VMware Identity Manager is integrated in the vRealize Automation appliance, and provides tenant identity management.

VMware Identity Manager synchronizes with the Rainpole Active Directory domain. The users and groups that require access to vRealize Automation are synchronized into VMware Identity Manager. Authentication is performed against the Active Directory domain, while directory searches are made against the local Active Directory mirror on the vRealize Automation appliance.

Figure 1. VMware Identity Manager Proxies Authentication Between Active Directory and vRealize Automation


Tenant authentication is based on the VMware Identity Manager instance that is integrated in vRealize Automation. Authentication takes place against the Active Directory domain, but searches are made against the local Active Directory mirror on the vRealize Automation appliance.

Table 1. Design Decisions on Active Directory Authentication for Tenants in vRealize Automation

Decision ID: SDDC-CMP-045

Design Decision: Use Active Directory with Integrated Windows Authentication as the Directory Service connection option.

Design Justification: Rainpole uses a single-forest, multiple-domain Active Directory environment. Integrated Windows Authentication supports establishing trust relationships in a multi-domain or multi-forest Active Directory environment.

Design Implication: The vRealize Automation appliances must be joined to the Active Directory domain.

By default, the vRealize Automation appliance is configured with 18 GB of memory, which is enough to support a small Active Directory environment. An Active Directory environment is considered small if fewer than 25,000 users in the organizational unit (OU) have to be synchronized. An Active Directory environment with more than 25,000 users is considered large and needs additional memory and CPU. For more information on sizing your vRealize Automation deployment, see the vRealize Automation documentation.
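The sizing rule above depends on how many users actually sit in the OU you intend to synchronize, and the justification for SDDC-CMP-045 depends on the forest being single-forest, multi-domain. The following PowerShell script is an added example, not part of the VMware Validated Design or of any vRealize Automation tooling; it assumes the RSAT ActiveDirectory module is available on the workstation and uses a hypothetical OU distinguished name (OU=vRA-Sync,DC=rainpole,DC=local) that you would replace with the OU you plan to synchronize. It lists the forest's domains, counts the users and groups in scope with a paged query, and classifies the environment against the 25,000-user threshold, treating exactly 25,000 as large to stay on the conservative side.

```powershell
# Added example, not code from the VMware Validated Design or from VMware.
# Assumptions: RSAT ActiveDirectory module is installed; the OU below is
# hypothetical and must be replaced with the OU selected for synchronization.
Import-Module ActiveDirectory

$SearchBase = 'OU=vRA-Sync,DC=rainpole,DC=local'   # assumed OU, adjust to your sync OU
$Threshold  = 25000                                  # small/large boundary stated in the design

# Confirm the single-forest, multi-domain layout that justifies SDDC-CMP-045
$forest = Get-ADForest
Write-Host ("Forest {0} contains {1} domain(s): {2}" -f `
    $forest.Name, $forest.Domains.Count, ($forest.Domains -join ', '))

# Paged queries so a large OU does not run into LDAP result-size limits
$users  = Get-ADUser  -Filter * -SearchBase $SearchBase -SearchScope Subtree -ResultPageSize 1000
$groups = Get-ADGroup -Filter * -SearchBase $SearchBase -SearchScope Subtree -ResultPageSize 1000

$userCount  = @($users).Count
$groupCount = @($groups).Count

# Fewer than 25,000 users is "small"; 25,000 or more is treated as "large" (conservative)
$sizing = if ($userCount -lt $Threshold) { 'small' } else { 'large' }

[pscustomobject]@{
    SearchBase = $SearchBase
    Users      = $userCount
    Groups     = $groupCount
    Sizing     = $sizing
}

if ($sizing -eq 'large') {
    Write-Warning ("{0} users in scope: the default 18 GB appliance memory is not " +
                   "sufficient; size the appliance per the vRealize Automation documentation." -f $userCount)
}
```

Run the script from a domain-joined Windows host with an account that can read the target OU; the user count it reports is the figure to compare against the 25,000 threshold before choosing appliance memory and CPU.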

The connector is a component of the vRealize Automation service and performs the synchronization of users and groups between Active Directory and the vRealize Automation service. In addition, the connector is the default identity provider and authenticates users to the service.

Table 2. Design Decisions on Connector Configuration in vRealize Automation

Decision ID: SDDC-CMP-046

Design Decision: To support Directory Service high availability, configure a second and a third connector that correspond to the second and third vRealize Automation appliances.

Design Justification: This design supports high availability by deploying three vRealize Automation appliances behind load-balanced NSX Edge instances. Adding the second and third connectors to the directory configured on the first vRealize Automation appliance provides redundancy and improves performance by load balancing authentication requests.

Design Implication: You must use NSX load balancing in the implementation.