You can integrate NSX with VMware Identity Manager (vIDM), which provides identity management services. The vIDM deployment can be a standalone vIDM host or a vIDM cluster.

Note: The new product name for VMware Identity Manager is VMware Workspace ONE Access.

The vIDM host or all the vIDM cluster components should have a certificate signed by a certificate authority (CA). Otherwise, logging in to vIDM from NSX Manager might not work with certain browsers, such as Microsoft Edge or Internet Explorer 11. For information about installing a CA-signed certificate on vIDM, see the VMware Identity Manager documentation at https://docs.vmware.com/en/VMware-Identity-Manager/index.html.

When you register NSX Manager with vIDM, you specify a redirect URI that points to NSX Manager. You can provide either the fully qualified domain name (FQDN) or the IP address, and you must remember which one you used. When you log in to NSX Manager through vIDM, the host name in the URL must take the same form: if you registered the manager with the FQDN, use the FQDN in the URL, and if you registered it with the IP address, use the IP address in the URL. Otherwise, login fails.

If NSX API access is needed, one of the following configurations must be true:
  • vIDM has a known CA-signed certificate.
  • vIDM has the connector CA certificate trusted on the vIDM service side.
  • vIDM uses outbound connector mode.

Note: NSX Managers and vIDM must be in the same time zone. Using UTC is recommended.

You must configure your DNS servers to have PTR records if you are not using Virtual IP or an external load balancer (this means that the manager is configured using the physical IP or FQDN of the node).

If you configure vIDM to be integrated with an external load balancer, you must enable session persistence on the load balancer to avoid issues such as pages not loading or a user being unexpectedly logged out.

If the vIDM deployment is a vIDM cluster, the vIDM load balancer must be configured for SSL termination and re-encryption.

With vIDM enabled, you can still log in to NSX Manager with a local user account if you use the URL https://<nsx-manager-ip-address>/login.jsp?local=true.

If you use the UserPrincipalName (UPN) to log in to vIDM, authentication to NSX might fail. To avoid this issue, use a different type of credentials, for example, SAMAccountName.

If you use NSX Cloud, you can log in to CSM separately using the URL https://<csm-ip-address>/login.jsp?local=true.

Prerequisites

  • Verify that you have the certificate thumbprint from the vIDM host or the vIDM load balancer, depending on the type of vIDM deployment (a standalone vIDM host or a vIDM cluster). The command to obtain the thumbprint is the same in both cases. See Obtain the Certificate Thumbprint from a vIDM Host.
  • Verify that NSX Manager is registered as an OAuth client to vIDM. During the registration process, note the client ID and the client secret. For more information, see the VMware Identity Manager documentation at https://docs.vmware.com/en/VMware-Workspace-ONE-Access/3.3/idm-administrator/GUID-AD4B6F91-2D68-48F2-9212-5B69D40A1FAE.html. When you create the client, you only need to do the following:
    • Set Access Type to Service Client Token.
    • Specify a client ID.
    • Expand the Advanced field and click Generate Shared Secret.
    • Click Add.
    NSX Cloud Note: If using NSX Cloud, also verify that CSM is registered as an OAuth client to vIDM.

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Select System > User Management > Authentication Providers > VMware Identity Manager.
  3. Click Edit.
  4. To enable external load balancer integration, click the External Load Balancer Integration toggle.
    Note: If you have Virtual IP (VIP) set up (check System > Appliances > Virtual IP), you cannot use the External Load Balancer Integration even if you enable it. This is because you can either have VIP or the External Load Balancer while configuring vIDM but not both. Disable VIP if you want to use the External Load Balancer. See Configure a Virtual IP (VIP) Address for a Cluster in the NSX Installation Guide for details.
  5. To enable VMware Identity Manager integration, click the VMware Identity Manager Integration toggle.
  6. Provide the following information.
    Parameter | Description
    VMware Identity Manager Appliance | The fully qualified domain name (FQDN) of the vIDM host or the vIDM load balancer, depending on the type of vIDM deployment (a standalone vIDM host or a vIDM cluster).
    OAuth Client ID | The ID that is created when registering NSX Manager to vIDM.
    OAuth Client Secret | The secret that is created when registering NSX Manager to vIDM.
    SSL Thumbprint | The certificate thumbprint of the vIDM host. It must be an SHA-256 thumbprint.
    NSX Appliance | The IP address or fully qualified domain name (FQDN) of NSX Manager. If you are using an NSX Manager cluster, use the load balancer FQDN or cluster VIP FQDN or IP address. If you specify a FQDN, you must access NSX Manager from a browser using the manager's FQDN in the URL, and if you specify an IP address, you must use the IP address in the URL. Alternatively, the vIDM administrator can configure the NSX Manager client so that you can connect using either the FQDN or the IP address.
  7. Click Save.
  8. If using NSX Cloud, repeat steps 1 through 8 from the CSM appliance by logging in to CSM instead of NSX Manager.
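
Added example (not VMware code): a Python pre-flight check of the step 6 values, covering the SHA-256 thumbprint format and match, the FQDN requirement for the vIDM appliance, the FQDN-versus-IP rule for the login URL, and the VIP and external load balancer conflict. The dictionary keys, host names, and sample certificate bytes are assumptions constructed for illustration, and the URL check assumes the vIDM administrator has not configured the client to accept both forms.

```python
import hashlib
import ipaddress
import re
import ssl
from urllib.parse import urlsplit

# The settings keys used below are hypothetical names, not NSX API field names.
def sha256_thumbprint(pem_cert):
    """SHA-256 over the certificate's DER encoding, as 64 uppercase hex characters."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest().upper()

def normalize_thumbprint(value):
    """Strip colon and space separators; reject anything that is not SHA-256 length."""
    hexval = re.sub(r"[:\s]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hexval):
        raise ValueError("not a SHA-256 thumbprint (expected 64 hex characters)")
    return hexval

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def preflight(settings, pem_cert, login_url):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    try:
        pinned = normalize_thumbprint(settings["ssl_thumbprint"])
        if pinned != sha256_thumbprint(pem_cert):
            problems.append("thumbprint does not match the presented certificate")
    except ValueError as exc:
        problems.append(str(exc))
    if is_ip(settings["vidm_appliance"]):
        problems.append("VMware Identity Manager Appliance must be an FQDN")
    url_host = (urlsplit(login_url).hostname or "").lower()
    if url_host != settings["nsx_appliance"].lower():
        problems.append("login URL host differs from the NSX Appliance value")
    if settings.get("virtual_ip_configured") and settings.get("external_lb"):
        problems.append("VIP is set, so External Load Balancer Integration cannot be used")
    return problems

# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder certificate bytes")
```

To check a live deployment, pass the PEM certificate presented by the vIDM host or load balancer in place of `SAMPLE_PEM`.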