Several concepts related to Active Directory are integral to understanding how Directories Management integrates with your Active Directory environments.
The connector, a component of the service, performs the following functions.
Syncs user and group data between Active Directory and the service.
When used as an identity provider, authenticates users to the service.
The connector is the default identity provider. For the authentication methods the connector supports, see VMware Identity Manager Administration. You can also use third-party identity providers that support the SAML 2.0 protocol. Use a third-party identity provider for an authentication type the connector does not support, or for an authentication type the connector does support if the third-party identity provider is preferable under your enterprise security policy.
Note: Even if you use third-party identity providers, you must configure the connector to sync user and group data.
The Directories Management service has its own concept of a directory, which uses Active Directory attributes and parameters to define users and groups. You create one or more directories and then sync those directories with your Active Directory deployment. You can create the following directory types in the service.
Active Directory over LDAP. Create this directory type if you plan to connect to a single Active Directory domain environment. For the Active Directory over LDAP directory type, the connector binds to Active Directory using simple bind authentication.
Active Directory, Integrated Windows Authentication. Create this directory type if you plan to connect to a multi-domain or multi-forest Active Directory environment. The connector binds to Active Directory using Integrated Windows Authentication.
The type and number of directories that you create vary depending on your Active Directory environment, such as single domain or multi-domain, and on the type of trust used between domains. In most environments, you create one directory.
The service does not have direct access to Active Directory. Only the connector has direct access to Active Directory. Therefore, you associate each directory created in the service with a connector instance.
When you associate a directory with a connector instance, the connector creates a partition for the associated directory called a worker. A connector instance can have multiple workers associated with it. Each worker acts as an identity provider. You define and configure authentication methods per worker.
The connector syncs user and group data between Active Directory and the service through one or more workers.
You cannot have two workers of the Integrated Windows Authentication type on the same connector instance.