, enter the name of the HTTP header that includes the user ID derived from the assertion.

  9. In the Download SP Metadata section, click Download.

    Save the service provider metadata file.

  10. Click Save.

What to do next

Add the Unified Access Gateway service provider metadata file to the Web application configuration page in the VMware Identity Manager service.