VMware Identity Manager 3.0 Release Notes


VMware Identity Manager 3.0 | 21 September 2017 | Build 6651498

VMware Identity Manager Connector 2017.8.1 | 21 September 2017 | Build 6651504

VMware Identity Manager Desktop 3.0 | 21 September 2017 | Build 6585499

VMware Identity Manager Integration Broker 3.0 | 21 September 2017 | Build 6556344

Release date: September 21, 2017

Updated October 3, 2017

What's in the Release Notes

The release notes cover the following topics:

What's New for VMware Workspace ONE App

  • Improved End-User Experience on Sign-in Screens. The sign-in screens have been improved with additional animations, improved displays on mobile devices, and improved error messages.
  • App Reordering. Users can now rearrange bookmarked applications on their Workspace ONE app portal Bookmarks page.Users start with an alphabetized app view but can move app tiles around to create a custom, personalized view. The new user curated view is saved for future sessions.

    Note: Application reordering capability is available only from the desktop browser view. The reordered apps display on mobile devices but users cannot rearrange them from a mobile device.

  • Enhanced In-App search.  Search applications by description in addition to name and category.

  • Support Horizon HTML Access on Android Devices. Users can now launch Horizon apps in a browser on Android devices from the Workspace ONE app. Available for Android 7 and later.

  • Refresh Token Timeout. Now users do not have to re-login to the Worksapce ONE application every few days if they are regularly using the app. This is enabled through a configuration called “Idle Token Time-toLive (TTL)” that can be set on the OAuth client for the Workspace ONE application. This feature is not limited to the Workspace ONE app and can be used by any other OAuth client of VMware Identity Manager.

What's New for VMware Identity Manager 3.0

  • Secure Certificate Authentication in the DMZ. VMware Identity Manager can now perform certificate authentication in the DMZ without requiring inbound communication to the VMware Identity Manager Connector within the corporate network. This improvement allows organizations to securely perform certificate authentication in the DMZ (before traffic enters their internal networks) while maintaining their Identity Manager Connector in outbound-only mode. In this configuration, VMware Identity Manager handles certificate authentication in the DMZ, but all other types of authentication are handled by the VMware Identity Manager Connector in outbound only mode. This ensures that outside traffic does not enter the internal corporate network. 
  • Support for Multiple Office 365 Tenants from VMware Identity Manager Catalog. VMware Identity Manager now supports multiple Office 365 tenants. Organizations that have multiple tenants from acquisitions or line of business adoption of Office 365 can manage those tenants using one VMware Identity Manager instance, simplifying Office 365 adoption and management.
  • Support for Multiple Apps from the VMware Identity Manager Catalog. VMware Identity Manager now supports adding apps from the Catalog multiple times. Admins can add multiple copies using the templates in the Global Catalog. This simplifies the adoption of multiple instances of web applications such as Salesforce that might be used by different lines of business or for different purposes within the organization.
  • Support for Forced Authentication in SAML. VMware Identity Manager allows applications to request that a user must log in again, even if the user already has a valid session with VMware Identity Manager. This feature allows applications and admins to force users to log in again before performing sensitive actions, such as accessing important data or signing forms that require a high level of authentication assurance. Specifically, VMware Identity Manager now supports the ForceAuthn attribute in SAML and the prompt=login parameter in OpenID Connect.
  • Encrypted SAML Assertions. VMware Identity Manager allows organizations to choose whether to encrypt the SAML assertions sent by the service. Encryption decreases the risk of user data being discovered through a compromised SAML assertion and increases security.
  • Application Sources. If your applications are already federated using an access management system such as ADFS, PingFederate, or Okta, the Application Sources feature can be used to easily bring these applications into the Workspace ONE catalog. You define the external access management system as an application source type, and then add multiple apps of this type to the catalog. The application source definition contains the SAML contract details between VMware Identity Manager and these external access management systems.
  • VMware ThinApp User Access Changes for an Improved User Experience. Users can now view and launch individual applications in the ThinApp package from the Catalog page, bookmark individual apps in the ThinApp package, and search for apps in the ThinApp package.


VMware Identity Manager 3.0 is available in the following languages.

  • English
  • French
  • German
  • Spanish
  • Japanese
  •  Simplified Chinese
  • Korean
  • Taiwan
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager supports the following versions of vSphere and ESXi.

  • 5.5, 6.0+

Component Compatibility

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

Browser Compatibility for the VMware Identity Manager Administration Console

The following Web browsers can be used to view the administration console:

  • Mozilla Firefox 40 or later for Windows and Mac systems
  • Google Chrome 42.0 or later for Windows and Mac systems
  • Internet Explorer 11 for Windows systems
  • Safari 6.2.8 or later for Mac systems

For other system requirements, see the  Installing and Configuring VMware Identity Manager guide.

