VMware Identity Manager for Linux 3.3.1 | October 2019 | Build 14635482
VMware Identity Manager (Windows) 3.3.1 | October 2019 | Build VMware Identity Manager Connector 2019.9.1.0 Installer.exe
Release date: October 17, 2019
Updated: December 8, 2020
NEW 12/08/2020 This release has been determined to be impacted by CVE-2020-4006. Fixes and workarounds are available to address this vulnerability. For more information, see VMSA-2020-0027.
What's in the Release Notes
The release notes cover the following topics:
- Products that can upgrade to VMware Identity Manager 3.3.1
- What's New in 3.3.1
- Compatibility, Installation, and Upgrade
- Known Issues
- VMware vRealize products such as vRealize Automation, vRealize Suite Lifecycle Manager (vRSLCM), vRealize Operations, vRealize Business, vRealize Log Insight, and vRealize Network Insight for Authentication and SSO
- Only the vRealize products that are deployed and managed through vRSLCM can consume VMware Identity Manager 3.3.1.
- vRSLCM now handles a brand-new installation of VMware Identity Manager 3.3.1 or an upgrade to 3.3.1 from an earlier version of Identity Manager.
- VMware NSX-T Data Center for Authentication and SSO
- NSX-T can be deployed with VMware Identity Manager 3.3.1 or upgraded to 3.3.1 from an earlier version.
- Enhancements to the IDP hostname validation
- The IDP hostname is validated to make sure that it is a valid fully qualified domain name.
- Administrators can control the visibility of “Change to a different domain” on the login page
- End users will not see the option to “Change to a different domain” on the login pages if the administrator toggles a checkbox.
- Extended the group membership matching logic to support a SAML attribute that is a string array
- Allows multiple user groups to be sent in the SAML assertion. This offers support for "usergroups" sent as an array in a multi-value attribute, as part of the SAML assertion.
- Support for RADIUS auth per directory
- Allows RADIUS authentication to be configured per directory.
- REST API to revoke refresh tokens
- OAuth2 refresh tokens are long-lived. This API allows a user to revoke a refresh token, or an admin to revoke the refresh token on behalf of the user.
VMware Identity Manager 3.3 is available in the following languages.
- Simplified Chinese
- Portuguese (Brazil)
VMware vCenter™ and VMware ESXi™ Compatibility
VMware Identity Manager appliance supports the following versions of vSphere and ESXi.
- 6.5 U3, 6.7 U2, 6. U3
Windows Server Supported
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Web Browser Supported
- Mozilla Firefox, latest version
- Google Chrome 42.0 or later
- Internet Explorer 11
- Safari 6.2.8 or later
- Microsoft Edge, latest version
- Postgres 9.6.15
- MS SQL 2012, 2014, and 2016
Directory Server Supported
- Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
- OpenLDAP - 2.4.42
- Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (126.96.36.199.0)
- IBM Tivoli LDAP - IBM Security Directory Server 6.3.1
VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.
Verified VMware Identity Manager integration with Citrix Virtual Apps & Desktops (previously XenApp & XenDesktop) versions 7 1808 and 7.18. Tested use case was with the end users doing internal and external launches (via Netscaler) of their entitled Citrix resources from the Workspace ONE portal.
For other system requirements, see the VMware Identity Manager Installation guides for 3.3 on the VMware Identity Manager Documentation center.
Upgrading to VMware Identity Manager Service 3.3 (Linux)
To upgrade to VMware Identity Manager for Linux 3.3.1, see Upgrading VMware Identity Manager 3.3.1 (Linux) on the VMware Identity Manager Documentation center. During the upgrade, all services are stopped, so if only one connector is configured, plan the upgrade with the expected downtime in mind.
You must upgrade to VMware Identity Manager version 3.3 and then upgrade to VMware Identity Manager 3.3.1.
Important: Before you start the upgrade to 3.3.1, edit the /etc/init.d/horizon-workspace script. Replace the line
# Should-Start: $named $remote_fs $time hzn-sysconfig elasticsearch thinapprepo
with
# Should-Start: $named $remote_fs $time hzn-sysconfig thinapprepo
Save the file and proceed with the upgrade.
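The edit above can be scripted so that it is backed up, idempotent, and verified before the upgrade starts. The following is an added example, not part of the VMware release notes; the function name fix_should_start and the default backup directory /root are assumptions.

```shell
#!/bin/sh
# Added example (not VMware code). The two lines are copied from the note above.
OLD_LINE='# Should-Start: $named $remote_fs $time hzn-sysconfig elasticsearch thinapprepo'
NEW_LINE='# Should-Start: $named $remote_fs $time hzn-sysconfig thinapprepo'

# fix_should_start SCRIPT [BACKUP_DIR]
# BACKUP_DIR (assumed default: /root) keeps the copy out of /etc/init.d.
# Returns 0 when SCRIPT carries NEW_LINE and no longer OLD_LINE,
# 1 on I/O failure, 2 when neither expected line is present.
fix_should_start() {
    script=$1
    backup_dir=${2:-/root}
    backup="$backup_dir/$(basename "$script").orig"

    [ -f "$script" ] || { echo "not found: $script" >&2; return 1; }

    if ! grep -qxF "$OLD_LINE" "$script"; then
        if grep -qxF "$NEW_LINE" "$script"; then
            echo "already updated: $script"
            return 0
        fi
        echo "no matching Should-Start line in $script; edit it by hand" >&2
        return 2
    fi

    # Copy with mode and timestamps preserved, then rewrite the original in
    # place from the copy so its owner and permissions are untouched.
    cp -p "$script" "$backup" || return 1
    awk -v old="$OLD_LINE" -v new="$NEW_LINE" \
        '$0 == old { print new; next } { print }' "$backup" > "$script" || {
        cp -p "$backup" "$script"   # roll back on failure
        return 1
    }

    # Verify the result before reporting success.
    grep -qxF "$NEW_LINE" "$script" && ! grep -qxF "$OLD_LINE" "$script"
}

# Usage on the appliance, as root: fix_should_start /etc/init.d/horizon-workspace
```

A return code of 2 means the header differs from both lines in the note, for example because of trailing whitespace, and the file should be inspected manually.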
Note: When you upgrade to VMware Identity Manager 3.3.1 for Linux, if you see the following error message and the upgrade is aborted, follow these steps to update the certificate. After the certificate is updated, restart the upgrade.
"Certificate auth configuration update required for tenant <tenantName> prior to upgrade. Pre-update check failed, aborting upgrade."
- Log in to the VMware Identity Manager console.
- Navigate to Identity & Access Management > Setup.
- In the Connectors page, click the link in the Worker column.
- Click the Auth Adapters tab, then click CertificateAuthAdapter.
- In the Uploaded CA Certificates section, click the red X next to the certificate to remove it.
- In the Root and intermediate CA Certificates section, click Select File to re-add the certificate.
- Click Save.
VMware Identity Manager Connector 3.3.1 (Windows)
A new installer is available for VMware Identity Manager Connector for Windows. Use the installer to upgrade from VMware Enterprise System Connector or to install the VMware Identity Manager Connector.
VMware Identity Manager Connector (Linux)
You cannot upgrade from VMware Identity Manager Connector for Linux 3.3.0 (2018.8;1.0) to 3.3.1.
The VMware Identity Manager 3.3 documentation is in the VMware Identity Manager Documentation center. The 3.3.1 upgrade guide can be found under VMware Identity Manager 3.3 in the Installation & Architecture section.
- User portal is not enabled in clustered setup
In a clustered setup, the catalog is not enabled by default. To access the catalog in a clustered setup, the API needs to be called using the load balancer hostname.
Use the following API to enable the catalog. API details: GET https://$HOSTNAME/SAAS/jersey/manager/api/commoncatalog/enable Authorization : HZN
- Unable to add an IWA AD if an LDAP AD (different domain) is already associated with the given connector
When an IWA directory is added, the /etc/hosts file is modified if the domain is different from the server domain. If another IWA directory is created after that, creation fails. You will need to edit the /etc/hosts file to create an IWA directory the next time.
Manually edit the hosts file entries. See KB article 67773 at https://ikb.vmware.com/s/article/67773.
- Errors seen in Horizon logs when database failover happens
When a database failover happens, EH cache-related errors are seen in horizon.log. Restarting the server resolves the error.
Restart the service of the old master database node.