You can integrate NSX with VMware Identity Manager (vIDM), which provides identity management services. The vIDM deployment can be a standalone vIDM host or a vIDM cluster.
Note: The new product name for VMware Identity Manager is VMware Workspace ONE Access.
The vIDM host or all the vIDM cluster components should have a certificate signed by a certificate authority (CA). Otherwise, logging in to vIDM from NSX Manager might not work with certain browsers, such as Microsoft Edge or Internet Explorer 11. For information about installing a CA-signed certificate on vIDM, see the VMware Identity Manager documentation at https://docs.vmware.com/en/VMware-Identity-Manager/index.html.
When you register NSX Manager with vIDM, you specify a redirect URI that points to NSX Manager. You can provide either the fully qualified domain name (FQDN) or the IP address. It is important to remember whether you use the FQDN or the IP address. When you try to log in to NSX Manager through vIDM, you must specify the host name in the URL the same way, that is, if you use the FQDN when registering the manager with vIDM, you must use the FQDN in the URL, and if you use the IP address when registering the manager with vIDM, you must use the IP address in the URL. Otherwise, login will fail.
- vIDM has a known CA-signed certificate.
- vIDM has the connector CA certificate trusted on the vIDM service side.
- vIDM uses outbound connector mode.
You must configure your DNS servers to have PTR records if you are not using Virtual IP or an external load balancer (this means that the manager is configured using the physical IP or FQDN of the node).
If you configure vIDM to be integrated with an external load balancer, you must enable session persistence on the load balancer to avoid issues such as pages not loading or a user being unexpectedly logged out.
If the vIDM deployment is a vIDM cluster, the vIDM load balancer must be configured for SSL termination and re-encryption.
With vIDM enabled, you can still log in to NSX Manager with a local user account if you use the URL https://<nsx-manager-ip-address>/login.jsp?local=true
.
If you use the UserPrincipalName (UPN) to log in to vIDM, authentication to NSX might fail. To avoid this issue, use a different type of credentials, for example, SAMAccountName.
If using NSX Cloud, you can log in to CSM separately using the URL https://<csm-ip-address>/login.jsp?local=true
Prerequisites
- Verify that you have the certificate thumbprint from the vIDM host or the vIDM load balancer, depending on the type of vIDM deployment (a standalone vIDM host or a vIDM cluster). The command to obtain the thumbprint is the same in both cases. See Obtain the Certificate Thumbprint from a vIDM Host.
- Verify that NSX Manager is registered as an OAuth client to vIDM. During the registration process, note the client ID and the client secret. For more information, see the VMware Identity Manager documentation at https://docs.vmware.com/en/VMware-Workspace-ONE-Access/3.3/idm-administrator/GUID-AD4B6F91-2D68-48F2-9212-5B69D40A1FAE.html. When you create the client, you only need to do the following:
- Set Access Type to Service Client Token.
- Specify a client ID.
- Expand the Advanced field and click Generate Shared Secret.
- Click Add.
NSX Cloud Note: If using NSX Cloud, also verify that CSM is registered as an OAuth client to vIDM.