Lately a lot has been written about the EOL of VMware Verify.
But… what if you are already used to Imprivata and maybe have the Confirm ID for remote access licenses around? Can we use this instead? Yes, you can! How? By connecting to Imprivata with RADIUS.
Is this new? Nope… they even call this the legacy experience. But sometimes legacy is just what you need, so he ho, let's go!
Of course, as an alternative to this you can use the VMware Authenticator or Intelligent Hub MFA.
A couple of months ago I blogged about how to implement the Authenticator App:
The User Login Experience:
First the enrollment:
1. User logs in to the desktop in the office, or remotely with another MFA solution (the EOL Verify, maybe?)
2. User gets prompted to enroll ImprivataID within the session
3. User installs the app from the App Store
4. User registers Imprivata ID
The actual login:
When the default access policy is changed to RADIUS,
5. User browses to VMware Access
6. Enters credentials and ImprivataID (or receives a push notification)
7. Selects the virtual desktop or app they want to start
8. The Horizon Client will single sign-on into the remote session
The Technical Flow:
The following assumptions are used in this flow:
- Workspace ONE Access SaaS (although this should not matter)
- Horizon on-premises in Workspace ONE mode
- Users are Active Directory managed
1. User browses to VMware Access and logs in
2. Access will initiate validation through the VMware Access Connector
3. Windows credentials are validated (either WIA or LDAPS)
4. RADIUS request to Imprivata
5. Depending on the input, a connection will be made to Imprivata Cloud services (or the entered code will be validated; more about this later on)
6. A push notification will be sent to the mobile phone of the end user
7. At this stage the user is logged in and the desktop or remote app will be selected. The Horizon Client will initiate a connection to Unified Access Gateway
8. Unified Access Gateway will reverse proxy the connection to the VMware Horizon Connection Server
9. The Connection Server will request and validate the access token, since the VMware Horizon Connection Servers are in an SP/IdP relationship (Workspace ONE mode).
10. Because no password is supplied to the Connection Server (SAML carries no password), the Connection Server will request an SSO certificate from the Enrollment Server. We do want SSO, right?
11. The Enrollment Server will request a user certificate from the designated Active Directory Certificate Server (usually installed on the Enrollment Server itself, but that is not required)
12. The certificate is presented to the OS of the endpoint
13. The user certificate is validated against Active Directory
14. The Horizon Client initiates a session to Unified Access Gateway
15. Unified Access Gateway sets up the session protocol to the endpoint
16. And when the user is logged in, the Imprivata OneSign Agent will log the user in so Imprivata can do its SSON magic when needed for the legacy apps
How do I configure this?
First things first… check if you have the license in Imprivata
Check for the Confirm ID for Remote Access:
Now that we have confirmed the licenses, check if the cloud connection has been made
When you get this one… you need to set this up. Hook up with your Imprivata services associate; he or she will get you the provisioning codes.
A quicker way to see if this is configured is to check the connection on the main dashboard (top right): if Cloud Connection is not there, it's not configured.
Cool, let's set up the RADIUS connection!
We need to let Imprivata trust the RADIUS requests from the connectors.
Go to Applications and Remote access integrations
Select “add new integration” in the “VMware” box (you can actually click any box since it's just RADIUS, but once configured the vendor will be shown, and since we use this with VMware Access even I get a little OCD when it says another vendor 😉)
Anyone who has used RADIUS before should recognize the fields below
1. Enter a display name (I used the name of the Access connector)
2. The FQDN or IP address of the Access connector
3. Make up or generate a unique encryption key (this is the RADIUS shared secret) and note it down
When done click save!
Repeat above steps for the second Access connector if you have one.
Now switch to the VMware Access management console
Go to
1. Integrations
2. Connection Authentication Methods
3. Click NEW
4. Select RADIUS
Select the Access connectors that will be used for RADIUS
Next is a scrolling window, so depending on your screen size the content you see might vary. Mind the fields I marked:
1. Number of times the user can try again
2. Custom message as a hint to the user what to type in; I entered “enter PUSH or ImprivataID”. This is kind of a strange message, but hang on! I will explain later!
3. Make sure “Enable direct authentication to RADIUS server” is set to NO
4. Server timeout: minimum 30 seconds. Users may need some time to approve the push or enter the ImprivataID
5. Enter the FQDN or IP Address of your first Imprivata Appliance
6. Enter 1813 for the accounting port
7. Set the authentication type to PAP.
8. Enter the shared secret you noted down earlier
Scroll down to enter the rest (only if you have multiple RADIUS servers):
1. Enable secondary
2. Number of times the user can try against this RADIUS server (I suggest keeping it the same)
3. Make sure “Enable direct authentication to RADIUS server” is set to NO
4. Server timeout: minimum 30 seconds. Users still may need some time to approve the push or enter the ImprivataID
5. Enter the FQDN or IP Address of your second Imprivata Appliance
6. Enter 1813 for the accounting port
7. Set the authentication type to PAP.
8. Enter the shared secret you noted down earlier when creating the second RADIUS client in Imprivata
Now the VMware Access Connectors and Imprivata Appliances trust each other, and when both Access Connectors and Appliances are configured they are highly available too!
Little remark: the connection from the Connectors to the Appliances is active/passive, so it will always try the first one and only switch over to the secondary when that fails.
Are we done now? Nope! A couple of steps left
We're going to bounce a little between VMware Access and Imprivata
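To make the RADIUS hop between the Access Connector and the Imprivata Appliance concrete, here is an added Python example (not code from this post, nor from VMware or Imprivata) that builds the PAP Access-Request the connector sends, hides the User-Password attribute (which carries “PUSH” or the ImprivataID code) with the shared secret as RFC 2865 prescribes, builds the Accept/Reject the server answers with, and checks its Response Authenticator. The username, shared secret and NAS identifier are constructed values.

```python
"""RADIUS (RFC 2865) PAP Access-Request / Access-Accept exchange, shared-secret protection only."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def pap_decrypt(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse: recovers what the user typed ('PUSH' or the ImprivataID code)."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]          # keystream chains on the *cipher* block
    return out.rstrip(b"\x00")

def attr(type_: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(ident, secret, username, password, nas_id, authenticator=b""):
    """Client side (the Access Connector): Code=1 plus a random 16-byte Request Authenticator."""
    auth = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, auth))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: only trust an Accept/Reject whose authenticator was made with our secret."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return reply[4:20] == expected
```

The password hiding is only an MD5 keystream XOR under the shared secret, which is why the encryption key you generated in Imprivata should be long and unique per connector: with it, the OTP or “PUSH” is recoverable from a captured packet, and without it the connector cannot tell a genuine Access-Accept from a forged one.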
VMware Access:
Before you can use this in your Access policies you need to enable this RADIUS authentication method in your IdP. So edit the IdP and check the box behind RADIUS.
Imprivata:
Hop to Users and then Workflow Policy
Edit the Remote access workflow; under select authentication methods only enable ImprivataID
Next, enter the following fields
1. Enter a fancy descriptive name
2. Username and password (so when the user wants to enroll ImprivataID at least username and password are requested)
3. In the Imprivata Agent Only
4. We need to associate the user policy. You don't actually need to create a separate user policy for these settings.
You can if you want to use ImprivataID as an alternative to, let's say, the Proximity Card MFA (but that's out of scope here), OR if you only want to allow a limited set of users to use ConfirmID for remote access, maybe because of limited licenses. Then you can create an alternate user policy and assign selected users.
I chose the default user policy since it's the only one I have in my lab, besides some fiddle-diddle policies…
At this stage the next step might depend on your migration strategy; think this through, you don't want to lock out the external users. Since this is my lab I don't care about that.
Enroll ImprivataID to the user:
First ask the user to install the ImprivataID app on their mobile device from the app store of their respective platform, like the Apple store or Google Play Store.
Next, let them log in to a client with the Imprivata Agent installed (in this case a virtual desktop)
Depending on the setting you configured, the user will get a popup to register the verification method
In this case I do it manually: right-click the Imprivata Agent in the taskbar and click “Enroll Authentication Methods”
The user will be asked for their credentials
Click Enroll Imprivata ID
The user just needs to enter the serial number and token code shown in the ImprivataID app once installed and click “Submit”
And that’s it!
Now let's enable this kitten for the login!
VMware Access:
Now enable RADIUS in the desired Access policy
To the test!
Open a browser to VMware Access and enter credentials:
And now, finally, the answer to the kind of strange message entered earlier 😊
In the next field you can manually enter the ImprivataID (just type over the ID shown in the app on the mobile phone) OR just type in PUSH to receive the push notification on your phone.
And you are in!
Conclusion:
- It works and it’s fast!
- In this example I used “ConfirmID for remote access”, but any RADIUS solution can be configured. This blog might give you a start in the right direction.
- The only thing I don't like is the manual entry of “push” to receive a push notification. This is a VMware Access limitation, though. There are customizations available, for example when you use ConfirmID for remote access on the Citrix ADC with rewrites, so you get a nice little menu. Not possible on Access besides the little custom message.
Any questions or remarks? Please don't hesitate to contact me!