This module will guide you through on how to setup Identity Bridging to provide Single Sign On (SSO) to legacy Web Application using Kerberos Constrained Delegation (KCD).

Unified Access Gateway in identity bridging mode acts as the service provider that passes user authentication to the configured legacy applications. VMware Identity Manager acts as an identity provider and provides SSO into SAML applications. When users access legacy applications that require KCD or header-based authentication, Identity Manager authenticates the user. A SAML assertion with the user's information is sent to the Unified Access Gateway. Unified Access Gateway uses this authentication to allow users to access the application.

During the lab you will:

  • Deploy an UAG Appliance with two NICs, one facing internet and the second one dedicated to Management and Backend access, in addition to that the Web Reverse Proxy configuration to access the Intranet will be automatically configured during deployment.
  • Configure Internet Information Server (IIS) to support Kerberos Authentication
  • Configure Kerberos Delegation on the Service Account
  • Configure Identity Bridging on Unified Access Gateway
  • Configuring WebApp (SAML) on VMware Identity Manager
  • Test external access to an internal Web Application using SSO through Identity Bridging (SAML -> Kerberos)


This manual covers Unified Access Gateway 3.4 integrated with VMware Identity Manager 3.2.0, both hosted on vSphere 6.5 U1.

1. Prerequisites

All of the following pre-requisites are already installed for this Module, the following information is just for your reference.

To configure Identity Bridging in Unified Access Gateway, you must use specific versions of VMware products.

  • vSphere ESX host with a vCenter Server.
  • PowerShell script runs on Windows 8.1 or later machines or Windows Server 2008 R2 or later.
  • The Windows machine running the script must have VMware OVF Tool command installed.
  • You must install OVF Tool 4.3 or later from
  • Download the following Virtual Appliance image from VMWare.
    • VMware Unified Access Gateway (UAG) OVA file e.g. .euc-access-point-3.X.X.X-XXXXXXXXXXX.ova.
    • VMware Identity Manager (vIDM) OVA file e.g. .euc-identity-manager-3.2.X.X-XXXXXXXXXXX.ova.
  • For both Appliance refer to VMware Product Interoperability Matrixes to determine the version to download.
  • Download the correct UAG PowerShell script, it's name uagdeploy-VERSION.ZIP file and extract the files into a folder on your Windows machine. The scripts are host here
  • Network access from the UAG Backend services NIC to the internal website used on the reverse proxy.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.