Manual Chapter : Integrating APM with VMware Identity Manager

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 13.1.1, 13.1.0
Manual Chapter

Overview: Processing VDI traffic for VMware Identity Manager

You can configure Access Policy Manager® (APM®) so that when users launch certain VDI resources (VMware View or Citrix applications) from a VMware Identity Manager portal, the traffic from those resources goes through APM.

APM supports processing traffic for VDI resources launched from VMware Identity Manager with this configuration only:

  • An access profile configured for LTM+APM.
  • Form-based SSO.
Note: APM does not support SSL offloading in this configuration.

Task summary

VMware Identity Manager and DNS configuration requirements

To integrate Access Policy Manager® (APM®) with VMware Identity Manager, you need to meet configuration requirements that are external to APM:

  • VMware Identity Manager must be configured to point to no more than one View pod.
  • The FQDN for the virtual server that you configure to process SSL traffic from APM to VMware Identity Manager must be the same as the FQDN for VMware Identity Manager.

Configuring forms-based SSO for VMware Identity Manager

You configure form-based SSO with the settings specified in this procedure to meet Access Policy Manager® (APM®) requirements for integration with VMware Identity Manager.
  1. On the Main tab, select Access > Single Sign-On > Form Based .
    The Form Based screen opens.
  2. Click Create.
    The New SSO Configuration screen opens.
  3. In the Name field, type a name for the SSO configuration.
  4. For Use SSO Template, select None.
    The screen refreshes to display additional settings.
  5. In the Credentials Source area, retain the default values for the settings.
  6. In the SSO Configuration area, for Start URI type this string: /hc/t/*.
  7. For Pass Through, select Enable.
  8. For Form Method, retain the default value POST.
  9. For Form Parameter For User Name, type username.
  10. For Form Parameter for Password, type password.
  11. For Successful Logon Detection Match Type, select By Resulting Redirect URL.
  12. For Successful Logon Detection Match Value, type /SAAS/apps/*.
  13. Click Finished.

Configuring an access profile for VMware Identity Manager

You configure an access profile to support the LTM-APM profile type and with single domain SSO to meet Access Policy Manager® (APM®) requirements for integration with VMware Identity Manager.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: A access profile name must be unique among all access profile and any per-request policy names.
  4. From the Profile Type list, select LTM-APM or All.
    The LTM-APM profile type supports web access management configuration. The All profile type supports LTM-APM.
    Additional settings display.
  5. In the SSO Across Authentication Domains (Single Domain mode) area:
    1. For SSO Configuration, select the form-based SSO configuration you created for VMWare Identity Manager earlier.
    2. Retain default settings for Domain Cookie (blank) and Cookie Options (with only the Secure check box selected).
  6. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  7. Click Finished.

Configuring an access policy for SSO

To support SSO, you configure an access policy with any type of authentication that Access Policy Manager® (APM®) supports and you cache credentials with SSO Credentials Mapping.
Note: This example uses Active Directory authentication.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Logon tab, select Logon Page and click the Add Item button.
    The Logon Page Agent properties screen opens.
  5. Click Save.
    The properties screen closes and the policy displays.
  6. On a policy branch, click the (+) icon to add an item to the policy.
  7. On the Authentication tab, select AD Auth.
    A properties screen displays.
  8. For Server, select one from the list.
    Active Directory authentication servers are configured in the Access > Authentication area of the Configuration utility.
  9. Click Save.
    The properties screen closes and the policy displays.
  10. On a policy branch, click the (+) icon to add an item to the policy.
  11. On the Assignment tab, select SSO Credential Mapping and click Add Item.
    A properties screen opens.
  12. Click Save.
    The properties screen closes and the policy displays.
Click the Apply Access Policy link to apply and activate your changes to this access policy.

Creating a pool for VMware Identity Manager

You create a pool to specify the VMware Identity Manager to integrate with Access Policy Manager® (APM®).
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. In the Resources area, using the New Members setting, add the VMware Identity Manager that you want to include in the pool:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. In the Service Port field, type 443, which is the default; otherwise, type the port number configured for your VMware Identity Manager.
    3. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Configuring an HTTPS virtual server

Before you start, you need to have configured a connectivity profile in Access Policy Manager® (APM®). (Default settings are acceptable.)
You create this virtual server for SSL traffic from APM to VMware Identity Manager.
Note: This is one of two virtual servers that you must configure to process traffic for VMware Identity Manager. Use the same destination IP address for each one.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the HTTP Profile list, select http.
  7. For the SSL Profile (Client) setting, in the Available box, select a profile name, and using the Move button, move the name to the Selected box.
  8. For the SSL Profile (Server) setting, select pcoip-default-serverssl.
  9. From the Source Address Translation list, select Auto Map.
  10. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  11. From the Connectivity Profile list, select the connectivity profile.
  12. From the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  13. Locate the Resources area of the screen and from the Default Persistence Profile list, select one of these profiles:
    • cookie - This is the default cookie persistence profile. Cookie persistence is recommended.
    • source_addr - This is the default source address translation persistence profile. Select it only when the cookie persistence type is not available.
  14. For Default Pool, select the pool you configured earlier.
  15. Click Finished.

Configuring a UDP virtual server for PCoIP traffic

Before you start, you must have configured a virtual server to process HTTPS traffic. You need to know the destination IP address of that virtual server.
You create this virtual server to support a PC over IP (PCoIP) data channel for View Client traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address.
    Note: Type the same IP address as for the virtual server that processes HTTPS traffic
  5. In the Service Port field, type 4172.
  6. From the Protocol list, select UDP.
  7. From the Source Address Translation list, select Auto Map.
  8. In the Access Policy area, from the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  9. Click Finished.

VMware clients and APM integration with VMware Identity Manager

For launching VMware View resources from VMware Identity Manager, Access Policy Manager® (APM®) supports the VMware Horizon View client on the desktop and on mobile platforms (iOS and Android) for Blast and PCoIP protocols.

Note: APM does not support the Horizon HTML5 client for launching VMware View resources from VMware Identity Manager.