Opening: This is a quick and rough guide to enabling “Password (cloud deployment)” in Omnissa Access as Omnissa documentation does not cover this in detail.
Outcome: This procedure will allow a customer admin to change from direct Password authentication via Omnissa Access Connector(s) to indirect Password (Cloud Deployment) authentication via Omnissa Access Connector(s).
Assumptions:
* An Omnissa Access tenant exists.
* An Omnissa Access admin login is available.
Logic Flow:
Step 1 - Within the Omnissa Access admin console, navigate to Identity & Access Management > (Manage) > Identity Providers. Does the Omnissa Access Built-in Identity Provider exist?
* Yes, continue on to step 2.
* No.
  * Create a new “Built-in” IDP by clicking the ADD IDENTITY PROVIDER button in the upper right.
Step 2 - Is there a Connector assigned to the Built-in IDP?
* Yes, continue on to step 3.
* No.
  * Go into Identity & Access Management > Identity Providers > Built-in (or whatever it might be renamed to). You should see a box in the Connectors section to select (and then add) your connector(s).
  * After selecting your connector, click Add Connector.
  * Repeat these three steps for each connector you wish to add.
Step 3 - Does the Password (Cloud Deployment) box now appear under Connector Authentication Methods within the Built-in IDP?
* Yes, continue on to step 4.
* No, troubleshoot Step 2.
  NOTE: You may need to click the SAVE button and return to the Built-in IDP screen in order to see the box. If one does not appear, ensure your connector(s) are properly added and show with a red X (which allows for deletion).
  * Open a support ticket with VMware Support if necessary.
Step 4 - Is the Password (Cloud Deployment) box checked?
* Yes, continue on to step 5.
* No, check the Password (Cloud Deployment) box.
  * Click the SAVE button at the bottom of the Built-in IDP screen.
Step 5 - Within the Omnissa Access admin console, navigate to Identity & Access Management > (Manage) > Policies and open the default_access_policy_set.
* Edit the default_access_policy_set and navigate to step “2 Configuration” within the EDIT POLICY wizard. Open each policy rule one at a time.
* Does the policy rule show “Password” as the authentication type in the “then the user may authenticate using” drop-down box?
  * If NO, continue on to the next policy rule.
  * If YES, modify the policy rule to replace Password with Password (cloud deployment) and click SAVE.
* If there are no more policy rules, click NEXT and SAVE on the EDIT POLICY wizard.
Step 6 - Do the Password (Cloud Deployment) modifications now work locally and remotely?
* Yes. You are finished.
* No. Troubleshoot policy modifications in step 8. If necessary, open a support ticket with VMware Support.
Resources:
- Configuring Authentication Methods in Omnissa Access
- Managing Connector-Based Authentication Methods in Omnissa Access
- Managing Authentication Methods in the Omnissa Access Identity Providers
- Managing Access Policies in the Omnissa Access Service
Notes on Creating (or recreating) the Built-in IdP: This assumes the default “Built-in” IdP was deleted or not created from the start. In this event, one can just create a new “Built-in” IDP by clicking the ADD IDENTITY PROVIDER button in the upper right and selecting the option in the menu to create a built-in IdP.
Go into Identity & Access Management > Identity Providers > Built-in (or whatever it might be renamed to). You should see a box in the Connectors section to select (and then add) your connector(s). Do so.
Once you finish adding your connector(s), you will see “Password (cloud deployment)” show in the Connectors Authentication Methods section. Check it and click SAVE.
Now go back to Identity & Access Management > Policies and edit your default_authentication_policy and swap out “Password” for “Password (Cloud Deployment)” for ALL policy rules which use “Password”. Save each rule.
Edit each policy rule and change out “Password” for “Password (cloud deployment)”. Click Save on each Policy Rule until all are correctly modified.