1.5

Table 2-3. Connector Authentication Mode: URL Examples (Continued)
| Target | URL Example | Information |
|---|---|---|
| | https://ConnectorHost.MyDomain/authenticate/ | Use this URL for troubleshooting and testing purposes if Kerberos is configured. Replace ConnectorHost and MyDomain with the appropriate values. |
| Specific Applications | https://MyOrg.MyDomain.com/SAAS/API/1.0/GET/federation/request?i=IDP#&s=SP# | When your deployment is production ready, provide this URL to users to give them one-click access to a specific application. Replace the placeholders. For example, replace SP# with the ID number for a specific application. The application ID numbers are available from the Application Manager User application catalog. |
For deployments where Kerberos is configured, the Connector validates user desktop credentials using
Kerberos tickets distributed by the key distribution center (KDC).
In Connector Authentication mode, the Connector acts as a federation server within your network, creating
an in-network federation authority that communicates with Application Manager using SAML 2.0 assertions.
The Connector authenticates the user with Active Directory within the enterprise network (using existing
network security).
One aspect of Connector Authentication mode that matters for troubleshooting is that users can still be
authenticated even when Kerberos fails, and even when Kerberos is not configured at all. In such cases, an
Application Manager redirect takes place, causing the Connector to present users with a login page.
This Connector-supplied login page prompts users to provide their usernames and passwords again for access
to Application Manager. The Connector then validates users against Active Directory.
Connector Authentication Mode and RSA SecurID
After you install the Connector in Connector Authentication mode, you can configure SecurID to provide
additional security. For an overview of using RSA SecurID with the Connector, see Installing and Configuring
the Connector.
You can configure SecurID with or without Kerberos. However, the most common use case is to use SecurID
to authenticate users outside the enterprise network, where Kerberos authentication is not available.
See “IdP Discovery,” on page 17 for more information about configuring two Connector
instances, one instance for users inside the enterprise network and the other for users outside the network.
| RSA SecurID with | Result |
|---|---|
| Kerberos configured | Kerberos authentication takes precedence. Users are only prompted for their SecurID passcode if Kerberos authentication fails. |
| username-password verification as part of Connector Authentication mode | SecurID takes precedence and username-password verification is disabled. Users are prompted for their SecurID passcode. They are never prompted for their Active Directory credentials. |
For various reasons, both intentional and unintentional, Kerberos authentication might not function. For
example, you might intentionally prevent specific users from accessing the enterprise network. Also,
non-Windows machines do not support Kerberos authentication. When Kerberos and SecurID are both configured,
but Kerberos authentication fails, users are prompted for their SecurID passcode.
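The fallback order described in this section, modeled as an added example (it is not VMware's Connector code, and the class and function names are hypothetical). It lets an administrator check which combinations of settings leave the Active Directory password login page reachable when Kerberos does not succeed.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class ConnectorConfig:
    """Hypothetical model of one Connector instance's settings."""
    kerberos_configured: bool
    securid_configured: bool


def resolve_auth(cfg: ConnectorConfig, kerberos_ticket_ok: bool) -> str:
    """Return the mechanism that authenticates the user, per this section's rules."""
    # Kerberos takes precedence whenever it is configured and succeeds.
    if cfg.kerberos_configured and kerberos_ticket_ok:
        return "kerberos"
    # With SecurID configured, username-password verification is disabled:
    # the user gets a passcode prompt, never an Active Directory prompt.
    if cfg.securid_configured:
        return "securid_passcode"
    # Otherwise the Connector presents its login page and validates the
    # username and password against Active Directory.
    return "ad_password_login_page"


def password_fallback_reachable(cfg: ConnectorConfig) -> bool:
    """True if any client (for example one without a ticket) reaches the password page."""
    return any(resolve_auth(cfg, ok) == "ad_password_login_page"
               for ok in (True, False))


def audit() -> dict:
    """Map every (kerberos, securid) combination to its outcomes."""
    report = {}
    for krb, sid in product((True, False), repeat=2):
        cfg = ConnectorConfig(krb, sid)
        report[(krb, sid)] = {
            "ticket_ok": resolve_auth(cfg, True),
            "ticket_fail": resolve_auth(cfg, False),
            "password_fallback": password_fallback_reachable(cfg),
        }
    return report


if __name__ == "__main__":
    for (krb, sid), row in audit().items():
        print(f"kerberos={krb!s:5} securid={sid!s:5} -> {row}")
```

In this model, only the instances with SecurID configured never fall back to the username-password login page, which matches the two-instance layout the section recommends for users outside the network.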
Installing Application Manager
16 VMware, Inc.