Typically, when you initially configure Directories Management, you use the connectors supplied with your existing vRealize Automation infrastructure to create an Active Directory connection for user ID and password-based authentication and management. Alternatively, you can integrate Directories Management with other authentication solutions such as Kerberos or RSA SecurID.

The identity provider instance can be the Directories Management connector instance, third-party identity provider instances, or a combination of both.

The identity provider instance that you use with the Directories Management service creates an in-network federation authority that communicates with the service using SAML 2.0 assertions.

When you initially deploy the Directories Management service, the connector is the initial identity provider for the service. Your existing Active Directory infrastructure is used for user authentication and management.

The following authentication methods are supported. You configure these authentication methods from the administration console.

Table 1. User Authentication Types Supported by Directories Management

Authentication Types


Password (on-premise deployment)

Without any configuration after Active Directory is configured, Directories Management supports Active Directory password authentication. This method authenticates users directly against Active Directory.

Kerberos for desktops

Kerberos authentication provides domain users with single sign-in access to their apps portal. Users do not need to sign in again after they sign in to the network.

Certificate (on-premise deployment)

Certificate-based authentication can be configured to allow clients to authenticate with certificates on their desktop and mobile devices or to use a smart card adapter for authentication.

Certificate-based authentication is based on what the user has and what the person knows. An X.509 certificate uses the public key infrastructure standard to verify that a public key contained within the certificate belongs to the user.

RSA SecurID (on-premise deployment)

When RSA SecurID authentication is configured, Directories Management is configured as the authentication agent in the RSA SecurID server. RSA SecurID authentication requires users to use a token-based authentication system. RSA SecurID is an authentication method for users accessing Directories Management from outside the enterprise network.

RADIUS (on-premise deployment)

RADIUS authentication provides two-factor authentication options. You set up the RADIUS server that is accessible to the Directories Management service. When users sign in with their user name and passcode, an access request is submitted to the RADIUS server for authentication.

RSA Adaptive Authentication (on-premise deployment)

RSA authentication provides a stronger multi-factor authentication than only user name and password authentication against Active Directory. When RSA Adaptive Authentication is enabled, the risk indicators specified in the risk policy set up in the RSA Policy Management application and the Directories Management service configuration of adaptive authentication are used to determine the required authentication prompts.

Mobile SSO (for iOS)

Mobile SSO for iOS authentication is used for single sign-on authentication for AirWatch-managed iOS devices. Mobile SSO (for iOS) authentication uses a Key Distribution Center (KDC) that is part of the Directories Management service. You must initiate the KDC service in the VMware Identity Manager service before you enable this authentication method.

Mobile SSO (for Android)

Mobile SSO for Android authentication is used for single sign-on authentication for AirWatch-managed Android devices. A proxy service is set up between the Directories Management service and AirWatch to retrieve the certificate from AirWatch for authentication.

Password (AirWatch Connector)

The AirWatch Cloud Connector can be integrated with the Directories Management service for user password authentication. You configure the Directories Management service to sync users from the AirWatch directory.

Users are authenticated based on the authentication methods, the default access policy rules, network ranges, and the identity provider instance you configure. After the authentication methods are configured, you create access policy rules that specify the authentication methods to be used by device type.
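
The way network range and device type select the authentication methods can be modelled as follows. This is an added example, not VMware's code or policy schema: the Rule fields, the range names, the first-match ordering and the treatment of listed methods as fallbacks are assumptions of this model, and the addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                  # hypothetical rule shape, for illustration only
    network: str             # name of a configured network range
    device_type: str         # "web", "ios", "android" or "any"
    methods: tuple           # authentication methods, tried in order as fallbacks

# Constructed sample network ranges: one internal range and a catch-all.
NETWORK_RANGES = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "all": [ipaddress.ip_network("0.0.0.0/0")],
}

# Evaluated top to bottom; the first matching rule wins (assumption of this model).
RULES = [
    Rule("internal", "web", ("Kerberos", "Password")),
    Rule("all", "ios", ("Mobile SSO (for iOS)",)),
    Rule("all", "android", ("Mobile SSO (for Android)",)),
    Rule("all", "web", ("RSA SecurID",)),
]

def in_range(client_ip, range_name):
    """True if client_ip falls inside any subnet of the named range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in NETWORK_RANGES.get(range_name, []))

def required_methods(client_ip, device_type, rules=RULES):
    """Methods of the first matching rule; an empty tuple means deny (fail closed)."""
    for rule in rules:
        if rule.device_type in ("any", device_type) and in_range(client_ip, rule.network):
            return rule.methods
    return ()

def audit_password_on_catch_all(rules=RULES):
    """Rules that let any source address fall back to a password-only sign-in."""
    return [r for r in rules
            if r.network == "all" and any(m.startswith("Password") for m in r.methods)]
```

Running the audit over an exported rule set before a change goes live shows whether a catch-all rule would let sign-ins from outside the enterprise network succeed with a single factor.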