VMware Workspace ONE Access Connector (Windows) 20.01 | January 2020 | Build Workspace ONE Access Connector 20.01.0 Installer.exe

See what's new for April 2020

What's in the Release Notes

This release note covers the following topics:

What's New for Workspace ONE Access Releases

April 2020 Release

Updated the third-party identity provider page in admin console with an option to send subject information in SAML

Added an option to pass the Subject, when available, in the SAML request for third-party identity providers. This feature is disabled by default.

Install Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running Workspace ONE Access 19.03 connector

The recommendation that the Windows servers for the 20.01.0.1 connectors be separate from your legacy connector servers still stands. However, in situations where it is not possible to procure a new machine, you can install the 20.01.0.1 Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running the Workspace ONE Access 19.03 connector and then migrate your legacy connector. Before you install any of these services on the Windows server, you must increase the CPU and memory on the machine, because two versions of the connector will be running until the migration is complete. Increase the CPU and memory to meet the needs of both the 19.03 and 20.01.0.1 connectors per the Sizing guidelines. After the migration is complete, you can stop the 19.03 connector and uninstall it.

Sizing Requirement for the Connector

Support LDAP signing and LDAP channel binding

See the VMware KB article 77158 Support LDAP Signing and LDAP Channel Binding with VMware Workspace ONE Access, Identity Manager.

Note: You do not need to apply the hot fix mentioned in the KB article. The Workspace ONE Access 20.01.0.1 patch release includes the hot fix mentioned in the KB article.

After installing Workspace ONE Access connector 20.01.0.1, the functionality of Active Directory over IWA will become incompatible with the StartTLS option. When you upgrade, follow these high-level steps.

  • Disable the StartTLS option in the Active Directory over IWA configuration before upgrading to the 20.01.01 connector.
  • DO NOT enable the StartTLS option in the Active Directory over IWA configuration after installing or upgrading to the 20.01.01 connector.

Okta Universal Directory Integration – Connect Workspace ONE Access with Okta to import user accounts into Workspace ONE. Universal directory integration enables the following scenarios with Okta.

  • Cloud-only Okta Universal Directory
  • Contingent / seasonal workers
  • Hybrid directory environments with on-premises Active Directory + cloud-only users
  • HR mastered users

This integration is based on SCIM, which allows user accounts to be synchronized from Okta to Workspace ONE over an industry standard. Create, update, and delete are supported across users, user attributes, and groups. The existing AirWatch provisioning adapter in Workspace ONE Access can be used to further synchronize these users to Workspace ONE UEM. Once enabled, administrators can offer the full range of Workspace ONE features to these users including the unified catalog, mobile SSO, intelligence, and UEM enrollment. The VMware Workspace ONE SCIM application can be found on the Okta Integration Network (OIN) store.

No migration process is currently in place to migrate an existing Active Directory user over to SCIM, which means existing versus new deployments will benefit differently.

  • A new deployment may take advantage of Universal Directory integration to deploy a single (Okta) connector in order to populate Workspace ONE with a combination of AD and cloud-only users. This leads to an overall simplification of the required connector infrastructure for the combined products.
  • Existing deployments should leave Workspace ONE connectors in place for the purposes of Active Directory users and deploy Universal Directory integration to import cloud-only users, be it contingent workers, HR mastered users, or cloud-only users in a hybrid directory environment.

See SCIM Provisioning from Okta to VMware Workspace ONE Access documentation.

VMware Workspace ONE Access formerly VMware Identity Manager

VMware Workspace ONE Access is the new name for what was called VMware Identity Manager. No functionality has been removed as a result of this name change.

  Revised Connector and Connector Management

  • Ability to install connector components individually. The three components are:
    • Directory Sync service - Syncs users from Active Directory or LDAP directories to the Workspace ONE Access service.
    • User Auth service - Provides Password (cloud), RSA SecurID (cloud), and RADIUS (cloud) deployments.
    • Kerberos Auth service - Provides Kerberos authentication for internal users.
  • Improved and simplified connector configuration and life cycle management
    • Functional configuration of the Directory Sync service and the auth method services is moved to the Workspace ONE Access service. Configuration for Directory Sync is in the Identity & Access Management > Directories page. Configuration of User Auth and Kerberos Auth methods is in the Identity & Access Management > Enterprise Authentication Methods page in the Workspace ONE Access console. No configuration details are stored in the connector.
    • You can easily add and remove connectors as needed.
  • Directory Sync
    • Improved stability and reduced resource needs
    • Directory Sync is now driven from the Workspace ONE Access service. Users can easily add more Directory Sync nodes in the Directory Configuration page in the console for Sync high availability.
    • The ability to perform a dry run of the sync has been removed.
    • Test Directory button is removed. When the directory configuration is saved, the Directory Sync service tests the directory configuration in Active Directory.
    • Two sync options are now available in the UI, sync with safeguards and sync without safeguards. These actions can be performed from either the list of directories in the Identity & Access Management > Directories page, or from a specific directory landing page.
    • When an IWA directory is created, only the domain saved to the database in the directory's Domains tab is shown. The admin must select the refresh button to see all the domains that have two-way trust relationship with the base domain.
    • The directory's Group tab shows the Group DNs that are saved and the mapped groups from the DB. Calls are not automatically made to the Directory Sync service to fetch additional details, such as the number of groups in the container. You must explicitly click the Select button to run the Active Directory query to fetch the number of groups for the specific group DN.
    • Saved user attribute mapping, user DNs, group DNs, safeguards, and sync schedule configurations are not sent to the Directory Sync service on the connector. These configurations are saved in the Workspace ONE Access service DB because the Directory Sync service is stateless.

