In the VMware Workspace ONE Access™ service, formerly known as VMware Identity Manager, you can manage the following types of authentication services.

  • User Auth service. User Auth service provides Password (cloud deployment), RSA SecurID (cloud deployment), and RADIUS (cloud deployment) authentication methods associated to the Workspace ONE Access service from a built-in identity provider.
  • Kerberos Auth service. Kerberos Auth service provides the connector-based Kerberos authentication for internal users managed from the Workspace ONE Access identity provider.
  • Cloud-based authentication methods managed from the Workspace ONE Access service and associated to a built-in identity provider.
  • Authentication managed by third-party identity providers.

To set up the authentication methods from the User Auth service or the Kerberos Auth service, you install a Workspace ONE Access connector on a Windows server and select the authentication services to install.

You can install both authentication services on one connector or the authentication services can be installed on separate connectors. To determine if more than one connector is required, review the sizing requirements in the Workspace ONE Access Connector Installation guide.

To use the User Auth services authentication methods, directories are configured in the Workspace ONE Access service to sync users from your enterprise directory to the directory in the service.

To install the authentication services, see the Installing Workspace ONE Access Connector guide. The connector is an on-premises component of the Workspace ONE Access service.

The following are the connector-based authentication methods that are enabled and configured from the Enterprise Authentication Methods page in the Workspace ONE Access console.

Authentication Methods Description

Password (cloud deployment)

For password (cloud) authentication, users are synced from your enterprise directory and are authenticated directly against your enterprise directory.

You can select the option to set up password authentication when you configure the directory. You can also set up password authentication later from the Enterprise Authentication Methods page in the Workspace ONE Access console.

RSA SecurID (cloud deployment) To use the RSA SecurID (cloud deployment) authentication method with Workspace ONE Access, the Workspace ONE Access server is configured as the authentication agent in the RSA SecurID server. RSA SecurID authentication requires users to use a token-based authentication system. RSA SecurID is an authentication method for users accessing Workspace ONE Access from outside the enterprise network.

RADIUS (cloud deployment)

RADIUS (cloud deployment) authentication provides two-factor authentication options. You set up a RADIUS server that is accessible to the User Auth service on the connector. When users sign in with their user name and passcode, an access request is submitted to the RADIUS server for authentication.
Kerberos Auth Kerberos authentication provides users who are successfully signed in to their Active Directory domain, access to their apps portal without additional prompts for their credentials. Kerberos authentication uses Integrated Windows Authentication (IWA).

The following are the authentication methods associated to the Workspace ONE Access service. These authentication methods and do not require a Workspace ONE Access connector.

Authentication Method Description

Certificate (cloud deployment)

Certificate-based authentication can be configured to allow clients to authenticate with certificates on their desktop and mobile devices or to use a smart card adapter for authentication.

Certificate-based authentication is based on what the user has and what the person knows. An X.509 certificate uses the public key infrastructure standard to verify that a public key contained within the certificate belongs to the user.

Mobile SSO (for Android) Mobile SSO for Android is a certificate proxy authentication used for single sign-in authentication for Workspace ONE UEM-managed Android devices. A proxy service is set up between the Workspace ONE Access service and Workspace ONE UEM to retrieve the certificate from Workspace ONE UEM for authentication.
Mobile SSO (for iOS) Mobile SSO for iOS authentication is used for single sign-in authentication on Workspace ONE UEM-managed iOS devices. Mobile SSO for iOS authentication uses a Key Distribution Center (KDC) that is part of the Workspace ONE Access service.
Password (AirWatch Connector) The AirWatch Cloud Connector can be integrated with the Workspace ONE Access service for user password authentication. You configure the Workspace ONE Access service to sync users from the Workspace ONE UEM directory.

VMware Verify

VMware Verify can be used as the second authentication method when two-factor authentication is required. The first authentication method is user name and password, and the second authentication method is a VMware Verify requested approval or code.

After the authentication methods are configured, you create access policy rules that specify the authentication methods to be used by device type. Users are authenticated based on the authentication methods, the default access policy rules, network ranges, and the identity provider instance you configure. See Managing Access Policies in Workspace ONE Access That Apply to Users.