Several concepts related to Active Directory are integral to understanding how the VMware Identity Manager service integrates with your Active Directory environment.

The connector, a component of the service, performs the following functions.

Syncs user and group data between Active Directory and the service.

When being used as an identity provider, authenticates users to the service.

The connector is the default identity provider. You can also use a third-party identity provider that supports the SAML 2.0 protocol, either for an authentication type the connector does not support, or for an authentication type the connector does support when your enterprise security policy prefers the third-party provider.

If you use third-party identity providers, you can either configure the connector to sync user and group data or configure Just-in-Time user provisioning. See the Just-in-Time User Provisioning section in VMware Identity Manager Administration for more information.

The VMware Identity Manager service has its own concept of the directory that syncs to Active Directory. This directory uses Active Directory attributes and parameters to define users and groups. You create one or more directories and then sync those directories with your Active Directory deployment. You can create the following directory types in the service.

Active Directory over LDAP. Create this directory type if you plan to connect to a single Active Directory domain environment. For the Active Directory over LDAP directory type, the connector binds to Active Directory using simple bind authentication. Simple bind sends the bind account's password to the domain controller in cleartext unless the connection is protected with TLS (LDAPS), so protect that connection and give the bind account only the read access it needs.

Active Directory, Integrated Windows Authentication. Create this directory type if you plan to connect to a multi-domain or multi-forest Active Directory environment. The connector binds to Active Directory using Integrated Windows Authentication.

The type and number of directories that you create varies depending on your Active Directory environment, such as single domain or multi-domain, and on the type of trust used between domains. In most environments, you create one directory.

The service does not have direct access to Active Directory. Only the connector has direct access to Active Directory. Therefore, you associate each directory created in the service with a connector instance.

When you associate a directory with a connector instance, the connector creates a partition for the associated directory called a worker. A connector instance can have multiple workers associated with it. Each worker acts as an identity provider. You define and configure authentication methods per worker.

The connector syncs user and group data between Active Directory and the service through one or more workers.

You cannot have two workers of the Integrated Windows Authentication type on the same connector instance.
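As a planning aid for the rules above (single domain versus multi-domain directory type, one worker per directory, no two Integrated Windows Authentication workers on one connector instance), here is an added Python example. It is not VMware code and does not talk to Active Directory: it takes a constructed description of forests, domains and forest trusts and produces the directories to create and their placement on connector instances. Beyond what this page states, it assumes that forests with no trust between them cannot share one directory and so each gets its own, and it treats a forest trust as symmetric; the forest, domain and connector names are made up.

```python
"""Plan VMware Identity Manager directories and connector workers for an AD environment.

Constructed example, not VMware code. It models the rules on this page:
 - single domain            -> "Active Directory over LDAP" directory (simple bind)
 - multi-domain or multi-forest -> "Active Directory, Integrated Windows Authentication"
 - each directory is attached to one connector instance, which hosts it as a worker
 - a connector instance may not host two IWA workers
Assumption not stated on the page: forests without a trust between them cannot be
covered by one directory, so each trust group gets its own directory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

LDAP = "Active Directory over LDAP"
IWA = "Active Directory, Integrated Windows Authentication"


@dataclass
class Forest:
    """One AD forest: its domains and the names of forests it has a forest trust with."""
    name: str
    domains: List[str]
    trusts: Set[str] = field(default_factory=set)


@dataclass
class Directory:
    """A directory as created in the service, backed by one connector worker."""
    name: str
    kind: str            # LDAP or IWA
    forests: List[str]
    domains: List[str]


def trust_groups(forests: List[Forest]) -> List[List[Forest]]:
    """Group forests joined by forest trusts, directly or transitively (union-find).
    Trust is treated as symmetric here; that is an assumption, a one-way trust
    needs a closer look in a real plan."""
    parent = {f.name: f.name for f in forests}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for f in forests:
        for other in f.trusts:
            if other in parent:
                parent[find(f.name)] = find(other)
    groups: Dict[str, List[Forest]] = {}
    for f in forests:
        groups.setdefault(find(f.name), []).append(f)
    return list(groups.values())


def plan_directories(forests: List[Forest]) -> List[Directory]:
    """Decide directory type and count from the shape of the environment."""
    plan = []
    for group in trust_groups(forests):
        domains = [d for f in group for d in f.domains]
        # one forest with one domain is the single-domain case; anything else needs IWA
        kind = LDAP if len(group) == 1 and len(domains) == 1 else IWA
        plan.append(Directory(
            name="dir-" + "-".join(sorted(f.name for f in group)),
            kind=kind,
            forests=sorted(f.name for f in group),
            domains=domains,
        ))
    return plan


def assign_workers(directories: List[Directory], connectors: List[str]) -> Dict[str, List[str]]:
    """Attach each directory to a connector instance, which hosts it as a worker.
    A connector may host many workers but at most one IWA worker (rule on this page).
    Raises ValueError when the IWA directories outnumber the connector instances."""
    workers: Dict[str, List[str]] = {c: [] for c in connectors}
    iwa_on: Set[str] = set()
    # place IWA directories first so the one-per-connector limit is checked early
    for d in sorted(directories, key=lambda d: d.kind != IWA):
        if d.kind == IWA:
            free = [c for c in connectors if c not in iwa_on]
            if not free:
                raise ValueError(f"no connector instance left for IWA directory {d.name}")
            target = free[0]
            iwa_on.add(target)
        else:
            # LDAP workers have no such limit; spread them by current load
            target = min(connectors, key=lambda c: len(workers[c]))
        workers[target].append(d.name)
    return workers


if __name__ == "__main__":
    # constructed environment: one standalone domain plus two forests joined by a trust
    env = [
        Forest("corp.example", ["corp.example"]),
        Forest("a.example", ["a.example", "child.a.example"], {"b.example"}),
        Forest("b.example", ["b.example"]),
    ]
    for d in plan_directories(env):
        print(d.name, "->", d.kind, d.domains)
    print(assign_workers(plan_directories(env), ["connector-1"]))
```

Run it as a script to see the plan for the constructed environment; the interesting case is two forests that do not trust each other and each have more than one domain, which yields two IWA directories and therefore needs two connector instances.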

For any Active Directory integrated with the VMware Identity Manager service, security settings such as user password complexity rules and account lockout policies must be set in Active Directory directly. VMware Identity Manager does not override these settings.