The Identity Manager is integrated directly into the vRealize Automation appliance and provides tenant identity management. The vIDM service synchronizes directly with the Rainpole Active Directory domain. Important users and groups are synced with the Identity Manager. Authentication always takes place against the Active Directory domain, but searches are made against the local Active Directory mirror on the vRealize Automation appliance.

Tenant authentication is based on VMware Identity Manager, which is integrated in vRealize Automation. Authentication takes place against the Active Directory domain, but searches are made against the local Active Directory mirror on the vRealize Automation appliance.

VMware Identity Manager Proxies Authentication Between Active Directory and vRealize Automation

Active Directory Authentication Decision

Decision ID: SDDC-CMP-047

Design Decision: Choose Active Directory with Integrated Windows Authentication as the Directory Service connection option.

Design Justification: Rainpole uses a single-forest, multiple-domain Active Directory environment. Integrated Windows Authentication supports establishing trust relationships in a multi-domain or multi-forest Active Directory environment.

Design Implication: Requires that the vRealize Automation appliances are joined to the Active Directory domain.

By default, the vRealize Automation appliance is initially configured with 18 GB of memory, which is enough to support a small Active Directory environment. An Active Directory environment is considered small if fewer than 25,000 users in the organizational unit (OU) have to be synced. An Active Directory environment with more than 25,000 users is considered large and needs additional memory and CPU. See the vRealize Automation sizing guidelines for details.

The connector is a component of the vRealize Automation service and performs the synchronization of users and groups between Active Directory and the vRealize Automation service. In addition, the connector is the default identity provider and authenticates users to the service.

Connector Configuration Decision

Decision ID: SDDC-CMP-048

Design Decision: To support Directory Service high availability, configure a second connector that corresponds to the second vRealize Automation appliance.

Design Justification: This design supports high availability by installing two vRealize Automation appliances and using load-balanced NSX Edge instances. Adding the second connector to the second vRealize Automation appliance ensures redundancy and improves performance by load balancing authentication requests.

Design Implication: This design simplifies the deployment while leveraging robust built-in HA capabilities. This design uses NSX for vSphere load balancing.