By adding and configuring identity provider instances for your VMware Identity Manager deployment, you can provide high availability, support additional user authentication methods, and add flexibility in the way you manage the user authentication process based on user IP address ranges.

Before you begin

  • Configure the network ranges that you want to direct to this identity provider instance for authentication. See Add or Edit a Network Range.

  • Access to the third-party metadata document. This can be either the URL to the metadata or the actual metadata.

Procedure

  1. In the admin console Identity & Access Management tab select Manage > Identity Providers.
  2. Click Add Identity Provider and select Create Third Party IDP. edit the identity provider instance settings.
  3. Edit the identity provider instance settings.

    Form Item

    Description

    Identity Provider Name

    Enter a name for this identity provider instance.

    SAML Metadata

    Add the third-party IdPs XML-based metadata document to establish trust with the identity provider.

    1. Enter the SAML metadata URL or the xml content into the text box.

    2. Click Process IdP Metadata. The NameID formats supported by the IdP are extracted from the metadata and added to the Name ID Format table.

    3. In the Name ID value column, select the user attribute in the service to map to the ID formats displayed. You can add custom third-party name ID formats and map them to the user attribute values in the service.

    4. (Optional) Select the NameIDPolicy response identifier string format.

    Just-in-Time Provisioning

    Configure just-in-time provisioning to create users in the identity manager service dynamically when they first log in. A JIT directory is created and the attributes in the SAML assertion are used to create the user in the service. See Just-in-Time User Provisioning.

    Users

    Select the directories of the users who can authenticate using this identity provider.

    Network

    The existing network ranges configured in the service are listed.

    Select the network ranges for the users based on their IP addresses, that you want to direct to this identity provider instance for authentication.

    Authentication Methods

    Add the authentication methods supported by the third-party identity provider. Select the SAML authentication context class that supports the authentication method.

    Single Sign-Out Configuration

    Enable single sign-out to log users out of their identity provider session when they sign out. If single sign-out is not enabled, when users sign out, their identity provider session is still active.

    (Optional) If the identity provider supports the SAML single logout profile, enable single sign-out and leave the Redirect URL text box blank. If the identity provider does not support the SAML single logout profile, enable single sign-out and enter the sign-out URL of the identity provider where users are redirected to when they sign out from VMware Identity Manager.

    If you configured the redirect URL and if you want users to return to the VMware Identity Manager sign-in page after being redirected to the identity provider sign-out URL, enter the parameter name used by the identity provider redirect URL.

    SAML Signing Certificate

    Click Service Provider (SP) Metadata to see URL to VMware Identity Manager SAML service provider metadata URL. Copy and save the URL. This URL is configured when you edit the SAML assertion in the third-party identity provider to map VMware Identity Manager users.

    IdP Hostname

    If the Hostname text box displays, enter the host name where the identity provider is redirected to for authentication. If you are using a non-standard port other than 443, you can set the host name as Hostname:Port. For example, myco.example.com:8443.

  4. Click Add.

What to do next

  • Add the authentication method of the identity provider to the services default policy. See Apply Authentication Methods to Policy Rules.

  • Edit the third-party identity provider's configuration to add the SAML Signing Certificate URL that you saved.