IdP Discovery
You configure the IdP Discovery feature using the Application Manager Administrator Web interface. See
Application Manager Administration Help. The IdP Discovery feature works in conjunction with Connector
Authentication mode. IdP Discovery refers to the discovery of identity providers, and the Connector acts as an
identity provider. Therefore, even when users access a URL directly to Application Manager, such as
https://MyOrg.MyDomain.com, properly configured IdP Discovery finds (discovers) the appropriate Connector
instance and redirects users to it. With a single URL, you can provide all users access to the User Web
Interface.
For the IdP Discovery feature to function, you must configure IP address ranges in Application Manager. When
you have multiple Connector instances, the order in which the corresponding Connector records are listed in
Application Manager is important if the IP ranges overlap. In such cases, the first Connector record whose
range includes the user's IP address takes precedence.
CAUTION When you remove or reset a Connector instance, you must remove the corresponding Connector
record from the list of Connector records accessible with the Application Manager Administrator Web
interface.
The IdP Discovery feature typically applies when users attempt to access Application Manager from inside
the enterprise network and when they are on the same domain as the Active Directory instance.
When users within the specified IP address ranges access the provided URL, their request is processed in
Connector Authentication mode and the request is redirected to the Connector. Assuming that Kerberos is
configured, a SAML assertion generated by the Connector is used for authentication and users are granted
access to the User Web interface without being prompted for their username and password. If Kerberos is not
configured, users must provide their username and password on the Connector login page to gain access.
When users outside the specified IP address range use the provided URL, their request is processed in Service
Authentication mode, if you have it enabled, requiring them to provide their username and password on the
Application Manager login page to gain access.
You can configure your Application Manager deployment with IdP Discovery in a variety of ways, one of
which is summarized in the example that follows.
External RSA SecurID and Internal Kerberos Authentication Example of IdP Discovery
This is one possible way to configure IdP Discovery and SecurID in the same
Application Manager deployment. For an overview of configuring RSA
SecurID with the Connector, see Installing and Configuring the Connector. For
this deployment, you configure two Connector instances, both in Connector
Authentication mode.
- Internal - First Connector instance in Connector Authentication mode: You do not configure SecurID for
  this Connector instance. In Application Manager, you configure IP address ranges to include users within
  the enterprise network.
- External - Second Connector instance in Connector Authentication mode: You configure SecurID for this
  Connector instance. In Application Manager, you configure a single IP address range that includes all
  possible users. Therefore, you set the IP address range from 0.0.0.0 to 255.255.255.255.
The result of this configuration is that users attempting to access the User Portal
are authenticated in Connector Authentication mode. Users inside the
enterprise network are authenticated by Kerberos or username/password
authentication. Users outside the enterprise network are authenticated by
SecurID authentication.
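The following is an added illustration, not code from Application Manager or VMware, of the routing logic the sections above describe: an ordered list of Connector records with IP ranges, first match wins, and a fall-through to Service Authentication mode when no range matches. It models the two-Connector example (an internal Kerberos Connector and an external SecurID Connector with the 0.0.0.0 to 255.255.255.255 catch-all range) and shows why listing the catch-all record first would shadow the internal record. The record names, the 10.0.0.0/8 internal range, the sample client addresses and the `find_shadowed` check are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ConnectorRecord:
    """Hypothetical model of one Connector record listed in Application Manager."""
    name: str
    ranges: List[Tuple[str, str]]  # inclusive (first_ip, last_ip) pairs, as entered in the UI
    auth_method: str               # label only: what the Connector uses once reached

def in_range(client_ip: str, first: str, last: str) -> bool:
    """True if client_ip falls inside the inclusive range first..last (same IP version only)."""
    addr = ipaddress.ip_address(client_ip)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if addr.version != lo.version or addr.version != hi.version:
        return False
    return lo <= addr <= hi

def discover_idp(client_ip: str, records: List[ConnectorRecord]) -> Optional[ConnectorRecord]:
    """IdP Discovery: the first record (in list order) whose range contains client_ip wins."""
    for rec in records:
        for first, last in rec.ranges:
            if in_range(client_ip, first, last):
                return rec
    return None

def route_request(client_ip: str, records: List[ConnectorRecord],
                  service_auth_enabled: bool = True) -> Tuple[str, Optional[str]]:
    """Where a request to the single Application Manager URL is sent for authentication."""
    rec = discover_idp(client_ip, records)
    if rec is not None:
        # Inside a configured range: Connector Authentication mode, redirected to that Connector.
        return ("Connector Authentication", rec.name)
    if service_auth_enabled:
        # Outside every range: Service Authentication mode on the Application Manager login page.
        return ("Service Authentication", "Application Manager login page")
    return ("No route", None)

def find_shadowed(records: List[ConnectorRecord]) -> List[str]:
    """Names of records that can never be selected because every one of their ranges is fully
    covered by a range of an earlier record (the overlap/ordering caveat from the text)."""
    shadowed = []
    for i, rec in enumerate(records):
        earlier = [r for prev in records[:i] for r in prev.ranges]
        covered_all = all(
            any(in_range(f, pf, pl) and in_range(l, pf, pl) for pf, pl in earlier)
            for f, l in rec.ranges
        )
        if rec.ranges and covered_all:
            shadowed.append(rec.name)
    return shadowed

# Constructed sample records mirroring the two-Connector example in the text.
INTERNAL = ConnectorRecord("internal-connector", [("10.0.0.0", "10.255.255.255")], "Kerberos")
EXTERNAL = ConnectorRecord("external-connector", [("0.0.0.0", "255.255.255.255")], "SecurID")
CORRECT_ORDER = [INTERNAL, EXTERNAL]   # internal listed first, catch-all last
WRONG_ORDER = [EXTERNAL, INTERNAL]     # catch-all first: internal users would be sent to SecurID

if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.5"):
        print(ip, "correct order ->", route_request(ip, CORRECT_ORDER))
        print(ip, "wrong order   ->", route_request(ip, WRONG_ORDER))
    print("shadowed records in wrong order:", find_shadowed(WRONG_ORDER))
    print("no catch-all, outside IP ->", route_request("203.0.113.5", [INTERNAL]))
```

Running the block shows an internal client reaching the Kerberos Connector only when the internal record precedes the catch-all; with the order reversed, `find_shadowed` reports the internal record as unreachable, which is the configuration mistake the ordering rule above guards against. It also shows that with no catch-all record an outside client lands on the Application Manager login page only while Service Authentication mode is enabled.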
Chapter 2 Introduction to Application Manager
VMware, Inc. 17