When you initially deploy the VMware Identity Manager service, it uses your existing Active Directory infrastructure for user authentication and management. You can integrate the service with other authentication solutions such as Kerberos or RSA SecurID.

The identity provider instance can be the VMware Identity Manager connector instance, third-party identity provider instances, or a combination of both.

The VMware Identity Manager connector is the initial identity provider for the service. This instance is created as an in-network federation authority that communicates with the service using SAML 2.0 assertions. Username and password authentication to Active Directory is the authentication method when you initially deploy the connector service. The default access policy is configured to manage Web browser and native app client types within all network ranges.

The following authentication methods are supported. You can enable and configure these authentication methods from the administration console.

Authentication Types



Without any configuration after Active Directory is configured, VMware Identity Manager supports Active Directory password authentication. This method authenticates users directly against Active Directory.


Kerberos authentication provides domain users with single sign-on access to their apps portal, eliminating the requirement for domain users to sign in to their apps portal again after they log in to the enterprise network. The VMware Identity Manager validates user desktop credentials using Kerberos tickets distributed by the key distribution center (KDC).


Certificate-based authentication can be configured to allow clients to authenticate with certificates on their desktop and mobile devices or to use a smart card adapter for authentication.

Certificate-based authentication is based on what the user has and what the person knows. A X.509 certificate uses the public key infrastructure standard to verify that a public key contained within the certificate belongs to the user.


When RSA SecurID authentication is configured, VMware Identity Manager is configured as the authentication agent in the RSA SecurID server. RSA SecurID authentication requires users to use a token-based authentication system. RSA SecurID is a recommended authentication method for users accessing VMware Identity Manager from outside the enterprise network.


RADIUS authentication provides two-factor authentication options. You set up the RADIUS server that is accessible to the VMware Identity Manager service. When users sign in with their user name and passcode, an access request is submitted to the RADIUS server for authentication.

RSA Adaptive Authentication

RSA authentication provides a stronger multi-factor authentication than only user name and password authentication against Active Directory. When RSA Adaptive Authentication is enabled, the risk indicators specified in the risk policy set up in the RSA Policy Management application and the VMware Identity Manager service configuration of adaptive authentication are used to determine the required authentication prompts.