Upgrading to VMware Identity Manager 3.0

To upgrade to 3.0, see Upgrading to VMware Identity Manager. During the upgrade, all services are stopped, so plan the upgrade with the expected downtime in mind.

Note:  If you integrate Citrix published resources with VMware Identity Manager, upgrade to Integration Broker 3.0. VMware Identity Manager 3.0 and VMware Identity Manager Connector 2017.8.1 are not compatible with older versions of the Integration Broker.

When Horizon is configured in VMware Identity Manager and VMware Identity Manager is set up in a cluster, when you upgrade VMware Identity Manager, you must reconfigure Horizon in the service as follows.

  1. In the primary VMware Identity Manager connector, remove all the Horizon pods and add them back. Save and Sync.
  2. In the replica connectors, remove all the Horizon pods and add them back. Save.

Upgrading from 2016.11.1 Connector

Before you upgrade from the 2016.11.1 connector to the latest connector. See KB article 2149179 Upgrading from VMware Identity Manager Connector 2016.11.1

NEW Upgrading from VMware Identity Manager 2.7.1

To upgrade VMware Identity Manager 2.7.1 to 3.0, you must first upgrade to 2.9.2.x. See KB article 2151825 Upgrading from VMware Identity Manager 2.7.1 to VMware Identity Manager 3.0.

Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later

Beginning with VMware Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update products configurations to use TLS 1.1 or 1.2.

External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.

Windows 2008 R2, 2012, and Windows 7 operating systems do not have TLS1.1 and 1.2 available by default. This can cause issues when connecting to VMware Identity Manager 2.8. See the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols.

Java Upgrades for VMware Identity Manager on Windows

Automatic update of  Java (Java Update) on Windows is not supported with VMware Identity Manager because when the older version of java is removed, the certificates stored in the JAVA_HOME/lib/security/cacerts are also removed. Two options to update Java in the VMware Identity Manager environment on Windows.

  • If the Java update is through the VMware Identity Manager installer, restore the CA certificate through the installer at opt\vmware\horizon\workspace\install\cacerts.sav to JAVA_HOME\lib\security\cacerts.  Restart the Windows machine.
  • To update Java manually, back up the CA certificates in JAVA_HOME/lib/security/cacerts. After the update is complete, restore the CA certificates to the newer java directory, JAVA_home/lib/security/cacerts. You must also update the JAVA_HOME environment variable to the new java path. Restart of the Windows machine is not required.

Note: the Java Unlimited Strength (JCE) policy files are a prerequisite in Windows. When you do a Java update, you might need to re-install JCE.


The VMware Identity Manager 3.0 documentation is in the VMware Workspace ONE doc center.

Known Issues

  • When creating Workspace identity provider, the IDP name that is configured is not saved. 

    When a new Workspace identity provider is configured and given a unique name, the IDP is saved with the name Workspace _IDP2, not the unique name that was configured.

    Edit the identity provider configuration and change the IdP name. Save the changes. The IdP is updated with the new name.

  • In the Workspace ONE apps portal, when users request a ThinApp package, request link does not change to Pending

    In the Workspace ONE apps portal, when users request a ThinApp package, request link does not change to Pending.

    Users must log in to their portal again. Then the Pending state displays for the ThinApp package.

  • Profile sync dry run results do not include a link for more details

    The user profile page does not include a link that shows the complete details and the add/delete/update results.

    No workaround.

  • When upgrading to the latest Identity Manager Desktop Client, the shortcut of Identity Manager Desktop is not removed.

    When a newer version of the Identity Manager Desktop Client is installed, a shortcut link is added to the All Programs view, but the older version, called Identity Manager Desktop is not removed.

    Users can delete the Identity Manager Desktop shortcut from the desktop

  • Icon is Missing When Exporting an application from the Catalog

    When an application is exported from the VMware Identity Manager Catalog, the zip file does not contain the icon for the app.

    Go to the application's Details page in the Catalog and upload the icon.

  • When installing the certificate to terminate SSL on a load balancer in a Windows environment, the VMware Identity Manager service does not come up.

    When a cert is generated using the command openssl s_client-connect xx.xx.xx.xxx - showcerts and then save the cert in the admin console, the service stops. When restarted the certficate is not installed.

    A manual restart of the VMware Identity Manager service is required when installing a certificate to support SSL  terminate on a load balancer.

  • Directory Sync Does Not Remove All Expected Groups From the Service.

    When running a directory sync to remove a large number of groups, for example more than 50% of the groups, the sync stops before all groups are removed.

    Start the directory sync again.

  • Unable to launch an application from the browser.

    Users might see the following error while launching applications directly from a browser, "Unable to process your request. Close this screen and try again."

    Launch the app directly from the Workspace ONE portal.