Internationalization

VMware Workspace ONE Access is available in the following languages.

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Taiwan
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

Component Compatibility

Windows Server Supported

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Web Browser Supported

  • Mozilla Firefox, latest version
  • Google Chrome 42.0 or later
  • Internet Explorer 11
  • Safari 6.2.8 or later
  • Microsoft Edge, latest version

Database Supported

  • MS SQL 2012, 2014, 2016, 2017

Directory Server Supported

  • Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
  • OpenLDAP - 2.4.42
  • Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (11.1.1.7.0)
  • IBM Tivoli Directory Server 6.3.1

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

For system requirements, see the VMware Workspace ONE Access Installation guides for 20.01 on the Workspace ONE Access documentation center.

VMware Workspace ONE Access Connector 20.01.0.0 (Windows)

The VMware Workspace ONE Access connector is an on-premises component of VMware Workspace ONE Access that integrates with your on-premises infrastructure. The connector is a collection of enterprise services that can be installed individually or together on Windows servers. The following service components can be installed.

  • Directory Sync service to sync users from your enterprise directories
  • User Auth service that includes Password (cloud), RSA SecurID (cloud), and RADIUS (cloud)
  • Kerberos Auth service for Kerberos authentication

Migrating to Workspace ONE Access 20.01 Connectors

When you upgrade to Workspace ONE Access, to use the new Workspace ONE Access 20.01 connectors, you install one or more 20.01 connectors and then migrate your existing directories and authentication methods from the 19.03 connectors to the new connectors.

The Windows servers for the 20.01 connectors must be separate from your legacy connector servers. During the migration process, you will switch between using the older connectors and the new connectors to test the migration. The 19.03 legacy connector servers must be running during the migration process. Do not uninstall the 19.03 connectors until the migration is complete.

See the Connector Migration Guide in the Workspace ONE Access Documentation Center.

Before You Migrate

  • Make sure that all legacy connectors to migrate are at 19.03.
  • Before migrating RSA SecurID Authentication to the 20.01 connector, you must clear the Node Secret on the RSA Security console.

April Patch Release Changes for Upgrade

A new installer is available for Workspace ONE Access connector for Windows. Use the installer to upgrade from version 20.01 to 20.01.0.1.

Remember that after installing Workspace ONE Access connector 20.01.0.1, the functionality of Active Directory over IWA will become incompatible with the StartTLS option. When you upgrade, follow these high-level steps.

  1. Disable the StartTLS option in the Active Directory over IWA configuration before upgrading to the 20.01.01 connector.
  2. DO NOT enable the StartTLS option in the Active Directory over IWA configuration after installing or upgrading to the 20.01.01 connector.

Virtual Applications

The Workspace ONE Access 20.01 connector does not support Virtual Apps (Citrix, Horizon, Horizon Cloud, and ThinApp integrations). If your environment includes Virtual Apps or you plan to use Virtual Apps in the future, do not migrate to Workspace ONE Access 20.01 connectors.

To use virtual apps with Workspace ONE Access 20.01, you must use VMware Identity Manager connector version 19.03.

  • VMware Identity Manager Integration Broker 19.03 | April 2019 | Build 13221855 works only with VMware Identity Manager connector version 19.03.

To use VMware ThinApp with Workspace ONE Access 20.01, you must use VMware Identity Manager Linux-based connector appliance version 2018.8.1. If you use ThinApp packages, do not upgrade to the 19.03 or the 20.01 version of VMware Workspace ONE Access connector.

  • VMware Identity Manager Desktop 3.2 | March 2018 | Build 7952055 is used with ThinApp packages

Documentation

The VMware Workspace ONE Access 20.01 documentation is in the VMware Workspace ONE Access Documentation Center.

Resolved Issues from the April Patch Release

  • HW-108342 - A Workspace ONE Access type of identity provider that is associated with Legacy Connectors cannot be deleted. However, a Workspace ONE Access type of identity provider that is associated with 20.01 or 20.01.0.1 connectors can be deleted.
  • HW-113389 - Fixed an issue that completes the logout process after login via Kerberos authentication method.
  • HW-113635 - Workspace ONE Access Connector installer “Configuration File” screen now has a clickable “Next” button.
  • HW-113793, HW-115494 - Workspace ONE Access Connector works as expected when an outbound HTTP proxy is configured.
  • HW-113896 - Workspace ONE Access Connector can sync users from Oracle Directory Server Enterprise Edition where VLV pagination is used.
  • HW-114221 - The 19.03 connectors were able to connect to the SAAS service using websocket through an outbound proxy. This fix brings that feature to 20.01 connectors.
  • HW-114250 - When a directory is deleted, any associated third-party identity provider will not be deleted as part of directory deletion. This is done to keep the flexibility for the third-party identity provider to be reused again with another directory. The third-party identity provider can be deleted manually, if desired.
