Workspace ONE Access is distributed as a virtual appliance in the Open Virtualization Format (OVF) standard. A Workspace ONE Access instance brokers the identity stores and identity providers for SDDC components, such as NSX-T Data Center, to support conditional access and extension to third-party identity providers.

Deployment Model

Choose the deployment model according to the design objectives for availability and for the number of users and groups the deployment must support.

In this solution, you deploy a standalone Workspace ONE Access instance for the VMware Cloud Foundation management components that integrates with specific solution components. The standalone Workspace ONE Access instance is deployed in the first cluster in the management domain.

Table 1. Design Decisions on the Deployment of a Standalone Workspace ONE Access

IAM-WSA-CFG-001
  Design Decision: Deploy a single-node standalone Workspace ONE Access instance in the management domain for a VMware Cloud Foundation instance.
  Design Justification: Supports the design objectives for user and group scalability for Workspace ONE Access without requiring clustering support.
  Design Implication:
    • A standalone Workspace ONE Access instance is not managed by SDDC Manager.
    • Deployment is performed by using the Open Virtualization Format (OVF) open standard supported by vSphere.
    • Life cycle management of the standalone Workspace ONE Access instance is performed by using the native command-line tools within the appliance.

IAM-WSA-CFG-002
  Design Decision: Use the native PostgreSQL database service in the Workspace ONE Access appliance.
  Design Justification:
    • Supports the design objectives for user and group scalability in Workspace ONE Access without requiring clustering support.
    • Removes the constraints and operational overhead that an external database requires.
  Design Implication: None.

IAM-WSA-CFG-003
  Design Decision: Protect the standalone Workspace ONE Access instance by using vSphere High Availability.
  Design Justification: Supports the design objectives for availability of Workspace ONE Access without requiring human intervention during an ESXi host failure event.
  Design Implication: In the event of an ESXi host failure, the services provided by the standalone Workspace ONE Access instance are temporarily unavailable while vSphere High Availability restarts the appliance. SDDC components that use Workspace ONE Access as an authentication source (for example, vRealize Automation authenticating to NSX Manager) are interrupted during the restart of the appliance.

IAM-WSA-CFG-004
  Design Decision: Place the standalone Workspace ONE Access instance in a designated virtual machine folder.
  Design Justification: Organizes the standalone Workspace ONE Access instance within the management domain vSphere inventory.
  Design Implication: You must specify the virtual machine folder placement during or after the deployment.

Table 2. Design Decisions on the Deployment of Standalone Workspace ONE Access for Multiple Availability Zones

IAM-WSA-CFG-005
  Design Decision: When using more than one availability zone, add the standalone Workspace ONE Access instance to the virtual machine group for the primary availability zone.
  Design Justification:
    • Ensures that, by default, the standalone Workspace ONE Access instance is powered on in the host group of the primary availability zone.
    • In the event of a primary availability zone failure, vSphere High Availability restarts the Workspace ONE Access appliance in the secondary availability zone without human intervention.
  Design Implication: After stretching the management domain cluster across availability zones in a region, you must update the virtual machine group for the primary availability zone to include the Workspace ONE Access appliance.

Sizing Compute and Storage Resources

Workspace ONE Access scales to a maximum number of directory-synchronized users and groups that depends on the appliance size and the deployment topology.

Table 3. Workspace ONE Access Scale Requirements

Appliance Size | Deployment Requirements (Internal PostgreSQL Database and Embedded Connector) | Maximum Directory Sync Scale

Extra Small | A single node or a three-node cluster (per node):
  • 4 vCPU
  • 8 GB memory
  • 5.2 GB disk (thin provisioned) or 100 GB disk (thick provisioned)
| 3,000 users and 30 groups

Small | A single node or a three-node cluster (per node):
  • 6 vCPU
  • 10 GB memory
  • 5.2 GB disk (thin provisioned) or 100 GB disk (thick provisioned)
| 5,000 users and 50 groups

Medium | A three-node cluster (per node):
  • 8 vCPU
  • 16 GB memory
  • 5.2 GB disk (thin provisioned) or 100 GB disk (thick provisioned)
| 10,000 users and 100 groups

Large | A three-node cluster (per node):
  • 10 vCPU
  • 16 GB memory
  • 5.2 GB disk (thin provisioned) or 100 GB disk (thick provisioned)
| 25,000 users and 250 groups

Extra Large | A three-node cluster (per node):
  • 12 vCPU
  • 32 GB memory
  • 5.2 GB disk (thin provisioned) or 100 GB disk (thick provisioned)
| 50,000 users and 500 groups

Extra Extra Large | A three-node cluster (per node):
  • 14 vCPU
  • 48 GB memory
  • 5.2 GB disk (thin provisioned) or 100 GB disk (thick provisioned)
| 100,000 users and 1,000 groups
Table 4. Design Decisions on the Sizing of Standalone Workspace ONE Access

IAM-WSA-CFG-006
  Design Decision: Deploy the standalone Workspace ONE Access instance using the Extra Small virtual appliance configuration.
  Design Justification:
    • Supports the design objectives for user and group scalability for Workspace ONE Access.
    • Removes the constraints and operational overhead that a non-managed clustered deployment requires.
  Design Implication: None.
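Because the standalone appliance is not managed by SDDC Manager, nothing enforces decisions IAM-WSA-CFG-003 through IAM-WSA-CFG-006 after deployment. The following PowerCLI script is an added example, not part of the VMware design guide, that audits a deployed appliance against those decisions and optionally remediates drift. The vCenter Server, cluster, virtual machine, folder and DRS VM group names are assumptions for illustration; replace them with the names used in your environment.

```powershell
#Requires -Modules VMware.VimAutomation.Core
# Added example: audit a standalone Workspace ONE Access appliance against
# IAM-WSA-CFG-003 (vSphere HA), -004 (VM folder), -005 (primary AZ VM group)
# and -006 (Extra Small sizing). All default names below are hypothetical.
param(
    [string]$VCenter     = 'sfo-m01-vc01.rainpole.io',   # assumed vCenter Server FQDN
    [string]$ClusterName = 'sfo-m01-cl01',               # assumed management cluster
    [string]$VmName      = 'sfo-wsa01',                  # assumed appliance VM name
    [string]$FolderName  = 'sfo-m01-fd-wsa',             # assumed designated VM folder
    [string]$Az1VmGroup  = 'sfo-m01-cl01-az1-vms',       # assumed primary AZ VM group
    [switch]$Remediate                                   # fix drift instead of only reporting
)

Connect-VIServer -Server $VCenter | Out-Null
$cluster = Get-Cluster -Name $ClusterName
$vm      = Get-VM -Name $VmName -Location $cluster
$dc      = Get-Datacenter -Cluster $cluster
$findings = @()

# IAM-WSA-CFG-006: the Extra Small appliance is 4 vCPU / 8 GB memory (Table 3).
if ($vm.NumCpu -ne 4 -or $vm.MemoryGB -ne 8) {
    $findings += "CFG-006: $VmName has $($vm.NumCpu) vCPU / $($vm.MemoryGB) GB; Extra Small expects 4 vCPU / 8 GB"
}

# IAM-WSA-CFG-003: vSphere HA must be enabled on the management cluster.
if (-not $cluster.HAEnabled) {
    $findings += "CFG-003: vSphere HA is disabled on cluster $ClusterName"
    if ($Remediate) { Set-Cluster -Cluster $cluster -HAEnabled:$true -Confirm:$false | Out-Null }
}

# IAM-WSA-CFG-004: the appliance must live in the designated VM folder.
if ($vm.Folder.Name -ne $FolderName) {
    $findings += "CFG-004: $VmName is in folder '$($vm.Folder.Name)', expected '$FolderName'"
    if ($Remediate) {
        $folder = Get-Folder -Name $FolderName -Type VM -Location $dc -ErrorAction SilentlyContinue
        if (-not $folder) {
            # Create the folder under the datacenter's root VM folder if it does not exist yet.
            $rootVmFolder = Get-Folder -Type VM -Location $dc -NoRecursion
            $folder = New-Folder -Name $FolderName -Location $rootVmFolder
        }
        Move-VM -VM $vm -InventoryLocation $folder -Confirm:$false | Out-Null
    }
}

# IAM-WSA-CFG-005: only applies once the cluster is stretched, which is
# detected here by the presence of the primary AZ DRS VM group.
$group = Get-DrsClusterGroup -Cluster $cluster -Type VMGroup -Name $Az1VmGroup -ErrorAction SilentlyContinue
if ($group -and ($group.Member.Name -notcontains $VmName)) {
    $findings += "CFG-005: $VmName is not a member of VM group '$Az1VmGroup'"
    if ($Remediate) { Set-DrsClusterGroup -DrsClusterGroup $group -VM $vm -Add -Confirm:$false | Out-Null }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false

if ($findings.Count -eq 0) { "No drift from IAM-WSA-CFG-003..006 detected for $VmName." }
else { $findings }
```

Run the script without -Remediate first so that the report can be reviewed before any inventory change is made; a change to the DRS VM group or to cluster HA settings affects every virtual machine in the management domain, not only the Workspace ONE Access appliance.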