Workspaceone Adfs Integration
JULY 2023
VMware Workspace ONE Access
Integrating VMware Workspace ONE Access with Active Directory Federation Services
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
© Copyright 2019-2023 VMware, Inc. All rights reserved.
VMware, Inc. 2
Contents
5 Configure the Claims Provider for the VMware Workspace ONE Access Relying Party Trust 55
6 Configure VMware Workspace ONE Access as the Default Claims Provider for an AD FS-federated Application 57
7 Troubleshooting 59
Unable to log in to VMware Workspace ONE Access 59
Error: "Contact your administrator" 60
Error: "Cannot update Identity Provider" 60
Error: "404.idp.not.found" 60
Unable to authenticate into Hub portal using AD FS 61
Unable to authenticate into AD FS-federated applications 61
Integrating VMware Workspace ONE Access with Active Directory Federation Services
Integrating VMware Workspace ONE with Active Directory Federation Services provides
information about integrating Active Directory Federation Services with VMware Workspace
ONE® Access™. It describes specific use cases and provides instructions on how to configure
Workspace ONE Access and Active Directory Federation Services to support those use cases.
Intended Audience
This information is intended for IT system administrators configuring Workspace ONE Access in
an existing Active Directory Federation Services environment.
Additional Information
- VMware documentation:
- Microsoft documentation:
Chapter 1 Workspace ONE Access Configuration Requirements
You must meet certain system requirements before beginning the Workspace ONE Access and
Active Directory Federation Services integration.
Components
The following components are required.
Note If your existing deployment syncs users to VMware Workspace ONE Access from
Workspace ONE UEM, the VMware Workspace ONE Access connector is not required. For
new deployments, use the VMware Workspace ONE Access connector to sync users from
Active Directory to VMware Workspace ONE Access.
- VMware Workspace ONE Access using VMware Workspace ONE Access connector (for new
deployments)
Note If your existing deployment syncs users to VMware Workspace ONE Access from
Workspace ONE UEM, you do not need to use the VMware Workspace ONE Access
connector to sync users.
Ensure that you sync the same users to all the environments.
Chapter 2 Overview of Workspace ONE Access and Active Directory Federation Services Integration
Integrating Workspace ONE Access with Active Directory Federation Services allows
organizations to manage access to enterprise applications and resources with conditional user
and device access policies.
VMware Workspace ONE Access and VMware Workspace ONE UEM are part of the Workspace
ONE platform. As the identity component of the Workspace ONE platform, VMware Workspace
ONE Access provides enterprise identity integration and web and mobile single sign-on (SSO)
services.
With the flexible identity policies of Workspace ONE Access and Active Directory Federation
Services, either identity provider can authenticate login requests depending on the scenario.
For example, you can configure Workspace ONE Access to authenticate users of mobile
devices, while Active Directory Federation Services continues to authenticate desktop users.
This flexibility gives you the benefits of Workspace ONE Access integration in key areas while
maintaining your existing Active Directory Federation Services workflow in other scenarios.
This guide provides step-by-step instructions on how to configure and test the use cases supported
by the Workspace ONE Access integration with Active Directory Federation Services. To perform
the integration, you integrate Workspace ONE Access, the identity component of the Workspace
ONE platform, with Active Directory Federation Services.
A claim typically consists of an Active Directory user attribute, such as the user principal name
(UPN) or email address. A security token bundles the set of claims about a particular user in the
form of a Security Assertion Markup Language (SAML) assertion.
2 The application or resource service provider (also called the relying party) redirects the
authentication request to the federated identity provider (also called the claims provider).
3 If needed, the user is prompted to enter authentication credentials into the claims provider's
sign-in portal.
4 After authenticating the user's identity, the claims provider issues the security token and
sends it back to the federated relying party.
5 Upon accepting the token as validation of the user's identity, the relying party grants the user
access to the application or resource.
The following table shows the parallels between the terminology used by AD FS and VMware
Workspace ONE Access.
AD FS Term | VMware Workspace ONE Access Term | Description
Claims Provider or Issuer | Identity Provider (IdP) | Partner in a federation that creates security tokens for users.
The following sections describe the main use cases supported by AD FS integration, including the
specific configuration procedures required to implement each use case. To realize the benefits
of all three use cases, perform an end-to-end setup that includes all the integration procedures
described in this guide.
To implement this use case, perform the procedures described in Chapter 3 Integrating AD FS as
a Federated Identity Provider for VMware Workspace ONE Access.
To implement this use case, perform the procedures described in the following topics:
For example, a device trust flow using Office 365 follows this sequence:
3 AD FS processes the incoming request and routes the user to VMware Workspace ONE
Access as a trusted claims provider.
4 As the identity component of the Workspace ONE platform, VMware Workspace ONE
Access challenges the user for authentication based on user access and device posture
policies.
5 VMware Workspace ONE Access performs authentication steps based on the device posture:
a If the device is managed and compliant with IT requirements, VMware Workspace ONE
Access authenticates the user.
b If the device is unmanaged but compliant with IT requirements, VMware Workspace ONE
Access enrolls the device and authenticates the user.
c If the device is not compliant with IT requirements, VMware Workspace ONE Access
blocks the user from accessing the Office 365 application.
6 Upon successful authentication with VMware Workspace ONE Access, the user is redirected
back to AD FS.
7 AD FS issues the SAML assertion for Office 365 and grants the user access to the application.
To implement this use case, perform the procedures described in the following topics:
Note Alternatively, you can configure Office 365 to authenticate directly with the VMware
Workspace ONE Access service, without using AD FS as an intermediary. For information on
configuring this alternative use case, see the Workspace ONE Access Integration with Office 365
guide.
2 Chapter 4 Integrating VMware Workspace ONE Access as a Federated Identity Provider for
AD FS
3 Chapter 5 Configure the Claims Provider for the VMware Workspace ONE Access Relying
Party Trust
This guide uses the following terminology to refer to the origin of an authentication request:
- An identity provider-initiated (IdP-initiated) flow occurs when the user attempts to log in to
an application from the Hub portal.
- A service provider-initiated (SP-initiated) flow occurs when the user attempts to log in to
an application directly from the application's sign-in portal (for example, portal.office.com for
Office 365).
Your configuration can support both IdP-initiated and SP-initiated authentication flows. To
support each type of authentication flow, you must configure certain settings, such as access
policies in VMware Workspace ONE Access.
Chapter 3 Integrating AD FS as a Federated Identity Provider for VMware Workspace ONE Access
With AD FS integrated as a trusted identity provider, end users can log in to the Hub portal with
their Active Directory credentials. To complete the integration, configure AD FS as an identity
provider for VMware Workspace ONE Access, and VMware Workspace ONE Access as a relying
party for AD FS.
Integrating AD FS as a federated identity provider for VMware Workspace ONE Access allows
you to implement Workspace ONE Intelligent Hub Login Using AD FS (see Main Use Cases). This
use case employs the following authentication flow.
2 As the identity component of the Workspace ONE platform, VMware Workspace ONE
Access redirects the authentication request to AD FS.
4 AD FS authenticates the user, and issues a security token containing the LDAP email address
attribute of the user.
5 VMware Workspace ONE Access accepts the SAML-formatted token from AD FS as the
trusted identity provider.
6 VMware Workspace ONE Access grants the user access to the Hub portal.
Procedure
4 Under the SAML Metadata section, next to Service Provider (SP) metadata, click the Copy
URL link to copy the SP metadata URL to the clipboard. Paste and save the URL in a text file
on your computer.
Prerequisites
- Download the federation metadata file for the AD FS server by navigating to the
URL: https://ADFSdomain/FederationMetadata/2007-06/FederationMetadata.xml where
ADFSdomain is replaced with the fully qualified domain name for your AD FS server.
- In the VMware Workspace ONE Access console, configure the access policies that you want
to use for the AD FS identity provider instance. For information about configuring access
policies, see the Managing Workspace ONE Access User Authentication Methods guide.
Procedure
1 Log in to the VMware Workspace ONE Access console with full administrator privileges.
Setting: Description
Identity Provider Name: Enter a short descriptive name for the AD FS identity provider instance.
SAML Metadata:
  a To establish trust with AD FS, add the federation metadata here. In the text box, copy and
  paste the contents of the AD FS federation metadata file that you obtained previously.
  b Click Process IdP Metadata. The Name ID format mappings are automatically imported from
  the AD FS metadata.
Users: Select the VMware Workspace ONE Access directories of the users that can authenticate
using AD FS.
Network: The existing network ranges configured in the service are listed. Select the network
ranges for the users, based on their IP addresses, that you want to direct to AD FS for
authentication.
Authentication Methods: To add an authentication method that you want AD FS to use, click
the green plus sign and enter the name of the method. Then select the SAML authentication
context class that supports the method. Configure the following authentication methods.
  - Forms-based authentication: For SAML Context, select
  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
  - Kerberos-based authentication: For SAML Context, select
  urn:federation:authentication:windows.
Single Sign-Out Configuration: Do not enable. Single sign-out configuration is not required for
the AD FS identity provider instance.
SAML Signing Certificate: To display the VMware Workspace ONE Access service provider
metadata in a browser window, click Service Provider (SP) Metadata. Copy and save the URL.
You need this URL later when you configure the Federation Service Properties in AD FS.
5 Click Add.
What to do next
For more information about configuring access policies and policy rules, see the Managing
Workspace ONE Access User Authentication Methods guide.
Prerequisites
Procedure
1 Log in to the VMware Workspace ONE Access console with full administrator privileges.
3 Select the access policy that you want to modify and click Edit.
4 Click Next.
5 On the Configuration page, click Add Policy Rule and create a rule for Windows 10 devices.
b Click Save.
The new policy rule appears as Kerberos-based authentication+1 in the rules list.
6 In the rules list, reorder the rules such that Kerberos-based authentication+1 appears at the
top of the list as the first rule to apply. To move the rule in the list, drag the handle at the left
of the rule name.
Results
You are now finished with configuring AD FS as a trusted identity provider for VMware
Workspace ONE Access. Next, you must configure VMware Workspace ONE Access as a trusted
relying party for AD FS.
What to do next
Perform the procedures described in Configuring VMware Workspace ONE Access as a Relying
Party for AD FS.
Prerequisites
Procedure
2 (AD FS 3.0) In the left pane, expand the Trust Relationships folder.
3 In the left pane, click Relying Party Trusts to highlight it. Then right-click Relying Party Trusts
and select Add Relying Party Trust from the menu.
5 On the Select Data Source page, select Import data about the relying party published online
or on a local network. In the text box, paste the URL of the VMware Workspace ONE Access
service provider metadata file that you obtained earlier. Then click Next.
6 On the Specify Display Name page, in the Display name text box, enter a name for the
VMware Workspace ONE Access service. In the Notes text box, enter a description of this
relying party trust. Then click Next.
In AD FS 3.0, the Multi-factor Authentication page appears. The Workspace ONE Intelligent
Hub integration does not require multi-factor authentication. Click Next.
7 Configure the appropriate setting to allow all users access to Workspace ONE Intelligent Hub
after VMware Workspace ONE Access receives the valid claims.
- (AD FS 4.0) On the Choose Access Control Policy page, select Permit everyone. Then
click Next.
- (AD FS 3.0) On the Choose Issuance Authorization Rules page, select Permit all users to
access this relying party. Then click Next.
8 On the Ready to Add Trust page, review your changes and then click Next.
9 On the Finish page, select the option to edit the claim rules or issuance policy after you close
the wizard.
- (AD FS 4.0) Select the Configure claims issuance policy for this application check box
and then click Close.
- (AD FS 3.0) Select the Open the Edit Claim Rules dialog for this relying party trust when
the wizard closes check box and then click Close.
The Edit Claim Issuance Policy window (AD FS 4.0) or Edit Claim Rules window (AD FS 3.0)
appears.
What to do next
You must configure two claim rules for VMware Workspace ONE Access as the relying party. The
first rule directs AD FS to look up the LDAP email address attribute for the requesting user and to
send this attribute as the claim. The second rule transforms this claim into the SAML-based email
address attribute expected by VMware Workspace ONE Access.
Prerequisites
Procedure
1 If needed, open the Edit Claim Issuance Policy window (AD FS 4.0) or Edit Claim Rules
window (AD FS 3.0) on the AD FS server by performing the following steps.
b (AD FS 3.0) In the left pane, expand the Trust Relationships folder.
d In the center pane, select the relying party trust that you created for VMware Workspace
ONE Access.
e In the right pane, click Edit Claim Issuance Policy (AD FS 4.0) or Edit Claim Rules (AD FS
3.0).
2 In the Edit Claim Issuance Policy window (AD FS 4.0) or Edit Claim Rules window (AD FS 3.0),
select the Issuance Transform Rules tab.
4 For Claim rule template, select Send LDAP Attributes as Claims. Then click Next.
Setting: Description
Claim rule name: Enter a descriptive name for the rule (for example, Get E-Mail Address
Attribute).
6 Click Finish.
7 Verify that the email address attribute rule appears in the list of claim rules.
Next, you add a second rule that transforms the email address attribute in the outgoing claim
to the SAML-based format expected by VMware Workspace ONE Access.
9 For Claim rule template, select Send Claims Using a Custom Rule. Then click Next.
- For Claim rule name, enter a descriptive name for the rule (for example, Transform
E-Mail Address).
- In the Custom rule text box, enter the following script, where {AccessTenant} at the end
of the script is replaced with the fully qualified domain name (FQDN) of the VMware
Workspace ONE Access service. This script uses the required syntax for custom rules.

issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "{AccessTenant}");

11 Click Finish.
12 Verify that both new rules appear in the rules list, with the custom transformation rule
appearing in the second position. Click Apply, and then click OK.
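As an added check (this script is not part of the VMware guide), the following Python code verifies what the two claim rules above are meant to produce in the SAML assertion AD FS sends to Workspace ONE Access: a NameID in the emailAddress format whose SPNameQualifier equals the Access tenant FQDN. The two sample assertions and the tenant name access.example.com are constructed for the example.

```python
"""Check the NameID that AD FS issues to Workspace ONE Access after the two claim rules.

Added example, not from the VMware guide. It parses a SAML 2.0 assertion and verifies
that Subject/NameID carries the emailAddress format and an SPNameQualifier equal to the
Access tenant FQDN, which is what the custom transform rule is configured to produce.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: the NameID shape AD FS issues once both rules are in place.
# "access.example.com" stands in for {AccessTenant}; it is not a real tenant.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2023-07-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                 SPNameQualifier="access.example.com">jdoe@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample of the failure mode: the transform rule was not applied, so the
# NameID keeps the unspecified format, carries no SPNameQualifier and is not an email.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed2" Version="2.0" IssueInstant="2023-07-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">EXAMPLE\\jdoe</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def extract_name_id(assertion_xml: str) -> dict:
    """Return the NameID value, Format and SPNameQualifier from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return {}
    return {
        "value": (name_id.text or "").strip(),
        "format": name_id.get("Format", ""),
        "sp_name_qualifier": name_id.get("SPNameQualifier", ""),
    }


def check_name_id(assertion_xml: str, access_tenant: str) -> list:
    """Return the list of mismatches between the NameID and what Access expects.

    An empty list means the claim rules produced a NameID that Workspace ONE Access
    can map to a synced user by email address.
    """
    info = extract_name_id(assertion_xml)
    if not info:
        return ["assertion has no Subject/NameID"]
    problems = []
    if info["format"] != EMAIL_FORMAT:
        problems.append(f"NameID format is {info['format'] or '(none)'}, expected {EMAIL_FORMAT}")
    if info["sp_name_qualifier"] != access_tenant:
        problems.append(
            f"SPNameQualifier is {info['sp_name_qualifier'] or '(none)'}, expected {access_tenant}"
        )
    if "@" not in info["value"]:
        problems.append(f"NameID value {info['value']!r} is not an email address")
    return problems


if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_name_id(xml, "access.example.com") or "OK")
```

Paste the decoded assertion from a SAML trace of a failed Hub portal login in place of the constructed samples to see which of the three expectations the AD FS rules are not meeting.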
Results
This procedure concludes the integration of AD FS as a federated identity provider for VMware
Workspace ONE Access.
What to do next
Prerequisites
Procedure
2 Enter the Active Directory credentials of a test user, and verify that the user can successfully
access the Hub portal based on those credentials.
Note If the test login fails, you can reaccess the VMware Workspace ONE Access console
by navigating to https://{Accesstenant}/SAAS/login/0, where {Accesstenant} is the fully
qualified domain name of the VMware Workspace ONE Access tenant.
Chapter 4 Integrating VMware Workspace ONE Access as a Federated Identity Provider for AD FS
To perform the integration, you first configure VMware Workspace ONE Access as a federated
identity provider (or claims provider) for AD FS. Then you configure AD FS as a service provider
for VMware Workspace ONE Access.
Integrating VMware Workspace ONE Access as a federated identity provider allows you to
implement the Mobile Device Trust and Unified Application Catalog use cases (see Main Use
Cases).
Procedure
1 Log in to the VMware Workspace ONE Access console with full administrator privileges.
4 Under the SAML Metadata section, click the Identity Provider (IdP) metadata link to open a
new window displaying the contents of the SAML metadata .xml file. Right-click in the window
and select Save as to save the contents to a .xml file on your computer.
What to do next
Prerequisites
- Verify the federation between AD FS and the application that you want to authenticate
through the VMware Workspace ONE Access service. Verify that AD FS successfully
authenticates users logging into the application through a web browser.
Procedure
2 (AD FS 3.0) In the left pane, expand the Trust Relationships folder.
3 In the left pane, click Claims Provider Trusts to highlight it. Then right-click Claims Provider
Trusts and select Add Claims Provider Trust from the menu.
4 Click Start.
5 On the Select Data Source page, import the IdP metadata file that you downloaded from
VMware Workspace ONE Access.
b Click Browse, and navigate to the VMware Workspace ONE Access IdP metadata file. To
import the metadata file, click Open.
6 On the Specify Display Name page, in the Display name text box, enter a name for the
VMware Workspace ONE Access relying party. Use a name that is recognizable to users who
might need to select VMware Workspace ONE Access as the authentication option during
the login process. Then click Next.
7 On the Ready to Add Trust page, review your changes and then click Next.
8 On the Finish page, select the Open the Edit Claim Rules dialog for this claims provider trust
when the wizard closes check box. Then click Close.
What to do next
VMware Workspace ONE Access sends the Name ID user attribute as an authentication claim
to AD FS. This attribute takes the form domain\samAccountName in the SAML assertion
issued by VMware Workspace ONE Access. However, AD FS expects instead a value of type
WindowsAccountName formatted as domain\user. AD FS also expects to see Active Directory
named as the issuer of this value.
The solution is to configure a claim rule that transforms the Name ID attribute into
WindowsAccountName format and changes the named issuer from VMware Workspace ONE
Access to Active Directory. AD FS can then recognize and consume the incoming claim from
VMware Workspace ONE Access.
Prerequisites
Procedure
1 If needed, open the Edit Claim Rules window on the AD FS server by performing the following
steps.
b (AD FS 3.0) In the left pane, expand the Trust Relationships folder.
d In the center pane, select the claims provider trust that you created for VMware
Workspace ONE Access.
3 For Claim rule template, select Send Claims Using a Custom Rule. Then click Next.
The Configure Rule page appears. You can now create a rule that transforms the incoming
Name ID attribute into the WindowsAccountName value formatted as domain\user. The rule
also names Active Directory as the issuer of this value.
a For Claim rule name, enter a descriptive name for the rule.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
5 Click Finish.
6 In the Edit Claim Rules window, verify that the custom rule you created appears in the list.
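The transformation this claims provider rule performs can be modelled outside AD FS to confirm that the claim set AD FS receives from Access is what the rule expects. The following Python is an added example, not code from the VMware guide or from AD FS: it applies the rule's condition (a nameidentifier claim in the unspecified format), checks that the value really is domain\user, and emits the WindowsAccountName claim with Active Directory named as issuer. The issuer string "AD AUTHORITY" and the windowsaccountname claim type URI are the values AD FS uses for its built-in Active Directory claims provider and are assumptions here; the sample claims are constructed.

```python
"""Model the claim rule AD FS needs for the Workspace ONE Access claims provider trust.

Added example, not from the VMware guide or AD FS. An acceptance transform rule on a
claims provider trust forwards only the claims that a rule issues, so apply_rule()
returns the issued claims and drops everything the condition does not match.
"""
import re

NAME_ID_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
FORMAT_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
WINDOWS_ACCOUNT_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
AD_ISSUER = "AD AUTHORITY"  # assumed issuer name of the Active Directory claims provider
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"

# domain\sAMAccountName: a NetBIOS domain, exactly one backslash, then the account name.
DOMAIN_USER_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")

# Constructed sample: the Name ID claim Workspace ONE Access sends (issuer is a placeholder).
SAMPLE_NAME_ID_CLAIM = {
    "type": NAME_ID_TYPE,
    "value": "EXAMPLE\\jdoe",
    "value_type": XSD_STRING,
    "issuer": "https://access.example.com/",
    "original_issuer": "https://access.example.com/",
    "properties": {FORMAT_PROP: UNSPECIFIED},
}

# Constructed sample that the rule condition must NOT match (wrong Name ID format).
EMAIL_CLAIM = dict(SAMPLE_NAME_ID_CLAIM, value="jdoe@example.com",
                   properties={FORMAT_PROP: EMAIL_FORMAT})


def matches_condition(claim: dict) -> bool:
    """True if the claim is the unspecified-format Name ID that Access sends."""
    return (
        claim.get("type") == NAME_ID_TYPE
        and claim.get("properties", {}).get(FORMAT_PROP) == UNSPECIFIED
    )


def transform_name_id(claim: dict) -> dict:
    """Issue the WindowsAccountName claim from a matching Name ID claim.

    Raises ValueError when the value is not domain\\user, because downstream AD FS rules
    keyed on WindowsAccountName would not resolve such a value to an AD user.
    """
    if not matches_condition(claim):
        raise ValueError("claim does not match the rule condition")
    value = claim.get("value", "")
    if not DOMAIN_USER_RE.match(value):
        raise ValueError(f"Name ID value {value!r} is not in domain\\user form")
    return {
        "type": WINDOWS_ACCOUNT_TYPE,
        "value": value,
        "value_type": claim.get("value_type", XSD_STRING),
        "issuer": AD_ISSUER,
        "original_issuer": claim.get("original_issuer", claim.get("issuer", "")),
    }


def apply_rule(claims: list) -> list:
    """Run the rule over an incoming claim set and return only the claims it issues."""
    return [transform_name_id(c) for c in claims if matches_condition(c)]


if __name__ == "__main__":
    for issued in apply_rule([SAMPLE_NAME_ID_CLAIM, EMAIL_CLAIM]):
        print(issued)
```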
What to do next
Prerequisites
Download the federation metadata file for the AD FS server by navigating to the URL:
https://{ADFSdomain}/FederationMetadata/2007-06/FederationMetadata.xml where
{ADFSdomain} is replaced with the fully qualified domain name (FQDN) of your AD FS server.
Procedure
1 Log in to the VMware Workspace ONE Access console with full administrator privileges.
3 Click Settings.
6 On the Definition page of the ADFS Application Source wizard, click Next.
b In the URL/XML text box, copy and paste the contents of the federation metadata file
that you downloaded previously from the AD FS server.
8 Click Next.
9 On the Access Policies page, select the access policy that you want to use for the AD FS
application source.
For more information about access policies, see the Managing Workspace ONE Access User
Authentication Methods guide.
10 Click Next, review your selections, and click Save.
Saving the setup at this stage allows VMware Workspace ONE Access to import
configuration settings from the AD FS metadata.
11 On the Application Sources page, click ADFS again. Then click Next.
Some settings on the Configuration page now contain values imported from the AD FS
metadata.
12 On the Configuration page, modify the following settings. Accept the default values for all
other settings.
13 Expand the Advanced Properties section and configure the following settings.
14 Click Next, and click Next again to advance to the Summary page. Then click Save.
What to do next
Prerequisites
Procedure
1 Log in to the VMware Workspace ONE Access console with full administrator privileges.
What to do next
Use the following procedure to test the SP-initiated authentication flow with an AD FS-federated
application. For more information about authentication flows, see IdP-initiated and SP-Initiated
Authentication Flows.
Prerequisites
Procedure
1 Open a private browsing session (a good practice when testing federated authentication) on
your computer browser.
2 Navigate to the login portal for an AD FS-federated application (for example,
https://login.microsoftonline.com for Office 365).
Verify that the application portal redirects you to the AD FS Home Realm Discovery page,
which presents VMware Workspace ONE Access as an authentication option.
Note The VMware Workspace ONE Access authentication option uses the Display Name
that you specified during the Claims Provider configuration. For more information, see Add
VMware Workspace ONE Access as a Claims Provider for AD FS.
Verify that AD FS redirects you to the Workspace ONE Intelligent Hub login page.
Verify that VMware Workspace ONE Access successfully authenticates you into the
application portal.
What to do next
For more information about authentication flows, see IdP-initiated and SP-Initiated Authentication
Flows.
Without the RelayState parameter enabled, users can click an AD FS-federated application in the
Hub portal and authenticate into AD FS through VMware Workspace ONE Access. However, they
are not further redirected to the application portal.
3 AD FS accepts the authentication response and redirects the user to the application portal
specified by the RelayState value.
For more information about IdP-initiated authentication flows, see IdP-initiated and SP-Initiated
Authentication Flows. For more information about RelayState support in AD FS, see the following
links:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj127245(v=ws.10)
- http://www.expta.com/2014/11/how-to-enable-relaystate-in-adfs-20-and.html
- https://s4erka.wordpress.com/2018/01/24/relaystate-support-for-adfs-2016-in-the-mixed-mode-adfs-farm/
Prerequisites
Procedure
What to do next
Prerequisites
Procedure
2 (AD FS 3.0) In the left pane, expand the Trust Relationships folder.
4 In the Relying Party Trusts list, locate the name of the AD FS-federated application that you
want to add to the catalog. Note the relying party identifier that appears in the Identifier
column for the application.
What to do next
Prerequisites
Procedure
1 Log in to the VMware Workspace ONE Access console with full administrator privileges.
3 Click New.
4 On the New SaaS Application Definition page, enter the following information.
Option: Description
Category: (Optional) To add the application to a category, select it from the drop-down menu.
5 Click Next.
Option: Description
Target URL: Enter the URL of the application in this format: RPID={AppIdentifier},
where {AppIdentifier} is replaced with the application's relying party
identifier that you obtained previously from the AD FS Management console.
7 Click Next.
8 On the Access Policies page, select the access policy that you want to use for the application,
and then click Next.
For more information about access policies, see the Managing Workspace ONE Access User
Authentication Methods guide.
9 Review your selections and click Save, or click Save & Assign to assign the application to
users and groups.
If you do not assign the application to any users and groups now, you can do so later by
selecting the application on the Catalog > Web Apps page and clicking Assign.
11 Repeat this procedure for each application that you want to add to the Workspace ONE
Intelligent Hub catalog.
What to do next
Using a test user account, navigate to your organization's Hub portal. From the application
catalog, issue an IdP-initiated authentication request by opening the target AD FS-federated
application. Verify that you are successfully redirected to the application's login portal.
For more information about IdP-initiated authentication flows, see IdP-initiated and SP-Initiated
Authentication Flows.
to authenticate desktop users and route mobile users to VMware Workspace ONE Access for
authentication.
Use the following procedure to implement Mobile Device Trust (see Main Use Cases). With
this use case, you gain the unique mobile device management features provided by VMware
Workspace ONE Access with Workspace ONE UEM. Desktop users can continue to use the
existing AD FS authentication workflow to which they are accustomed.
This use case applies to users who log in directly to an AD FS-federated application through
the application portal (for example, portal.office.com for Office 365). When a user starts an
SP-initiated flow in this way, AD FS routes the authentication request to the appropriate identity
provider based on the user's device type.
- If the user logs in from a desktop computer, AD FS handles the authentication request as the
identity provider. The login experience remains unchanged for desktop users, as they sign in
to the application using their familiar AD FS credentials.
- If the user logs in from a mobile device, AD FS forwards the authentication request to
VMware Workspace ONE Access as the trusted identity provider (or claims provider).
VMware Workspace ONE Access validates the user's credentials, and Workspace ONE UEM
manages the user's access to the application based on the device posture policies in effect.
Note The following procedure uses an AD FS Web Theme to run the HRD page, which contains
the mobile redirect code. If your Relying Party contains only a single Claims Provider, the HRD
page (and thus code) does not run.
For more information about SP-initiated authentication flows, see IdP-initiated and SP-Initiated
Authentication Flows.
Prerequisites
Procedure
mkdir c:\myscripts
The Export cmdlet creates an onload.js file in the c:\myscripts\script folder. To specify
the authentication option based on the type of user device, you modify this JavaScript file.
Placeholder Value   Replacement Value for AD FS 4.0                                   Replacement Value for AD FS 3.0
{AccessTenant}      Fully qualified domain name (FQDN) of the VMware Workspace ONE     FQDN of the VMware Workspace ONE Access service
                    Access service
This code designates the VMware Workspace ONE Access service as the authentication
option for users logging in from a mobile device. It designates AD FS as the authentication
option for users logging in from all other devices. It also instructs AD FS to route
authentication requests automatically without prompting the user for action.
Note Beginning with iOS 13 on Apple iPad devices, the default user agent is macOS instead
of iPad. All services that rely on user agent information to determine the type of device must
be updated. This JavaScript code includes the extra logic to account for Apple's current iOS
products, including iPadOS. Apple can change the behavior covered by the "ADDITIONAL LOGIC for
iPadOS and iOS 13 iPad DEVICES" section in future releases. If the behavior is changed, this
script might need to be modified to reflect the change.
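The routing decision described above, as an added example that is not the onload.js produced by this procedure and not VMware's or Microsoft's code: mobile devices are routed to Workspace ONE Access, every other device stays with AD FS, the selection happens without prompting the user, and a Macintosh user agent with a multi-touch screen is treated as an iPad (the iPadOS case from the Note). The decision is written as a pure function so it can be exercised offline against constructed user agents; a real onload.js would only need to call runHomeRealmDiscovery(window). Assumptions: the claims provider identifier for Workspace ONE Access is shown as the placeholder {WORKSPACE ONE ACCESS CLAIMS PROVIDER} (take the real identifier from the AD FS Management console), "AD AUTHORITY" is assumed to be the identifier the AD FS sign-in page uses for the local Active Directory claims provider, HRD.selection(id) is the sign-in page API that selects a claims provider, and the user agent strings are constructed samples.

```javascript
// Added example (not the page's onload.js): home realm discovery routing by device type.

// Claims provider identifiers. Both are assumptions for this example; confirm the real values
// in the AD FS Management console before using anything like this in a web theme.
const WS1_ACCESS_CLAIMS_PROVIDER = "{WORKSPACE ONE ACCESS CLAIMS PROVIDER}"; // placeholder
const ADFS_CLAIMS_PROVIDER = "AD AUTHORITY"; // assumed identifier of the local Active Directory claims provider

// Constructed sample devices for the offline run; not captured from any real client.
const SAMPLE_DEVICES = {
  iphone:         { ua: "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148", touch: 5 },
  android:        { ua: "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/110.0 Mobile Safari/537.36", touch: 5 },
  ipadOS13:       { ua: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 Version/13.0 Safari/605.1.15", touch: 5 },
  macDesktop:     { ua: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/16.0 Safari/605.1.15", touch: 0 },
  windowsDesktop: { ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/110.0 Safari/537.36", touch: 0 },
};

// True when the request comes from a mobile device.
function isMobileDevice(userAgent, maxTouchPoints) {
  if (/iPhone|iPod|iPad|Android|Windows Phone/i.test(userAgent)) {
    return true;
  }
  // ADDITIONAL LOGIC for iPadOS and iOS 13 iPad devices: Safari on iPad presents a Macintosh
  // user agent by default, so a "Mac" reporting a multi-touch screen is treated as an iPad.
  if (/Macintosh/i.test(userAgent) && maxTouchPoints > 1) {
    return true;
  }
  return false;
}

// Mobile devices authenticate at Workspace ONE Access; everything else stays with AD FS.
function chooseClaimsProvider(userAgent, maxTouchPoints) {
  return isMobileDevice(userAgent, maxTouchPoints)
    ? WS1_ACCESS_CLAIMS_PROVIDER
    : ADFS_CLAIMS_PROVIDER;
}

// onload.js entry point. AD FS renders the HRD page (and its HRD object) only when the relying
// party has more than one claims provider, which is why the Note above says the code does not
// run for a single-claims-provider relying party. Returns the selected identifier, or null when
// there was no HRD page to act on.
function runHomeRealmDiscovery(win) {
  if (!win || !win.HRD || typeof win.HRD.selection !== "function") {
    return null;
  }
  const nav = win.navigator || {};
  const selected = chooseClaimsProvider(nav.userAgent || "", nav.maxTouchPoints || 0);
  win.HRD.selection(selected); // selects the provider immediately, no user prompt
  return selected;
}

// Offline run: where each constructed device would be routed.
function routingTable() {
  const table = {};
  for (const [name, dev] of Object.entries(SAMPLE_DEVICES)) {
    table[name] = chooseClaimsProvider(dev.ua, dev.touch);
  }
  return table;
}

if (typeof window !== "undefined") {
  runHomeRealmDiscovery(window); // in a browser: act on the real HRD page
} else {
  console.log(routingTable()); // in node: print the routing decisions
}
```

The touch-point check is the part most likely to need maintenance: it exists only because the iPad user agent no longer identifies the device, so if Apple changes that behavior again the regex and the maxTouchPoints threshold are the two places to revisit.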
6 Put the updated onload.js file in the c:\myscripts\script folder, overwriting the old file.
Next, you customize the AD FS login page by creating an AD FS web theme that references
the updated onload.js file.
Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName "Microsoft Office 365 Identity Platform" -SourceWebThemeName "WS1ACCESS"
Restart-Service adfssrv
Note If you want to revert to the default AD FS web theme, enter this cmdlet:
5 Configure the Claims Provider for the VMware Workspace ONE Access Relying Party Trust
When setting up an end-to-end integration to cover all main use cases, you must specify Active
Directory as the sole claims provider for the VMware Workspace ONE Access relying party trust.
This claims provider configuration is required to prevent an authentication loop from occurring
between AD FS and VMware Workspace ONE Access.
Use the following procedure to specify Active Directory as the sole claims provider for the
VMware Workspace ONE Access relying party trust. After you complete the configuration,
authentication requests will follow this flow:
4 Since Active Directory is the sole claims provider specified for the relying party trust, the flow
concludes with AD FS as the final authentication authority.
For more information about setting up an end-to-end integration, see Main Use Cases.
Prerequisites
- Chapter 4 Integrating VMware Workspace ONE Access as a Federated Identity Provider for
AD FS
Procedure
Replace {WORKSPACE ONE ACCESS RELYING PARTY} with the name of the relying party
trust that you configured for VMware Workspace ONE Access. Use the name as it appears in
the AD FS Management console.
6 Configure VMware Workspace ONE Access as the Default Claims Provider for an AD FS-federated Application
This optional topic explains how to configure VMware Workspace ONE Access as the default
claims provider for an AD FS-federated application.
Note Do not perform the following procedure if you want to implement the Mobile Device
Management use case. Instead, perform the procedure described in Redirect Mobile Users to
VMware Workspace ONE Access for Authentication.
Prerequisites
Procedure
- Replace {RP_app} with the name of the relying party trust corresponding to the target
application.
- Replace {WORKSPACE ONE ACCESS CLAIMS PROVIDER} with the name of the claims
provider trust that you configured for VMware Workspace ONE Access.
Use the names of the relying party trust and claims provider trust as they appear in the AD
FS Management console.
Results
Since VMware Workspace ONE Access is the sole claims provider specified in the cmdlet,
all authentication requests for the designated relying party trust are redirected to VMware
Workspace ONE Access. This configuration eliminates the user’s choice to authenticate with the
AD FS authentication policies.
What to do next
For information about more customization options on the AD FS sign-in page, see the following
link: https://technet.microsoft.com/en-us/library/dn280950.aspx
7 Troubleshooting
To troubleshoot issues you might encounter with the VMware Workspace ONE Access and AD
FS integration, look up symptoms and error messages.
For more help with investigating and troubleshooting login issues, see the following resources.
- The VMware Workspace ONE Access Audit Events report. This report lists the events related
to user logins, including the authentication methods used to log in. To run this report, log in to
the VMware Workspace ONE Access console with full administrator privileges. Then navigate
to Dashboard > Reports > Audit Events, and click Show.
- Error: "404.idp.not.found"
Problem
You cannot log in to VMware Workspace ONE Access from the login page.
Cause
Solution
Problem
User is unable to log in and receives the error Contact your administrator.
Cause
When integrating with AD FS, the VMware Workspace ONE Access signing certificate URL was
specified as a URL or as XML information.
When AD FS is configured with the VMware Workspace ONE Access signing certificate URL, the
XML file is downloaded for every user login request. If the XML download fails once, this blocks
further login attempts and breaks the IDP integration.
Solution
- Download the VMware Workspace ONE Access signing certificate XML file, and copy and
paste the content directly into the appropriate AD FS certificate page.
Problem
In the VMware Workspace ONE Access console, after editing the AD FS identity provider to add
or update an authentication method, you receive the error Cannot update Identity Provider.
Cause
When adding or updating a SAML context rule, the SAML context name must be unique in your
VMware Workspace ONE Access tenant. Authentication methods for the AD FS identity provider
are not deleted when you click Save.
Solution
- Provide a new authentication method name. This name must be unique in your tenant.
Note Authentication methods you add here can be deleted only through the REST API. To
avoid issues with repetitive authentication methods, use a consistent naming convention to
remember the last authentication method that you created. For example, use a date in the
authentication method name: Password092116.
Error: "404.idp.not.found"
Problem
When attempting a login to the Hub portal using AD FS as the identity provider, the user
encounters the error 404.idp.not.found.
Cause
When testing, the name of the authentication method is not removed from an access policy
rule when changing the rule’s configuration. This error occurs when the policy selects an old
authentication method or an authentication method of a disabled identity provider. The error also
occurs when the AirWatch Cloud Connection password authentication method is selected but
not enabled in VMware Workspace ONE Access and the AirWatch pages.
Solution
- In the access policy rule, select an authentication method that is active and current.
Problem
When logging in, users cannot advance past the Workspace ONE Intelligent Hub sign-in page.
Cause
The VMware Workspace ONE Access relying party trust does not have Active Directory
designated as its sole claims provider. The missing claims provider designation results in an
authentication loop between AD FS and VMware Workspace ONE Access.
Solution
- Perform the procedures described in Chapter 5 Configure the Claims Provider for the
VMware Workspace ONE Access Relying Party Trust.
Problem
You cannot authenticate into AD FS-federated applications using VMware Workspace ONE
Access as the identity provider.
Cause
- The value or format provided in the claim issued by VMware Workspace ONE Access does
not match the value or format expected by AD FS.
- The RelayState parameter is not enabled, or the relying party identifier is not configured for
the application.
Solution
- A successful IdP-initiated login indicates that trust and authentication endpoints have
been configured correctly in both AD FS and VMware Workspace ONE Access. Proceed
to step 2.
- If the IdP-initiated login fails, check and redo all the configuration procedures described in
Chapter 4 Integrating VMware Workspace ONE Access as a Federated Identity Provider
for AD FS.
Most errors indicate a mismatch between the value or format provided by VMware
Workspace ONE Access and what is expected by the AD FS server. Check and redo the
procedure described in Configure Claim Rules for the Claims Provider Trust.