If you have an existing Workspace ONE UEM deployment, you can integrate VMware Identity Manager with it. You deploy the VMware Identity Manager virtual appliance in the DMZ. In this model, user and group sync from your enterprise directory, and user authentication, are handled by Workspace ONE UEM.

Note that integrating VMware Identity Manager with resources such as Horizon 7 or Citrix-published resources is not supported in this model. Only integration with Web applications and native mobile applications is supported.

Figure 1. Deployment with AirWatch Cloud Connector

Using AirWatch

Note: If you plan to configure Android SSO, enable SSL pass-through on port 5262 at the load balancer in front of VMware Identity Manager.
Note: If you plan to configure certificate authentication on the embedded connector, enable SSL pass-through on the load balancer for the port configured as the certificate authentication SSL pass-through port. The default port is 7443.


You must have the following components:

  • A Workspace ONE UEM (formerly known as AirWatch) server deployment
  • An AirWatch Cloud Connector instance deployed on premises and integrated with your enterprise directory

Port Requirements

The following ports are required to be opened at the load balancer or firewall for the VMware Identity Manager server:
  • Inbound 443 (HTTPS)
  • Inbound 88 (TCP/UDP) - iOS SSO only
  • Inbound 5262 (HTTPS) - Android SSO only
  • Inbound CertAuthSSLPassthroughPort (HTTPS) - Certificate authentication configured on embedded VMware Identity Manager connector only. The default port is 7443.

For Workspace ONE UEM deployment requirements, see the Workspace ONE UEM documentation.

Supported Authentication Methods

This deployment model supports the following authentication methods. These methods are available through the VMware Identity Manager Built-in identity provider.

  • Password (AirWatch Connector)
  • Mobile SSO (for iOS)
  • Mobile SSO (for Android)
  • Device Compliance (with AirWatch)
  • Certificate - uses the embedded VMware Identity Manager connector
  • VMware Verify

In addition, inbound SAML through a third-party identity provider is also available.

Supported Directory Integrations

You integrate your enterprise directory with Workspace ONE UEM. See the Workspace ONE UEM documentation for the types of directories supported.

Supported Resources

You can integrate the following types of resources with VMware Identity Manager in this deployment model:

  • Web applications
  • Native mobile applications

You cannot integrate the following resources with VMware Identity Manager in this deployment model:

  • Horizon 7, Horizon 6, or View desktop and application pools
  • Citrix-published resources
  • ThinApp packaged applications
  • VMware Horizon® Cloud Service™ applications and desktops

Additional Information