Configure Access Policies in VMware Identity Manager

Now that we've created our Third Party IDP for AD FS in VMware Identity Manager, the access policy has to actually use the authentication methods we created for it. By default, the access policy rules authenticate domain users with the Password (AirWatch Connector) method. We will replace those rules so that domain users are sent to the AD FS authentication methods instead, while local users keep authenticating with their local passwords.

1. Edit the Access Policy

  1. Click Identity & Access Management
  2. Click Policies
  3. Click the default_access_policy_set to edit it

2. Remove Current Policy Rules and Create A New Policy Rule

We will start with a blank slate for our Policy Rules for the purposes of this lab in order to clearly highlight which policy rules will be handling the AD FS authentication methods. Keep this admin session open until the new rules are saved and verified from a second browser: a policy set with a missing or mis-ordered rule can lock out every user, administrators included.

  1. Click the Configuration tab.
  2. Click the X on the default policy rule for the Web Browser device type to remove it.
  3. Click the X on the default policy rule for the Workspace ONE App device type to remove it.
  4. Click Add Policy Rule.

3. Create Policy Rule for Local Users

This policy rule allows our local (System Domain) users to log in with their local passwords. Note that it is not restricted to a group, so it matches every user, which is why its position in the list matters later.

  1. Select ALL RANGES for the network range
  2. Select All Device Types for the content origin
  3. Select Authenticate using... as the action
  4. Set the authentication method as Password (Local Directory)

3.1. Save the Policy Rule

  1. Scroll down to find the Save button.
  2. Click Save.

4. Add New Policy Rule

Click Add Policy Rule to add another Policy Rule.

5. Create a Policy Rule for Domain Users

This policy rule allows our Domain (corp.local) users to log in by leveraging the AD FS authentication methods we set up earlier as part of our 3rd Party Identity Provider configuration.

  1. Select ALL RANGES for the network range
  2. Select All Device Types for the content origin
  3. Enter "[email protected]" into the user groups search field
  4. Click the [email protected] result to select the group.

5.1. Configure the Authentication Methods for the Policy Rule

  1. Scroll down to find the additional configuration options
  2. Select Authenticate using... as the action
  3. Set the 1st authentication method as SAML Kerberos
  4. Set the fallback authentication method as Windows Authentication
  5. Click Add fallback method
  6. Set the 2nd fallback authentication method as SAML Password
  7. Click Save

This Policy Rule will first attempt to authenticate our users via Kerberos with AD FS. Should that fail or be inapplicable (for example, a browser that is not on a domain-joined machine), Windows Authentication will be attempted. Lastly, if all other methods have failed or been inapplicable, SAML Password authentication will be attempted.

6. Re-Order the Policy Rules

Policy rules are evaluated from the top of the list down, and the first rule whose network range, device type and group all match the user is the one applied; later rules are never consulted. The rule we created for local users has no group restriction, so it matches every user, domain users included. Our AD FS rule for domain users must therefore be processed first, otherwise domain users are prompted for Password (Local Directory) and never reach AD FS.

  1. Click and drag the handle for the policy rule we just created for AD FS to the top of the list.
    NOTE - This will be the rule with the Authentication column listed as SAML Kerberos+2
  2. Click Next.

7. Save the Updated Policy Rules

Click Save.
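To make the ordering requirement from step 6 concrete, here is a small model of first-match policy evaluation. It is an added example written for this page, not VMware code, and it only mimics the documented behaviour: rules are checked top to bottom, the first rule whose network range, device type and group all match supplies the authentication chain, and the chain is walked from the first method through its fallbacks. The rule names, the group name "DomainUsers", the network name and the user records are constructed for the illustration.

```python
"""Model of first-match evaluation of a VMware Identity Manager access policy set.

Added example, not VMware's code. Rule names, the group "DomainUsers",
the network name and the users below are constructed for illustration.
"""
from dataclasses import dataclass, field

ANY_RANGE = "ALL RANGES"
ANY_DEVICE = "All Device Types"


@dataclass
class Rule:
    name: str
    methods: list[str]                  # first method, then fallbacks in order
    network_range: str = ANY_RANGE
    device_type: str = ANY_DEVICE
    groups: list[str] = field(default_factory=list)  # empty = any user


@dataclass
class User:
    name: str
    groups: set[str]
    can_use: set[str]                   # methods this user is able to satisfy


def rule_matches(rule: Rule, user: User, network: str, device: str) -> bool:
    """A rule applies when range, device type and (if scoped) a group all match."""
    if rule.network_range not in (ANY_RANGE, network):
        return False
    if rule.device_type not in (ANY_DEVICE, device):
        return False
    return not rule.groups or bool(set(rule.groups) & user.groups)


def select_rule(policy: list[Rule], user: User, network: str, device: str):
    """First matching rule wins; rules further down are never consulted."""
    for rule in policy:
        if rule_matches(rule, user, network, device):
            return rule
    return None


def authenticate(policy, user, network="corp-lan", device="Web Browser"):
    """Return the method that would be used, or None if the user is denied."""
    rule = select_rule(policy, user, network, device)
    if rule is None:
        return None
    # Walk the chain: first method, then each fallback, stopping at the
    # first one the user can satisfy (the lab's chain is SAML Kerberos,
    # then Windows Authentication, then SAML Password).
    for method in rule.methods:
        if method in user.can_use:
            return method
    return None


# Constructed rules mirroring the lab: an unscoped local rule and a
# group-scoped AD FS rule.
LOCAL_RULE = Rule("Local users", ["Password (Local Directory)"])
ADFS_RULE = Rule(
    "Domain users via AD FS",
    ["SAML Kerberos", "Windows Authentication", "SAML Password"],
    groups=["DomainUsers"],     # assumed group name standing in for the lab's group
)

WRONG_ORDER = [LOCAL_RULE, ADFS_RULE]     # list as it stands after step 5
CORRECT_ORDER = [ADFS_RULE, LOCAL_RULE]   # list after the drag in step 6

# Constructed users.
DOMAIN_USER_ON_LAN = User("jdoe@corp.local", {"DomainUsers"},
                          {"SAML Kerberos", "Windows Authentication", "SAML Password"})
DOMAIN_USER_REMOTE = User("jdoe@corp.local", {"DomainUsers"}, {"SAML Password"})
LOCAL_ADMIN = User("admin", set(), {"Password (Local Directory)"})


if __name__ == "__main__":
    for label, policy in (("wrong order", WRONG_ORDER), ("correct order", CORRECT_ORDER)):
        for u in (DOMAIN_USER_ON_LAN, DOMAIN_USER_REMOTE, LOCAL_ADMIN):
            print(f"{label:14} {u.name:18} -> {authenticate(policy, u)}")
```

With the local rule on top, both domain users land on Password (Local Directory) and are denied; once the AD FS rule is moved to the top, the on-network user gets SAML Kerberos, the remote user falls through to SAML Password, and the local admin is still caught by the second rule.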
