Symantec VIP Authentication for VMware Identity Manager

Do you want to integrate 3rd-party identity provider functionality into the VMware Identity Manager authentication workflow? Then you are in luck! Today’s post explains how to enable Symantec VIP authentication for VMware Identity Manager access.


VMware Identity Manager is an Identity as a Service (IDaaS) product offered by VMware. Since it is a stand-alone product, it does not require 3rd-party integrations to authenticate end users. However, integrating a 3rd-party authentication solution with VMware Identity Manager might make sense or be necessary in certain cases. That’s where Symantec Validation and Identity Protection (VIP), a centralized service for managing user credentials, comes into the picture. Integrate Symantec VIP with VMware Identity Manager to implement single- or multi-factor authentication into vIDM via Symantec VIP.

Symantec VIP Authentication for VMware Identity Manager Workflows

Prior to attempting integration, it makes sense to review the configuration options. Since there are multiple ways to integrate Symantec VIP with VMware Identity Manager, this post explains two common options.

Single-Factor Authentication with Symantec VIP

This method uses Symantec VIP as the only authentication factor for accessing the VMware Identity Manager portal and its applications.

The workflow begins when an end user first opens the VMware Identity Manager portal. VMware Identity Manager redirects the end user to Symantec VIP, which challenges the user for their credentials. The end user then provides their credentials, which Symantec VIP validates. After validation, Symantec VIP redirects the end user back to the VMware Identity Manager portal. Once connected to the portal, end users access any managed application through single sign-on.

Multi-Factor Authentication with Symantec VIP

This method uses Symantec VIP as the second authentication factor for accessing the VMware Identity Manager portal or specific applications. Multi-factor authentication is ideal for organizations with complex security requirements.

The workflow begins when an end user first opens the VMware Identity Manager portal. VMware Identity Manager then challenges the user for their credentials. In response to the challenge, the end user provides their credentials. Then, after validating the credentials, VMware Identity Manager redirects the end user to Symantec VIP with a SAML request. Since the SAML request contains a NameID, Symantec VIP uses the NameID to issue an authentication challenge. The end user then responds to the challenge, and Symantec VIP validates their response. Once authentication completes, the end user is redirected to the VMware Identity Manager portal. End users can now access any managed application from the portal through single sign-on.

Want to see the workflow in action? Then check out this VMware Identity Manager + Symantec VIP demo.

Integrate Symantec VIP Authentication for VMware Identity Manager

Once you’ve reviewed the available workflows, determine whether you want to use Symantec VIP for single- or multi-factor authentication. Once decided, you’re ready to begin integration! Complete the following steps to get started.

1. Obtain the VMware Identity Manager Service Provider Metadata

  1. Open the VMware Identity Manager Administrative Console.
  2. Navigate to Catalog > Settings.
  3. From the menu on the left, select SAML Metadata.
  4. On the Download SAML Certificate window, click Service Provider (SP) Metadata.
  5. Save the file as sp.xml.

2. Download the VMware Identity Manager Signing Certificate

  1. Open the VMware Identity Manager Administrative Console.
  2. Navigate to Catalog > Settings.
  3. From the menu on the left, select SAML Metadata.
  4. On the Download SAML Certificate window, click Download.
  5. Save the file as signingCertificate.cer.

3. Configure Symantec VIP Login

  1. Open the VIP Manager Administrative Console.
  2. Navigate to Policies > VIP Login > Edit.
  3. Next to Import Metadata File, click Choose File.
  4. Select sp.xml.
  5. Next to Verification Certificate, click Choose File.
  6. Select signingCertificate.cer.
  7. Click Save.

4. If Configuring Single-Factor Symantec VIP Authentication, Enable VIP PIN and Set a PIN code.

  1. Open Symantec VIP.
  2. Navigate to Policies > Account > Edit.
  3. Configure the VIP PIN policy settings.
    • Require a minimum number of characters.
    • Set character requirements.
    • Configure an expiration date for the PIN.
    • Set the number of unique PINs required before the user can reuse a PIN.

5. Download Symantec VIP Metadata

  1. Open Symantec VIP.
  2. Navigate to Policies > VIP Login.
  3. Download the metadata for single- or multi-factor Symantec VIP Authentication for VMware Identity Manager:
    • VIP Login IdP (Second Factor Only) - Download the metadata XML to enable multi-factor authentication with Symantec VIP.
    • VIP Login IdP (First and Second Factor) - Download the metadata XML to enable single-factor authentication with Symantec VIP.

6. Add Symantec VIP as a 3rd-party IDP in VMware Identity Manager

  1. Open the VMware Identity Manager Administrative Console.
  2. Navigate to Identity & Access Management > Manage > Identity Providers > Add Identity Provider.
  3. Complete the fields to add an identity provider:
    • Identity Provider Metadata - Paste the SAML metadata from the file saved in Step 5.
    • Name ID Format - Appears as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
    • Name ID Value - Select according to your environment.
    • Name ID Policy in SAML Request - Appears as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
    • Authentication Method - Select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.

7. Define Policy and Policy Rule

Define the policy and policy rule for single- or multi-factor Symantec VIP Authentication.

  • Single-factor - Set the first authenticator in the authentication chain to the authentication method defined in Step 6.
  • Multi-factor - Set the second authenticator in the authentication chain to the authentication method defined in Step 6.

To learn more about configuring policies, refer to the chapter Managing Access Policies in the VMware Identity Management Admin Guide.
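Steps 1, 2 and 5 above exchange three files (sp.xml, signingCertificate.cer and the VIP Login IdP metadata), and a mismatch between them is the usual cause of a failed SAML handshake. The following is an added example, not code from the original post or from VMware or Symantec: a small pre-flight check that parses both metadata documents, confirms the separately downloaded signing certificate is the one advertised in sp.xml, confirms the IdP offers the NameID format configured in Step 6, and flags any non-HTTPS endpoint. The embedded metadata and certificate bytes are constructed stand-ins (hostnames under example.invalid, a placeholder certificate) and are not real vIDM or VIP output.

```python
"""Pre-flight consistency check for the SAML metadata exchanged between
VMware Identity Manager (the SP) and Symantec VIP (the IdP).
The sample metadata below is constructed for this example; it is not real output."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# NameID format shown in Step 6 of the post.
EXPECTED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed placeholders: base64 of arbitrary bytes, NOT real X.509 certificates.
FAKE_CERT_B64 = base64.b64encode(b"constructed-placeholder-sp-signing-cert").decode()
FAKE_IDP_CERT_B64 = base64.b64encode(b"constructed-placeholder-idp-signing-cert").decode()

# Constructed stand-in for sp.xml (Step 1); hostnames are assumptions.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://vidm.example.invalid/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EXPECTED_NAMEID}</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vidm.example.invalid/SAAS/auth/saml/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the VIP Login IdP metadata (Step 5).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://vip.example.invalid/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_IDP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EXPECTED_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://vip.example.invalid/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for signingCertificate.cer (Step 2), PEM-wrapped.
SIGNING_CER_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"


def _der_bytes(pem_or_b64: str) -> bytes:
    """Strip PEM armour and whitespace, then base64-decode to the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64)
    return base64.b64decode("".join(body.split()))


def cert_fingerprint(pem_or_b64: str) -> str:
    """SHA-256 fingerprint of a certificate given as PEM or bare base64."""
    return hashlib.sha256(_der_bytes(pem_or_b64)).hexdigest()


def _signing_certs(role) -> list:
    """Certificates usable for signing: KeyDescriptor use="signing" or no use attribute."""
    certs = []
    for kd in role.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":
            certs += ["".join(c.text.split()) for c in kd.iter(f"{{{DS}}}X509Certificate")]
    return certs


def parse_sp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "signing_certs": _signing_certs(sp),
        "nameid_formats": [n.text.strip() for n in sp.findall(f"{{{MD}}}NameIDFormat")],
        "acs_urls": [a.get("Location") for a in sp.findall(f"{{{MD}}}AssertionConsumerService")],
    }


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": _signing_certs(idp),
        "nameid_formats": [n.text.strip() for n in idp.findall(f"{{{MD}}}NameIDFormat")],
        "sso_urls": [s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")],
    }


def precheck(sp: dict, idp: dict, signing_cer: str) -> list:
    """Return a list of problems; an empty list means the three files are consistent."""
    findings = []
    if cert_fingerprint(signing_cer) not in {cert_fingerprint(c) for c in sp["signing_certs"]}:
        findings.append("signingCertificate.cer does not match the signing certificate in sp.xml")
    if not sp["authn_requests_signed"]:
        findings.append("sp.xml does not declare AuthnRequestsSigned=true")
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate, so VIP responses cannot be verified")
    if EXPECTED_NAMEID not in idp["nameid_formats"]:
        findings.append(f"IdP metadata does not offer {EXPECTED_NAMEID}")
    for url in sp["acs_urls"] + idp["sso_urls"]:
        if not url.startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {url}")
    return findings


if __name__ == "__main__":
    problems = precheck(parse_sp_metadata(SP_METADATA), parse_idp_metadata(IDP_METADATA), SIGNING_CER_PEM)
    print("metadata consistent" if not problems else "\n".join(problems))
```

In practice you would read the three downloaded files from disk in place of the embedded constants; the certificate comparison is a plain SHA-256 over the DER bytes, so it works without any X.509 library and catches the common mistake of uploading a certificate from a different tenant or from before a key rotation.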

Learn More

  • VMware Identity Manager Documentation
  • VIP Policy Configuration

The post Symantec VIP Authentication for VMware Identity Manager appeared first on VMware End-User Computing Blog.


New Research: Top 10 Identity and Access Management Challenges

As organizations undergo digital transformation, they experience challenges along the way. This is due to the fact that this transformation often requires them to update and/or replace legacy solutions. They also have to implement new ways of securing access from the plethora of devices out there.

We recently fielded a research study with several hundred respondents worldwide to better understand the top identity and access management challenges that customers are facing.

Below are my top three takeaways from the VMware survey:

Takeaway #1: Most organizations allow end users to access corporate resources other than email from a personal device.

Email is often the first app that many of us think about accessing from our personal devices, but the reality is that we need more than that. The research shows that end users also need access to files and internal websites in order to be productive.

IT professionals should be concerned about the risk of data leakage from users accessing confidential information, whether it be on a file share, Microsoft SharePoint or from internal websites. Since personal devices are often not under management by IT, there is a risk that confidential company information can be copied to personal file services.

[Related: Introducing VMware Identity Manager—Identity Management for the Mobile-Cloud Era]

Takeaway #2: BYO is a critical initiative for the majority of organizations.

The majority of organizations have either already developed a bring-your-own (BYO) policy or are in the process of developing one. The reasons for this are clear. Most of us don’t want to go back to the old days, when we could only do work on a corporate device. We want to be able to work anywhere, on any device.

End users also want choice—the choice to pick the device that reflects their work style and personality. Supporting BYO enables organizations to modernize with a flexible, user-friendly approach.

While supporting BYO is user-friendly, organizations need to have a policy that ensures that only the right access is delivered to the right people, on the right device. As we saw in Takeaway #1, most users are doing more than accessing email on their personal devices. It’s not enough to just have a policy—organizations must have the tools in order to enable access from any device without compromising IT security.

[Related: VMware Identity Manager—A BYOD Solution Everyone Can Agree On]

Takeaway #3: Password management is the top identity and access management challenge.

We’ve all been there before. We waited too long, and our password expired. Or we made a change, and somehow that change didn’t trickle down to all of the various systems we need to access.

Password creation, update and deletion (CRUD) is a real issue with real costs that IT wants to reduce. According to various analysts, password resets handled by the help desk can cost up to $70, and unfortunately for the help desk, a significant percentage of help desk calls have to do with passwords.

IT must look at ways to reduce the impact of password CRUD issues in their organization. This is why it’s so important to have solutions in place that eliminate the help desk call—the main source of cost in the equation. Having self-service tools that are easy to use and integrate with existing systems can alleviate much of the pain here.

[Related: Why the Future of the Digital Workspace Hinges on Identity Management]

Take the Next Step


With these challenges in mind, I encourage you to learn more about what other organizations are experiencing by taking a look at the full summary of the research.

Also, take a look at VMware Workspace ONE, the simple and secure enterprise platform that delivers and manages any app on any smartphone, tablet or laptop. It enables organizations to put employees in the driver’s seat to choose their own devices. IT is empowered with the management capabilities necessary to enable secure delivery of applications to those devices with consumer-grade simplicity.

The post New Research: Top 10 Identity and Access Management Challenges appeared first on VMware End-User Computing Blog.


Azure AD Join with VMware Workspace ONE

Secure, timely support for remote Windows users can be tricky.

Imagine your top remote sales rep breaks her laptop before an onsite meeting with a vital client. Does she have time to wait for IT to grab a new laptop, Domain Join it for secure access to corporate resources and then ship it out? Even if there is time, she’ll worry about her meeting, and you’ll get plenty of requests for updates.

Instead, imagine that your rep simply stops by a nearby store for a new laptop. She self-enrolls into your Azure Active Directory (AD) domain using the Windows 10 Getting Started wizard. Her device is automatically protected with VMware Workspace ONE enterprise mobility management (EMM) policies.

When you combine Azure AD Domain Join with the best-in-class Windows 10 management of Workspace ONE, you can ensure security and control over end-user access to resources—even from devices that never touch your internal corporate network.

Azure AD Join automatically protects Windows 10 with Workspace ONE EMM policies.

Secure Azure AD Join with Workspace ONE

Workspace ONE integrates with Azure AD Join to protect remote Windows 10 machines with enterprise mobility policies powered by VMware AirWatch. When an end user follows the Windows 10 setup wizard to join his or her device to your Azure AD instance, Azure AD can automatically enroll the device into Workspace ONE for management.

If you have devices that won’t consistently contact your corporate network, or if you have temporary users such as students or contractors, offering Azure AD Join to your users gives them the following benefits:

  • Easy access to their corporate resources through device enrollment into Workspace ONE;
  • Enterprise-class device security through Workspace ONE EMM;
  • User settings that follow them as they log into different domain-joined devices;
  • Strong but simple authentication with support for biometrics, such as face recognition using Windows Hello for Business and
  • Access to the Windows Store for Business using work or school accounts.

You can find full details on the benefits and prerequisites of Azure AD Join on Microsoft’s site.

Users can choose to Azure AD Join their device from the Windows 10 Getting Started Wizard.

Use Cases for Azure AD Join

Azure AD Join makes Windows 10 management easier than traditional AD Domain Join when you’re working with devices that may not connect to your corporate network or with temporary users (for more information, see this article outlining the pros and cons of Azure AD Join). Common use cases include the following:

  • Remote device registration: Some organizations ship Windows 10 devices to remote employees. If you set up Azure AD domain join, your users can easily join their devices to your domain as part of the Windows 10 setup wizard.
  • Temporary domain membership: If your organization employs temporary workers, such as contractors, or temporary users, such as students, you may choose to domain join them through Azure AD to take advantage of the self-service domain join as part of Windows 10 setup.

Workspace ONE, Azure AD and Office 365

Workspace ONE provides the industry-leading EMM you need to keep your devices and users safe. Learn more about how Workspace ONE protects valuable resources such as Microsoft Office 365 while providing end users with consumer-level ease of use, or contact your VMware account representative for more details.

The post Azure AD Join with VMware Workspace ONE appeared first on VMware End-User Computing Blog.


Unify and Simplify Access Control with VMware Workspace ONE

The New Perimeter for Securing Access from any User or Device

Over the last decade, the workforce experienced a phenomenal transformation. This shift, commonly called digital transformation, made it more difficult than ever before to enable secure access to corporate resources. Changes in workstyles, devices and apps—and how end users expect to interact with productivity tools—exacerbated the problem.

In the past, in order for end users to be productive, all work-related tasks had to be done from a company-purchased Windows desktop or laptop with a locked down corporate image. Today, end users work on multiple devices, with various form factors and operating systems. Many of these devices are not managed by IT, so IT cannot trust the device.

With the diversity of devices, end users now need access to Software-as-a-Service (SaaS) apps, native mobile apps, Windows apps and internal web apps, along with legacy and virtualized apps. In fact, we’re at a point where there are more non-Windows apps than Windows apps. With the proliferation of SaaS apps, more and more application resources move outside the walls of the corporate network, and into the cloud.

The workforce has also changed. In the past, organizations only thought of employees and how those users accessed corporate resources. But organizations now need to think about contingent staff, business partners and in some cases even customers.

In 2015, contingent workers on average made up 18% of the total workforce, yet that number is expected to increase to 40% in 2020.

IT needs to think about how to enable secure access to corporate resources for end users not bound by an employee handbook. More than ever before, IT needs to transform how they think about access control and evolve how they solve for these fundamental shifts in the way people work.

IT Needs a New Access Control Layer


At VMware, we invest a lot of time and effort into thinking about how to enable diverse workstyles that span a broad range of devices and apps. Existing systems for securing access to corporate resources focus on legacy controls: network access control lists, domain membership and only trusting devices with a corporate image. We believe the industry needs to evolve to focus on controlling access based on a new access control layer.

This access control layer is designed to look at the whole picture:

  • Who are you?
  • What do you have access to?
  • Under what conditions will I allow that access?
  • Do I trust the device you’re on?
  • Should I ask for more information?
  • Can I give you limited access to resources?

By looking at the whole picture, IT has peace of mind knowing that access control decisions will be made at the perimeter. Only authorized users will access corporate resources under the conditions that IT has set. This access control layer works across device ownership models, whether the device is corporate-owned, shared or personal.

The VMware Solution to Unify Access Control

At VMware, we have taken to heart this new approach with VMware Workspace ONE. Workspace ONE is a single solution that brings together application access management, unified endpoint management and real-time application delivery into the industry’s only solution for delivering secure digital workspaces to any user on any device.

[Related: Breaking News! New VMware Workspace ONE & AirWatch Product Innovations]

In order to unify access control, we focus on four core areas:

  • Contextual access control: With Workspace ONE we realize that access control decisions must be dynamic, based on context. We built a powerful access control engine based on data across users, devices, applications and network location. That information is then used to make contextual decisions on what a user can access and under what conditions. Based on context, IT can also decide to elevate security (perhaps by asking for a second factor of authentication) or management (by asking the end user to enroll in additional management).
  • Complete visibility into device posture: We take access control decisions to new heights when we combine our access control engine with the information that is delivered by VMware AirWatch. AirWatch, the market-leading enterprise mobility management solution that is part of Workspace ONE, enables us to understand the posture of a device. For example, we can look at whether or not a device has a management profile, a device passcode, the right OS version, application whitelisting and whether it has been jailbroken/rooted.
  • Step-up authentication: Because we baked in VMware Verify, a two-factor authentication (2FA) solution in Workspace ONE, organizations can configure 2FA to all corporate applications or more commonly, to specific applications containing sensitive corporate information. As an example, that means that IT can require 2FA when an end user launches Salesforce on a mobile device from an untrusted network. And with new support for mobile-push authentication to an Apple Watch, that second factor is just a touch away!

[Related: Introducing VMware Verify Two-Factor Authentication]

  • Support for any app and any device: It’s imperative for users to access all of the apps they need to be productive, on the device of their choice. This is critical as end users receive new devices over the holidays, or students start using new devices to start the school year. This also includes having a single portal to access the various app types they need to do their job. That is also why with our latest release, we announced the new VMware Unified Access Gateway that will now support legacy apps that use Kerberos and HTTP headers.

When we bring all of these pieces together, IT benefits from a single, powerful solution that enables secure access to digital workspaces. They have a single access control layer for enabling and configuring access, with the controls necessary to make contextual decisions based on a broad range of criteria.

End users also get a seamless, award-winning experience that drives adoption. The end result is that IT can provide a consumer-simple experience without sacrificing security and control.

To learn more about Workspace ONE, check out the links below:

  • Workspace ONE product page
  • Workspace ONE Hands On Lab


The post Unify and Simplify Access Control with VMware Workspace ONE appeared first on VMware End-User Computing Blog.


Three Screens and a Cloud: Identity in a World of Devices

Charles Barrett, Principal Business Solutions Architect for EUC Strategic Accounts at VMware, talks about the problems companies run into when adopting modern identity management solutions.

Let me tell you a little about my daily routine. I wake up, walk into the kitchen, switch on the kettle and pick up my iPhone to look through the email that accumulated overnight. After seeing the children off to school, on the way to work I start replying to all the accumulated messages from my iPad. In doing so I reach my dashboard and applications from different resources. Then, at my desk, I use a stationary PC. When the day draws to a close, the "smart" sensors in my house react to my return and adjust the temperature and lighting to create a comfortable environment for me.

Just imagine how many different interaction models I use over the course of a day, and you will understand the difficulties companies face in the matter of identity. With only three devices I went through a multitude of access authentication paths, from fingerprint to PIN and passwords. I used several applications, crossed several security boundaries, worked from different locations, and created and updated data. More importantly, I expect user access to data residing on different devices and in different applications to become even simpler, with single sign-on, while remaining completely secure. Multiply these conditions by several thousand employees and you have an opportunity to raise their productivity significantly.

For now, even the term "identity" itself has several meanings depending on context. Users usually take the word to mean passwords, IDs and identity protection. For IT departments it means the technical support of the identification process, the management of passwords and logins, and joiners and leavers. Identity is more than just credentials and a user account. It is the seamless connection of users to content, using a single set of credentials across any application, spanning a multitude of physical and logical boundaries.

Without doubt, this is a serious test for business. Take the education sector, for example: for universities with more than 10,000 students, the start and end of each year is a very difficult time from a technical point of view. Every student arrives with their own devices and expects to use the academic services on them just as on the university's PCs. For the IT department, organizing this is important because it can make students' lives considerably easier. However, it is far from a simple task; it requires serious analysis and confidence that, while meeting users' needs, all services remain sufficiently protected to withstand cyberattacks.

The task of identity has always been the attempt to protect access control and ensure regulatory compliance. Often the solutions were built as disparate technologies with a low level of adaptability and integration. As one would expect, this led to a high cost of ownership for such solutions, which nevertheless delivered little value.

