Integrating VMware Workspace ONE Access with Active Directory Federation Services

JULY 2023
VMware Workspace ONE Access

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2019-2023 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 2
Contents

Integrating VMware Workspace ONE Access with Active Directory Federation Services 5

1 Workspace ONE Access Configuration Requirements 6

2 Overview of Workspace ONE Access and Active Directory Federation Services Integration 8
   About Active Directory Federation Services and Claims-Based Authentication 9
   Main Use Cases 10
   IdP-initiated and SP-Initiated Authentication Flows 12

3 Integrating AD FS as a Federated Identity Provider for VMware Workspace ONE Access 14
   Obtain the VMware Workspace ONE Access SP Metadata 15
   Configuring AD FS as a Trusted Identity Provider for VMware Workspace ONE Access 16
      Add AD FS as an Identity Provider in the Service 16
      Add AD FS Authentication Methods to Access Policy Rules 18
   Configuring VMware Workspace ONE Access as a Relying Party for AD FS 20
      Add VMware Workspace ONE Access as a Relying Party for AD FS 20
      Configure Claim Rules for the Relying Party Trust 23
   Test the Workspace ONE Intelligent Hub Login with AD FS Authentication 27

4 Integrating VMware Workspace ONE Access as a Federated Identity Provider for AD FS 29
   Creating a VMware Workspace ONE Access Claims Provider Trust in AD FS 29
      Download the VMware Workspace ONE Access IdP Metadata 29
      Add VMware Workspace ONE Access as a Claims Provider for AD FS 30
      Configure Claim Rules for the Claims Provider Trust 33
   Configuring AD FS as a Service Provider for VMware Workspace ONE Access 38
      Add AD FS as an Application Source in VMware Workspace ONE Access 39
      Assign the AD FS Application Source to All Users 41
   Test the VMware Workspace ONE Access Authentication 42
   Integrating AD FS-federated Applications With Workspace ONE Intelligent Hub 45
      Enable the RelayState Parameter in AD FS 45
      Obtain the Relying Party Identifier for an AD FS-federated Application 46
      Add an AD FS-federated Application to the Workspace ONE Intelligent Hub Catalog 47
      Redirect Mobile Users to VMware Workspace ONE Access for Authentication 49

5 Configure the Claims Provider for the VMware Workspace ONE Access Relying Party Trust 55

6 Configure VMware Workspace ONE Access as the Default Claims Provider for an AD FS-federated Application 57

7 Troubleshooting 59
   Unable to log in to VMware Workspace ONE Access 59
   Error: "Contact your administrator" 60
   Error: "Cannot update Identity Provider" 60
   Error: "404.idp.not.found" 60
   Unable to authenticate into Hub portal using AD FS 61
   Unable to authenticate into AD FS-federated applications 61

Integrating VMware Workspace ONE Access with Active Directory Federation Services

Integrating VMware Workspace ONE with Active Directory Federation Services provides
information about integrating Active Directory Federation Services with VMware Workspace
ONE® Access™. It describes specific use cases and provides instructions on how to configure
Workspace ONE Access and Active Directory Federation Services to support those use cases.

Intended Audience
This information is intended for IT system administrators configuring Workspace ONE Access in
an existing Active Directory Federation Services environment.

Additional Information

• VMware documentation:

  • VMware Workspace ONE

  • VMware Workspace ONE Access

  • VMware Workspace ONE UEM

• Microsoft documentation:

  • Microsoft Active Directory Federation Services

Chapter 1 Workspace ONE Access Configuration Requirements

You must meet certain system requirements before beginning the Workspace ONE Access and
Active Directory Federation Services integration.

Components
The following components are required.

• A Workspace ONE UEM tenant (administrator role required)

• A VMware Workspace ONE Access tenant (administrator role required)

• AirWatch Cloud Connector (ACC)

• VMware Workspace ONE Access connector

  Note If your existing deployment syncs users to VMware Workspace ONE Access from
  Workspace ONE UEM, the VMware Workspace ONE Access connector is not required. For
  new deployments, use the VMware Workspace ONE Access connector to sync users from
  Active Directory to VMware Workspace ONE Access.

• Microsoft Active Directory Federation Services (administrator role required)

Workspace ONE UEM and VMware Workspace ONE Access Integration

Integrate your Workspace ONE UEM and VMware Workspace ONE Access tenants with Hub
Services and configure the mobile single sign-on (SSO) authentication methods that you intend to
use for device trust.

Active Directory Integration

Before integrating VMware Workspace ONE Access with Active Directory Federation Services,
integrate your Active Directory and sync users. You must integrate Active Directory with:

• Workspace ONE UEM using AirWatch Cloud Connector (ACC)

• VMware Workspace ONE Access using VMware Workspace ONE Access connector (for new
  deployments)

  Note If your existing deployment syncs users to VMware Workspace ONE Access from
  Workspace ONE UEM, you do not need to use the VMware Workspace ONE Access
  connector to sync users.

Ensure that you sync the same users to all the environments.

Chapter 2 Overview of Workspace ONE Access and Active Directory Federation Services Integration

Integrating Workspace ONE Access with Active Directory Federation Services allows
organizations to manage access to enterprise applications and resources with conditional user
and device access policies.

About VMware Workspace ONE Platform

VMware Workspace ONE is a secure enterprise platform that integrates application
management, access control, and enterprise mobility management on all devices and
applications. The Workspace ONE Intelligent Hub app is used to register devices for mobile
device management and to manage access to company resources from devices or the Hub
portal.

VMware Workspace ONE Access and VMware Workspace ONE UEM are part of the Workspace
ONE platform. As the identity component of the Workspace ONE platform, VMware Workspace
ONE Access provides enterprise identity integration and web and mobile single sign-on (SSO)
services.

About the Integration Process

Workspace ONE Access has the capability to act as a standalone federation identity provider
(IdP). It can also integrate with existing IdP and SSO solutions like Active Directory Federation
Services as a federated IdP or service provider (SP). When configured in this way, the
Workspace ONE platform can provide augmented services such as a unified application catalog
and conditional access policies based on device posture.

With the flexible identity policies of Workspace ONE Access and Active Directory Federation
Services, either identity provider can authenticate login requests depending on the scenario.
For example, you can configure Workspace ONE Access to authenticate users of mobile
devices, while Active Directory Federation Services continues to authenticate desktop users.
This flexibility gives you the benefits of Workspace ONE Access integration in key areas while
maintaining your existing Active Directory Federation Services workflow in other scenarios.


This guide provides step-by-step instructions on how to configure and test use cases supported
by the Workspace ONE Access integration with Active Directory Federation Services. To perform
the integration, you integrate Workspace ONE Access, the identity component of the Workspace
ONE platform, with Active Directory Federation Services.

Read the following topics next:

• About Active Directory Federation Services and Claims-Based Authentication

• Main Use Cases

• IdP-initiated and SP-Initiated Authentication Flows

About Active Directory Federation Services and Claims-Based Authentication

Microsoft Active Directory Federation Services (AD FS) enables federated identity and access
management by securely sharing digital identity and entitlement rights across security and
enterprise boundaries. Both AD FS and VMware Workspace ONE Access use a claims-based
authentication model to maintain application security and implement federated identity.

Claims-based authentication is the process of authenticating users based on a set of claims
about their identity contained in a security token.

A claim typically consists of an Active Directory user attribute, such as the user principal name
(UPN) or email address. A security token bundles the set of claims about a particular user in the
form of a Security Assertion Markup Language (SAML) assertion.

A claims-based workflow follows this sequence:

1 User requests access to an application or resource.

2 The application or resource service provider (also called the relying party) redirects the
authentication request to the federated identity provider (also called the claims provider).

3 If needed, the user is prompted to enter authentication credentials into the claims provider's
sign-in portal.

4 After authenticating the user's identity, the claims provider issues the security token and
sends it back to the federated relying party.

5 Upon accepting the token as validation of the user's identity, the relying party grants the user
access to the application or resource.

The following table shows the parallels between the terminology used by AD FS and VMware
Workspace ONE Access.

AD FS Term                 | VMware Workspace ONE Access Term | Description
---------------------------|----------------------------------|------------------------------------------------------------
Security Token             | Assertion                        | Collection of SAML-formatted security information describing users, which is created and consumed during a federated access request.
Claims Provider or Issuer  | Identity Provider (IdP)          | Partner in a federation that creates security tokens for users.
Relying Party              | Service Provider (SP)            | Partner in a federation that consumes security tokens for providing access to applications.
Claims                     | Assertion Attributes             | Data about users that is sent inside security tokens.

Main Use Cases

By integrating AD FS with VMware Workspace ONE Access, you can implement several
beneficial use cases. The use cases include: Workspace ONE Intelligent Hub Login Using AD
FS, Unified Application Catalog, and Mobile Device Trust.

The following sections describe the main use cases supported by AD FS integration, including the
specific configuration procedures required to implement each use case. To realize the benefits
of all three use cases, perform an end-to-end setup that includes all the integration procedures
described in this guide.

Use Case 1: Workspace ONE Intelligent Hub Login Using AD FS

You can configure the Workspace ONE Intelligent Hub app and portal to use AD FS as a trusted
identity provider. This configuration allows end users to log in to the Workspace ONE Intelligent
Hub app and portal with their familiar Active Directory credentials. This use case also applies to
VMware Horizon® customers who are using the Hub portal to run Horizon apps and desktops,
but have not yet deployed Workspace ONE UEM to manage devices.

To implement this use case, perform the procedures described in Chapter 3 Integrating AD FS as
a Federated Identity Provider for VMware Workspace ONE Access.

Use Case 2: Unified Application Catalog

You can configure the Hub App catalog to publish applications federated through AD FS. These
applications appear alongside other configured resources, such as virtual Horizon and Citrix
applications and desktops, and native Workspace ONE UEM applications. End users can go
to a single portal to discover, run, or download their enterprise apps from any device with a
consistent user experience.

To implement this use case, perform the procedures described in the following topics:

1 Creating a VMware Workspace ONE Access Claims Provider Trust in AD FS

2 Configuring AD FS as a Service Provider for VMware Workspace ONE Access

3 Test the VMware Workspace ONE Access Authentication

4 Integrating AD FS-federated Applications With Workspace ONE Intelligent Hub

Use Case 3: Mobile Device Trust

Integrating AD FS with Workspace ONE Intelligent Hub lets administrators establish mobile
device trust by evaluating device posture before permitting access from end users to sensitive
applications. Device posture can refer to the security status of the mobile device, such as
whether it is managed and compliant with your organization's IT requirements. Device posture
policies are established in Workspace ONE UEM and evaluated whenever a user signs in to a
protected application.

For example, a device trust flow using Office 365 follows this sequence:

1 Mobile user attempts to access the Office 365 tenant.

2 Office 365 redirects to AD FS as the federated identity provider.

3 AD FS processes the incoming request and routes the user to VMware Workspace ONE
Access as a trusted claims provider.

4 As the identity component of the Workspace ONE platform, VMware Workspace ONE
Access challenges the user for authentication based on user access and device posture
policies.

5 VMware Workspace ONE Access performs authentication steps based on the device posture:

a If the device is managed and compliant with IT requirements, VMware Workspace ONE
Access authenticates the user.

b If the device is unmanaged but compliant with IT requirements, VMware Workspace ONE
Access enrolls the device and authenticates the user.

c If the device is not compliant with IT requirements, VMware Workspace ONE Access
blocks the user from accessing the Office 365 application.

6 Upon successful authentication with VMware Workspace ONE Access, the user is redirected
back to AD FS.

7 AD FS issues the SAML assertion for Office 365 and grants the user access to the application.


Figure 2-1. Device Trust Flow

To implement this use case, perform the procedures described in the following topics:

1 Creating a VMware Workspace ONE Access Claims Provider Trust in AD FS

2 Configuring AD FS as a Service Provider for VMware Workspace ONE Access

3 Test the VMware Workspace ONE Access Authentication

4 Redirect Mobile Users to VMware Workspace ONE Access for Authentication

Note Alternatively, you can configure Office 365 to authenticate directly with the VMware
Workspace ONE Access service, without using AD FS as an intermediary. For information on
configuring this alternative use case, see the Workspace ONE Access Integration with Office 365
guide.

End to End Setup Covering All Use Cases

To set up the complete Workspace ONE Intelligent Hub and AD FS integration to cover all use
cases, perform all the procedures described in the following topics:

1 Chapter 3 Integrating AD FS as a Federated Identity Provider for VMware Workspace ONE
Access

2 Chapter 4 Integrating VMware Workspace ONE Access as a Federated Identity Provider for
AD FS

3 Chapter 5 Configure the Claims Provider for the VMware Workspace ONE Access Relying
Party Trust

IdP-initiated and SP-Initiated Authentication Flows

In an AD FS-federated configuration, the authentication flow differs depending on where the user
initiates the login request. This guide differentiates between IdP-initiated and SP-initiated login
requests.


This guide uses the following terminology to refer to the origin of an authentication request:

• An identity provider-initiated (IdP-initiated) flow occurs when the user attempts to log in to
  an application from the Hub portal.

• A service provider-initiated (SP-initiated) flow occurs when the user attempts to log into
  an application directly from the application's sign-in portal (for example, portal.office.com for
  Office 365).

Your configuration can support both IdP-initiated and SP-initiated authentication flows. To
support each type of authentication flow, you must configure certain settings, such as access
policies in VMware Workspace ONE Access.

Chapter 3 Integrating AD FS as a Federated Identity Provider for VMware Workspace ONE Access

With AD FS integrated as a trusted identity provider, end users can log in to the Hub portal with
their Active Directory credentials. To complete the integration, configure AD FS as an identity
provider for VMware Workspace ONE Access, and VMware Workspace ONE Access as a relying
party for AD FS.

Integrating AD FS as a federated identity provider for VMware Workspace ONE Access allows
you to implement Workspace ONE Intelligent Hub Login Using AD FS (see Main Use Cases ). This
use case employs the following authentication flow.

1 End user seeks access to the Hub portal.

2 As the identity component of the Workspace ONE platform, VMware Workspace ONE
Access redirects the authentication request to AD FS.

3 If needed, AD FS prompts the user to log in with Active Directory credentials.

4 AD FS authenticates the user, and issues a security token containing the LDAP email address
attribute of the user.

5 VMware Workspace ONE Access accepts the SAML-formatted token from AD FS as the
trusted identity provider.

6 VMware Workspace ONE Access grants the user access to the Hub portal.

Figure 3-1. AD FS Identity Provider Flow

Read the following topics next:

• Obtain the VMware Workspace ONE Access SP Metadata

• Configuring AD FS as a Trusted Identity Provider for VMware Workspace ONE Access

• Configuring VMware Workspace ONE Access as a Relying Party for AD FS

• Test the Workspace ONE Intelligent Hub Login with AD FS Authentication

Obtain the VMware Workspace ONE Access SP Metadata

AD FS requires the VMware Workspace ONE Access service provider (SP) metadata for
federation. The SP metadata is an XML file that describes the capabilities and requirements of
VMware Workspace ONE Access as a trusted service provider.

Procedure

1 Log in to the VMware Workspace ONE Access console.

2 Select the Resources > Web Apps page.

3 Click Settings and then select SAML Metadata.

4 Under the SAML Metadata section, next to Service Provider (SP) metadata, click the Copy
URL link to copy the SP metadata URL to the clipboard. Paste and save the URL in a text file
on your computer.

5 Close the Settings page.

Configuring AD FS as a Trusted Identity Provider for VMware Workspace ONE Access

You can configure VMware Workspace ONE Access to use AD FS as a trusted identity provider
for authentication.

Add AD FS as an Identity Provider in the Service

To configure the AD FS integration, you must add AD FS as an identity provider instance in
VMware Workspace ONE Access.

Prerequisites

• Download the federation metadata file for the AD FS server by navigating to the
  URL: https://ADFSdomain/FederationMetadata/2007-06/FederationMetadata.xml where
  ADFSdomain is replaced with the fully qualified domain name for your AD FS server.

• In the VMware Workspace ONE Access console, configure the access policies that you want
  to use for the AD FS identity provider instance. For information about configuring access
  policies, see the Managing Workspace ONE Access User Authentication Methods guide.
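The two metadata documents exchanged in this chapter, the Workspace ONE Access SP metadata obtained in Obtain the VMware Workspace ONE Access SP Metadata and the AD FS federation metadata downloaded in the prerequisite above, are what each side uses to decide whom to trust. Before pasting either one into the other product, it is worth confirming that the entityID, the endpoints and the signing certificate are the ones you expect and that the certificate has not expired. The following PowerShell is an added example, not code from the VMware guide or from the ADFS module: the function Get-SamlMetadataSummary and the two URL variables are assumptions, and {AccessTenant} and {ADFSdomain} are placeholders to replace with your own FQDNs.

```powershell
# Added example (not from the VMware guide): summarize a SAML 2.0 metadata
# document before importing it. Handles both the Workspace ONE Access SP
# metadata (SPSSODescriptor) and the AD FS federation metadata
# (IDPSSODescriptor). Placeholder URLs below must be replaced.

function Get-SamlMetadataSummary {
    param(
        [Parameter(Mandatory = $true)]
        [string]$MetadataXml   # the whole metadata document as a string
    )

    $doc = [xml]$MetadataXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw 'Not a SAML 2.0 EntityDescriptor document' }

    $summary = [ordered]@{
        EntityId     = $entity.GetAttribute('entityID')
        Roles        = @()
        Endpoints    = @()
        Certificates = @()
    }

    # A document may carry an SP role, an IdP role, or (for AD FS) both.
    foreach ($role in $entity.SelectNodes('md:SPSSODescriptor | md:IDPSSODescriptor', $ns)) {
        $summary.Roles += $role.LocalName

        # Where assertions go (SP) or where authentication requests go (IdP).
        foreach ($ep in $role.SelectNodes('md:AssertionConsumerService | md:SingleSignOnService', $ns)) {
            $summary.Endpoints += [pscustomobject]@{
                Type     = $ep.LocalName
                Binding  = $ep.GetAttribute('Binding')
                Location = $ep.GetAttribute('Location')
            }
        }

        # Decode every embedded X.509 certificate and flag expired ones.
        foreach ($kd in $role.SelectNodes('md:KeyDescriptor', $ns)) {
            $b64 = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText -replace '\s', ''
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
            $summary.Certificates += [pscustomobject]@{
                Use        = $kd.GetAttribute('use')   # "signing", "encryption", or empty for both
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
    [pscustomobject]$summary
}

# Placeholders: the SP metadata URL copied from the Workspace ONE Access console
# and the AD FS federation metadata URL named in the prerequisite above.
$spMetadataUrl   = 'https://{AccessTenant}/SAAS/API/1.0/GET/metadata/sp.xml'
$adfsMetadataUrl = 'https://{ADFSdomain}/FederationMetadata/2007-06/FederationMetadata.xml'

foreach ($url in @($spMetadataUrl, $adfsMetadataUrl)) {
    $xml = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    $s = Get-SamlMetadataSummary -MetadataXml $xml
    "Entity: $($s.EntityId) [$($s.Roles -join ', ')]"
    $s.Endpoints    | Format-Table -AutoSize
    $s.Certificates | Format-Table -AutoSize
}
```

The entityID printed for the SP metadata is the value AD FS will record as the relying party identifier, and the AD FS entityID is what Workspace ONE Access records as the IdP issuer; a mismatch between these and what each console later shows is the first thing to check when a login fails. An Expired value of True for a signing certificate means the trust will break as soon as it is imported, so renew before continuing rather than after.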

Procedure

1 Log in to the VMware Workspace ONE Access console with full administrator privileges.

2 In the Integrations tab, select Identity Providers.

3 Click ADD and select SAML IDP.


4 Modify the configuration settings.

   Identity Provider Name: Enter a short descriptive name for the AD FS identity provider instance.

   SAML Metadata:
      a To establish trust with AD FS, add the federation metadata here. In the text box, copy and
        paste the contents of the AD FS federation metadata file that you obtained previously.
      b Click Process IdP Metadata. The Name ID format mappings are automatically imported from
        the AD FS metadata.
      c (Optional) Configure additional AD FS Name ID formats and map them to user values in the
        VMware Workspace ONE Access service.

   Just-in-Time User Provisioning: Do not enable.

   Users: Select the VMware Workspace ONE Access directories of the users that can authenticate
   using AD FS.

   Network: The existing network ranges configured in the service are listed. Select the network
   ranges for the users, based on their IP addresses, that you want to direct to AD FS for
   authentication.

   Authentication Methods: To add an authentication method that you want AD FS to use, click the
   green plus sign and enter the name of the method. Then select the SAML authentication context
   class that supports the method. Configure the following authentication methods.
      • Forms-based authentication: For SAML Context, select
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
      • Kerberos-based authentication: For SAML Context, select
        urn:federation:authentication:windows

   Single Sign-Out Configuration: Do not enable. Single sign-out configuration is not required for
   the AD FS identity provider instance.

   SAML Signing Certificate: To display the VMware Workspace ONE Access service provider metadata
   in a browser window, click Service Provider (SP) Metadata. Copy and save the URL. You need this
   URL later when you configure the Federation Service Properties in AD FS.

5 Click Add.

What to do next

Add AD FS Authentication Methods to Access Policy Rules

Add AD FS Authentication Methods to Access Policy Rules

To complete the configuration of the AD FS identity provider instance, incorporate the AD FS
authentication methods into your access policies.

The following procedure describes an example of incorporating AD FS authentication methods
into a policy rule for Windows 10 devices. You can use this example as a guideline when
configuring your own access policies.

For more information about configuring access policies and policy rules, see the Managing
Workspace ONE Access User Authentication Methods guide.

Prerequisites

Add AD FS as an Identity Provider in the Service

Procedure

1 Log in to the VMware Workspace ONE Access console with full administrator privileges.

2 In the Resources tab, select Policies.

3 Select the access policy that you want to modify and click Edit.

The Edit Policy wizard appears.


4 Click Next.

5 On the Configuration page, click Add Policy Rule and create a rule for Windows 10 devices.

a Specify Kerberos-based authentication as the first authentication method and Forms-based
  authentication as the fallback method, according to the following example. Leave the
  and user belongs to group(s): option blank to apply the rule to all users.

      If a user's network range is: ALL RANGES
      and user accessing content from: Windows 10+
      and user belongs to group(s):
      Then perform this action: Authenticate using
      then the user may authenticate using: Kerberos-based authentication
      If the preceding method fails or is not applicable, then: Forms-based authentication

b Click Save.

The new policy rule appears as Kerberos-based authentication+1 in the rules list.

6 In the rules list, reorder the rules such that Kerberos-based authentication+1 appears at the
top of the list as the first rule to apply. To move the rule in the list, drag the handle at the left
of the rule name.


7 Click Next. Review your changes and then click Save.

Results

You are now finished with configuring AD FS as a trusted identity provider for VMware
Workspace ONE Access. Next, you must configure VMware Workspace ONE Access as a trusted
relying party for AD FS.

What to do next

Perform the procedures described in Configuring VMware Workspace ONE Access as a Relying
Party for AD FS.

Configuring VMware Workspace ONE Access as a Relying Party for AD FS

A relying party trust defines how AD FS recognizes a relying party (or service provider) and
issues claims to it. To create a relying party trust, you add VMware Workspace ONE Access as a
relying party for AD FS and then configure claim rules.

Add VMware Workspace ONE Access as a Relying Party for AD FS

To add VMware Workspace ONE Access to the AD FS federation, you configure VMware
Workspace ONE Access as a relying party (or service provider) for AD FS.

Prerequisites

Obtain the VMware Workspace ONE Access SP Metadata

Procedure

1 On the AD FS server, run the AD FS Management console as an administrator.

2 (AD FS 3.0) In the left pane, expand the Trust Relationships folder.


3 In the left pane, click Relying Party Trusts to highlight it. Then right-click Relying Party Trusts
and select Add Relying Party Trust from the menu.

The Add Relying Party Trust Wizard appears.

4 Start the Add Relying Party Trust Wizard.

   • (AD FS 4.0) Select Claims aware, and then click Start.

   • (AD FS 3.0) Click Start.

5 On the Select Data Source page, select Import data about the relying party published online
or on a local network. In the text box, paste the URL of the VMware Workspace ONE Access
service provider metadata file that you obtained earlier. Then click Next.

   The URL resembles https://{AccessTenant}/SAAS/API/1.0/GET/metadata/sp.xml,
   where {AccessTenant} is replaced with the fully qualified domain name (FQDN) of the
   VMware Workspace ONE Access service.

6 On the Specify Display Name page, in the Display name text box, enter a name for the
VMware Workspace ONE Access service. In the Notes text box, enter a description of this
relying party trust. Then click Next.

In AD FS 3.0, the Multi-factor Authentication page appears. The Workspace ONE Intelligent
Hub integration does not require multi-factor authentication. Click Next.

7 Configure the appropriate setting to allow all users access to Workspace ONE Intelligent Hub
after VMware Workspace ONE Access receives the valid claims.

   • (AD FS 4.0) On the Choose Access Control Policy page, select Permit everyone. Then
     click Next.

   • (AD FS 3.0) On the Choose Issuance Authorization Rules page, select Permit all users to
     access this relying party. Then click Next.

8 On the Ready to Add Trust page, review your changes and then click Next.

9 On the Finish page, select the option to edit the claim rules or issuance policy after you close
the wizard.

   • (AD FS 4.0) Select the Configure claims issuance policy for this application check box
     and then click Close.

   • (AD FS 3.0) Select the Open the Edit Claim Rules dialog for this relying party trust when
     the wizard closes check box and then click Close.

   The Edit Claim Issuance Policy window (AD FS 4.0) or Edit Claim Rules window (AD FS 3.0)
   appears.

What to do next

Configure Claim Rules for the Relying Party Trust

Configure Claim Rules for the Relying Party Trust

As the claims issuer (or identity provider), AD FS sends security tokens containing authentication
claims to VMware Workspace ONE Access. Relying party claim rules define the content of these
claims and transform them into a format that VMware Workspace ONE Access can recognize and
consume.

You must configure two claim rules for VMware Workspace ONE Access as the relying party. The
first rule directs AD FS to look up the LDAP email address attribute for the requesting user and to
send this attribute as the claim. The second rule transforms this claim into the SAML-based email
address attribute expected by VMware Workspace ONE Access.

Prerequisites

Add VMware Workspace ONE Access as a Relying Party for AD FS


Procedure

1 If needed, open the Edit Claim Issuance Policy window (AD FS 4.0) or Edit Claim Rules
window (AD FS 3.0) on the AD FS server by performing the following steps.

a Run the AD FS Management console as an administrator.

b (AD FS 3.0) In the left pane, expand the Trust Relationships folder.

c In the left pane, select Relying Party Trusts.

d In the center pane, select the relying party trust that you created for VMware Workspace
ONE Access.

e In the right pane, click Edit Claim Issuance Policy (AD FS 4.0) or Edit Claim Rules (AD FS
3.0).


2 In the Edit Claim Issuance Policy window (AD FS 4.0) or Edit Claim Rules window (AD FS 3.0),
select the Issuance Transform Rules tab.

3 Click Add Rule.

The Add Transform Claim Rule Wizard appears.

4 For Claim rule template, select Send LDAP Attributes as Claims. Then click Next.

The Configure Rule page appears.

5 Specify the following settings.

   Claim rule name: Enter a descriptive name for the rule (for example, Get E-Mail Address
   Attribute).

   Attribute store: Select Active Directory.

   LDAP Attribute: Select E-Mail-Addresses.

   Outgoing Claim Type: Select E-mail address.


6 Click Finish.

7 Verify that the email address attribute rule appears in the list of claim rules.

Next, you add a second rule that transforms the email address attribute in the outgoing claim
to the SAML-based format expected by VMware Workspace ONE Access.

8 Click Add Rule.

9 For Claim rule template, select Send Claims Using a Custom Rule. Then click Next.

10 Specify the following settings.

n For Claim rule name, enter a descriptive name for the rule (for example, Transform
E-Mail Address).

n In the Custom rule text box, enter the following script, where {AccessTenant} at the end
of the script is replaced with the fully qualified domain name (FQDN) of the VMware
Workspace ONE Access service. This script uses the required syntax for custom rules.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "{AccessTenant}");

11 Click Finish.

12 Verify that both new rules appear in the rules list, with the custom transformation rule
appearing in the second position. Click Apply, and then click OK.

Results

This procedure concludes the integration of AD FS as a federated identity provider for VMware
Workspace ONE Access.

What to do next

Test the Workspace ONE Intelligent Hub Login with AD FS Authentication

Test the Workspace ONE Intelligent Hub Login with AD FS Authentication

After integrating AD FS as a federated identity provider for VMware Workspace ONE Access,
test the configuration by logging in to the Hub portal.

Prerequisites

Perform all the procedures described in Chapter 3 Integrating AD FS as a Federated Identity Provider for VMware Workspace ONE Access.

Procedure

1 In a web browser, navigate to your organization's Hub portal.

2 Enter the Active Directory credentials of a test user, and verify that the user can successfully
access the Hub portal based on those credentials.

Note If the test login fails, you can reaccess the VMware Workspace ONE Access console
by navigating to https://{Accesstenant}/SAAS/login/0, where {Accesstenant} is the fully
qualified domain name of the VMware Workspace ONE Access tenant.

4 Integrating VMware Workspace ONE Access as a Federated Identity Provider for AD FS

To perform the integration, you first configure VMware Workspace ONE Access as a federated
identity provider (or claims provider) for AD FS. Then you configure AD FS as a service provider
for VMware Workspace ONE Access.

Integrating VMware Workspace ONE Access as a federated identity provider allows you to
implement the Mobile Device Trust and Unified Application Catalog use cases (see Main Use
Cases ).

Read the following topics next:

n Creating a VMware Workspace ONE Access Claims Provider Trust in AD FS

n Configuring AD FS as a Service Provider for VMware Workspace ONE Access

n Test the VMware Workspace ONE Access Authentication

n Integrating AD FS-federated Applications With Workspace ONE Intelligent Hub

n Redirect Mobile Users to VMware Workspace ONE Access for Authentication

Creating a VMware Workspace ONE Access Claims Provider Trust in AD FS

A claims provider trust defines how AD FS recognizes a claims provider (or identity provider)
and accepts claims from it. To create a claims provider trust, you add VMware Workspace ONE
Access as a claims provider for AD FS and then configure claim rules.

Download the VMware Workspace ONE Access IdP Metadata


AD FS requires the VMware Workspace ONE Access identity provider (IdP) metadata for
federation. The IdP metadata describes the capabilities and requirements of VMware Workspace
ONE Access as a trusted identity provider.

Procedure

1 Log in to the VMware Workspace ONE Access console with full administrator privileges.

2 Select the Resources > Web Apps page.

3 Click Settings and then select SAML Metadata.

4 Under the SAML Metadata section, click the Identity Provider (IdP) metadata link to open a
new window displaying the contents of the SAML metadata .xml file. Right-click in the window
and select Save as to save the contents to a .xml file on your computer.

5 Close the Settings page.

What to do next

Add VMware Workspace ONE Access as a Claims Provider for AD FS

Add VMware Workspace ONE Access as a Claims Provider for AD FS


To create a federation between VMware Workspace ONE Access and AD FS, you configure
VMware Workspace ONE Access as a claims provider (or identity provider) for AD FS.

Prerequisites

n Download the VMware Workspace ONE Access IdP Metadata

n Verify the federation between AD FS and the application that you want to authenticate
through the VMware Workspace ONE Access service. Verify that AD FS successfully
authenticates users logging into the application through a web browser.

Note Before proceeding,

Procedure

1 On the AD FS server, run the AD FS Management console as an administrator.

2 (AD FS 3.0) In the left pane, expand the Trust Relationships folder.

3 In the left pane, click Claims Provider Trusts to highlight it. Then right-click Claims Provider
Trusts and select Add Claims Provider Trust from the menu.

The Add Claims Provider Trust Wizard appears.

4 Click Start.

5 On the Select Data Source page, import the IdP metadata file that you downloaded from
VMware Workspace ONE Access.

a Select Import data about the claims provider from a file.

b Click Browse, and navigate to the VMware Workspace ONE Access IdP metadata file. To
import the metadata file, click Open.

c Then click Next.

6 On the Specify Display Name page, in the Display name text box, enter a name for the
VMware Workspace ONE Access relying party. Use a name that is recognizable to users who
might need to select VMware Workspace ONE Access as the authentication option during
the login process. Then click Next.

7 On the Ready to Add Trust page, review your changes and then click Next.

8 On the Finish page, select the Open the Edit Claim Rules dialog for this claims provider trust
when the wizard closes check box. Then click Close.

The Edit Claim Rules window appears.

What to do next

Configure Claim Rules for the Claims Provider Trust

Configure Claim Rules for the Claims Provider Trust


As a claims issuer, VMware Workspace ONE Access sends security tokens containing
authentication claims to AD FS. Claim rules define the content of these claims and transform
them into a format that AD FS can recognize and consume.

VMware Workspace ONE Access sends the Name ID user attribute as an authentication claim
to AD FS. This attribute takes the form domain\samAccountName in the SAML assertion
issued by VMware Workspace ONE Access. However, AD FS expects instead a value of type
WindowsAccountName formatted as domain\user. AD FS also expects to see Active Directory
named as the issuer of this value.

The solution is to configure a claim rule that transforms the Name ID attribute into
WindowsAccountName format and changes the named issuer from VMware Workspace ONE
Access to Active Directory. AD FS can then recognize and consume the incoming claim from
VMware Workspace ONE Access.

Prerequisites

Add VMware Workspace ONE Access as a Claims Provider for AD FS

Procedure

1 If needed, open the Edit Claim Rules window on the AD FS server by performing the following
steps.

a Run the AD FS Management console as an administrator.

b (AD FS 3.0) In the left pane, expand the Trust Relationships folder.

c In the left pane, select Claims Provider Trusts.

d In the center pane, select the claims provider trust that you created for VMware
Workspace ONE Access.

e In the right pane, click Edit Claim Rules.

2 In the Edit Claim Rules window, click Add Rule.

The Add Transform Claim Rule Wizard appears.

3 For Claim rule template, select Send Claims Using a Custom Rule. Then click Next.

The Configure Rule page appears. You can now create a rule that transforms the incoming
Name ID attribute into the WindowsAccountName value formatted as domain\user. The rule
also names Active Directory as the issuer of this value.

4 On the Configure Rule page, perform the following steps.

a For Claim rule name, enter a descriptive name for the rule.

b In the Custom Rule text box, enter the following rule.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
    Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

5 Click Finish.

6 In the Edit Claim Rules window, verify that the custom rule you created appears in the list.

7 Click Apply, and then click OK.
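Both rule sets in this guide, the two issuance transform rules on the Workspace ONE Access relying party trust (Chapter 3) and the acceptance transform rule on the claims provider trust just created, can also be applied and read back from PowerShell, which is useful for scripted deployments and for confirming what the wizards saved. This is an added example and not part of the VMware guide; the tenant FQDN and the two trust display names are placeholders you must replace with the names shown in the AD FS Management console.

```powershell
# Added example, not part of the VMware guide. Applies the claim rules from the
# wizard steps with the ADFS PowerShell module and reads them back to verify.
# Run in an elevated PowerShell session on the AD FS server.
#
# Placeholders (replace with your own values):
$AccessTenant       = 'access.example.com'        # FQDN of the Workspace ONE Access service
$RelyingPartyName   = 'Workspace ONE Access'      # display name of the relying party trust (Chapter 3)
$ClaimsProviderName = 'Workspace ONE Access IdP'  # display name of the claims provider trust (Chapter 4)

# --- Relying party trust: issuance transform rules -------------------------
# Rule 1 is the text the "Send LDAP Attributes as Claims" template generates
# for E-Mail-Addresses -> E-mail address. Rule 2 is the custom transform from
# the guide with {AccessTenant} substituted. Order matters: rule 2 consumes
# the e-mail claim that rule 1 issues, so rule 1 must come first.
$issuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Get E-Mail Address Attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Transform E-Mail Address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$AccessTenant");
"@

# CAUTION: -IssuanceTransformRules replaces the whole rule set on the trust,
# so any rule added earlier through the wizard is dropped unless it is in $issuanceRules.
Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules $issuanceRules

# --- Claims provider trust: acceptance transform rule ----------------------
# Single-quoted here-string: nothing is expanded, the rule is taken verbatim.
# Re-issues the unspecified-format NameID from Workspace ONE Access as a
# WindowsAccountName claim issued by AD AUTHORITY, as the guide describes.
$acceptanceRules = @'
@RuleName = "NameID to WindowsAccountName"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

Set-AdfsClaimsProviderTrust -TargetName $ClaimsProviderName -AcceptanceTransformRules $acceptanceRules

# --- Verify: read the rules back and check for the parts that matter -------
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
$cp = Get-AdfsClaimsProviderTrust -Name $ClaimsProviderName

if ($rp.IssuanceTransformRules -notmatch 'nameid-format:emailAddress' -or
    $rp.IssuanceTransformRules -notmatch [regex]::Escape($AccessTenant)) {
    throw "Issuance rules on '$RelyingPartyName' do not contain the expected e-mail NameID transform."
}
if ($cp.AcceptanceTransformRules -notmatch 'claims/windowsaccountname' -or
    $cp.AcceptanceTransformRules -notmatch 'Issuer = "AD AUTHORITY"') {
    throw "Acceptance rules on '$ClaimsProviderName' do not re-issue the NameID as WindowsAccountName."
}
Write-Host "Claim rules applied and verified on both trusts."
```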

What to do next

Proceed to Configuring AD FS as a Service Provider for VMware Workspace ONE Access.

Configuring AD FS as a Service Provider for VMware Workspace ONE Access

After configuring VMware Workspace ONE Access as the claims provider, complete the
federation setup by configuring AD FS as the service provider. You must add AD FS as an
application source in VMware Workspace ONE Access and make the application source available
to all users.

Add AD FS as an Application Source in VMware Workspace ONE Access

To configure AD FS as a service provider for VMware Workspace ONE Access, you add AD FS as
an application source. The AD FS application source enables VMware Workspace ONE Access to
respond to authentication requests from the AD FS server.

Prerequisites

Download the federation metadata file for the AD FS server by navigating to the URL
https://{ADFSdomain}/FederationMetadata/2007-06/FederationMetadata.xml, where
{ADFSdomain} is replaced with the fully qualified domain name (FQDN) of your AD FS server.

Procedure

1 Log in to the VMware Workspace ONE Access console with full administrator privileges.

2 In the Resources tab, select Web Apps.

3 Click Settings.

4 In the left pane, click Application Sources.

5 On the Application Sources page, click ADFS.

6 On the Definition page of the ADFS Application Source wizard, click Next.

7 On the Configuration page, perform the following steps.

a For Configuration, select URL/XML.

b In the URL/XML text box, copy and paste the contents of the federation metadata file
that you downloaded previously from the AD FS server.

8 Click Next.

9 On the Access Policies page, select the access policy that you want to use for the AD FS
application source.

For more information about access policies, see the Managing Workspace ONE Access User
Authentication Methods guide.

10 Click Next, review your selections, and click Save.

Saving the setup at this stage allows VMware Workspace ONE Access to import
configuration settings from the AD FS metadata.

11 On the Application Sources page, click ADFS again. Then click Next.

Some settings on the Configuration page now contain values imported from the AD FS
metadata.

12 On the Configuration page, modify the following settings. Accept the default values for all
other settings.

a For Username Format, select Unspecified.

b For Username Value, enter ${user.domain}\${user.userName}. This value ensures
that VMware Workspace ONE Access sends the user name value in the
WindowsAccountName domain\user format required by AD FS.

13 Expand the Advanced Properties section and configure the following settings.

a Set Include Assertion Signature to Yes.

b For Signature Algorithm, select SHA256 with RSA.

14 Click Next, and click Next again to advance to the Summary page. Then click Save.

What to do next

Assign the AD FS Application Source to All Users

Assign the AD FS Application Source to All Users


After you configure the AD FS application source, assign it to all users in VMware Workspace
ONE Access.

Prerequisites

Add AD FS as an Application Source in VMware Workspace ONE Access

Procedure

1 Log in to the VMware Workspace ONE Access console with full administrator privileges.

2 In the Accounts tab, select User Groups.

3 Double-click the group name ALL USERS.

4 Click the Applications tab.

5 Select AD FS application source.

6 In the CHANGE DEPLOYMENT TYPE tab, select Automatic.

What to do next

Test the VMware Workspace ONE Access Authentication

Test the VMware Workspace ONE Access Authentication


After configuring VMware Workspace ONE Access as the claims provider and AD FS as the
service provider, you can test the SP-initiated authentication flow with an AD FS-federated
application. A successful configuration allows you to use VMware Workspace ONE Access to
authenticate access to an AD FS-federated application.

Use the following procedure to test the SP-initiated authentication flow with an AD FS-federated
application. For more information about authentication flows, see IdP-initiated and SP-Initiated
Authentication Flows.

Prerequisites

Perform the procedures described in the following topics:

n Creating a VMware Workspace ONE Access Claims Provider Trust in AD FS

n Configuring AD FS as a Service Provider for VMware Workspace ONE Access

Procedure

1 Open a private browsing session (a good practice when testing federated authentication) on
your computer browser.

2 Navigate to the login portal for an AD FS-federated application (for example,
https://login.microsoftonline.com for Office 365).

3 Enter the user name of a user residing in the AD FS-federated domain.

Verify that the application portal redirects you to the AD FS Home Realm Discovery page,
which presents VMware Workspace ONE Access as an authentication option.

Note The VMware Workspace ONE Access authentication option uses the Display Name
that you specified during the Claims Provider configuration. For more information, see Add
VMware Workspace ONE Access as a Claims Provider for AD FS.

4 Select the option to authenticate with VMware Workspace ONE Access.

Verify that AD FS redirects you to the Workspace ONE Intelligent Hub login page.

5 Enter the credentials of a user entitled to this resource.

Verify that VMware Workspace ONE Access successfully authenticates you into the
application portal.

What to do next

Proceed to Integrating AD FS-federated Applications With Workspace ONE Intelligent Hub.

Integrating AD FS-federated Applications With Workspace ONE Intelligent Hub

After verifying the federation between AD FS and VMware Workspace ONE Access, you can add
AD FS-federated applications to the Workspace ONE Intelligent Hub catalog. End users can then
use an IdP-initiated authentication flow to access AD FS-federated applications alongside other
enterprise applications from the Hub portal.

For more information about authentication flows, see IdP-initiated and SP-Initiated Authentication
Flows.

Enable the RelayState Parameter in AD FS


To complete the integration of AD FS-federated applications with Workspace ONE Intelligent
Hub, you must enable the RelayState parameter in AD FS. This parameter passes an application's
relying party identifier from VMware Workspace ONE Access to AD FS, so that AD FS can
redirect users to the application portal.

Without the RelayState parameter enabled, users can click an AD FS-federated application in the
Hub portal and authenticate into AD FS through VMware Workspace ONE Access. However, they
are not further redirected to the application portal.

With RelayState enabled, an IdP-initiated authentication flow follows this sequence:

1 End user requests access to an AD FS-federated application in the Hub portal.

2 VMware Workspace ONE Access sends an IdP-initiated authentication response to AD FS.

This SAML response contains a RelayState value set to the relying party identifier of the
application.

3 AD FS accepts the authentication response and redirects the user to the application portal
specified by the RelayState value.

4 User is granted access to the application.

For more information about IdP-initiated authentication flows, see IdP-initiated and SP-Initiated
Authentication Flows. For more information about RelayState support in AD FS, see the following
links:

n https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj127245(v=ws.10)

n http://www.expta.com/2014/11/how-to-enable-relaystate-in-adfs-20-and.html

n https://s4erka.wordpress.com/2018/01/24/relaystate-support-for-adfs-2016-in-the-mixed-mode-adfs-farm/

Prerequisites

Test the VMware Workspace ONE Access Authentication

Procedure

1 On the AD FS server, open the file %systemroot%\AD FS\Microsoft.IdentityServer.Servicehost.exe.config.

2 Insert <useRelayStateForIdpInitiatedSignOn enabled="true" /> within the
<microsoft.identityServer.web> section of the config file.
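The edit in steps 1 and 2 can be scripted so that it is repeatable across the servers of a farm, takes a backup first, and does nothing if the setting is already present. This is an added example and not part of the VMware guide; it assumes the default install folder %systemroot%\ADFS (the guide prints the folder name as "AD FS"), so adjust $ConfigPath if your server differs.

```powershell
# Added example, not part of the VMware guide: enable RelayState for IdP-initiated
# sign-on by editing the service host config idempotently, with a backup first.
# Assumption: AD FS 3.0/4.0 is installed under %systemroot%\ADFS; pass -ConfigPath
# to override.
param(
    [string]$ConfigPath = "$env:SystemRoot\ADFS\Microsoft.IdentityServer.Servicehost.exe.config"
)

function Enable-AdfsRelayState {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Config file not found: $Path" }

    # Keep a timestamped copy so the change can be rolled back.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $web = $xml.SelectSingleNode('/configuration/microsoft.identityServer.web')
    if ($null -eq $web) { throw "No <microsoft.identityServer.web> section in $Path" }

    # Reuse an existing element rather than adding a duplicate one.
    $node = $web.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')
    if ($null -eq $node) {
        $node = $xml.CreateElement('useRelayStateForIdpInitiatedSignOn')
        [void]$web.AppendChild($node)
    }
    if ($node.GetAttribute('enabled') -eq 'true') {
        Write-Host "RelayState already enabled in $Path; nothing changed (backup: $backup)"
        return $false
    }

    $node.SetAttribute('enabled', 'true')
    $xml.Save($Path)
    Write-Host "Enabled RelayState in $Path (backup: $backup)"
    return $true
}

if (Enable-AdfsRelayState -Path $ConfigPath) {
    # The service reads this file only at start-up, so restart it to apply the change.
    Restart-Service adfssrv
}
```

On AD FS 4.0 farms running at the 2016 farm behavior level the same switch is also exposed as Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true; the file edit above is the method the guide describes and applies to AD FS 3.0 as well.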

What to do next

Obtain the Relying Party Identifier for an AD FS-federated Application

Obtain the Relying Party Identifier for an AD FS-federated Application

The relying party identifier uniquely identifies an AD FS-federated application so that another
claims provider can authenticate users seeking access to the application. You must obtain
the relying party identifier for each AD FS-federated application that you want to add to the
Workspace ONE Intelligent Hub catalog.

Prerequisites

Enable the RelayState Parameter in AD FS

Procedure

1 On the AD FS server, run the AD FS Management console as an administrator.

2 (AD FS 3.0) In the left pane, expand the Trust Relationships folder.

3 In the left pane, select Relying Party Trusts.

4 In the Relying Party Trusts list, locate the name of the AD FS-federated application that you
want to add to the catalog. Note the relying party identifier that appears in the Identifier
column for the application.

What to do next

Add an AD FS-federated Application to the Workspace ONE Intelligent Hub Catalog

Add an AD FS-federated Application to the Workspace ONE Intelligent Hub Catalog

Adding an AD FS-federated application to the catalog makes it possible for end users to access
the application alongside other enterprise applications from the Hub portal. You must repeat this
procedure for each application that you want to add to the catalog.

Prerequisites

n Enable the RelayState Parameter in AD FS

n Obtain the Relying Party Identifier for an AD FS-federated Application

Procedure

1 Log in to the VMware Workspace ONE Access console with full administrator privileges.

2 In the Resources tab, select Web Apps.

3 Click New.

4 On the New SaaS Application Definition page, enter the following information.

Option: Description

Name: Enter a name for the application.

Description: (Optional) Enter a description of the application.

Icon: (Optional) Upload an icon.

Category: (Optional) To add the application to a category, select it from the drop-down menu.

5 Click Next.

6 On the Configuration page, enter the following information.

Option: Description

Authentication Type: Select ADFS Application Source.

Target URL: Enter the URL of the application in this format: RPID={AppIdentifier}, where
{AppIdentifier} is replaced with the application's relying party identifier that you obtained
previously from the AD FS Management console.

Open in VMware Browser: Set to No.

7 Click Next.

8 On the Access Policies page, select the access policy that you want to use for the application,
and then click Next.

For more information about access policies, see the Managing Workspace ONE Access User
Authentication Methods guide.

9 Review your selections and click Save, or click Save & Assign to assign the application to
users and groups.

If you do not assign the application to any users and groups now, you can do so later by
selecting the application on the Catalog > Web Apps page and clicking Assign.

10 Verify that the application is added to the catalog.

11 Repeat this procedure for each application that you want to add to the Workspace ONE
Intelligent Hub catalog.

What to do next

Using a test user account, navigate to your organization's Hub portal. From the application
catalog, issue an IdP-initiated authentication request by opening the target AD FS-federated
application. Verify that you are successfully redirected to the application's login portal.

For more information about IdP-initiated authentication flows, see IdP-initiated and SP-Initiated
Authentication Flows.

Redirect Mobile Users to VMware Workspace ONE Access for Authentication

In a successful configuration, users who visit the web portal of an AD FS-federated application
can select their authentication method. You can automate this selection by configuring AD FS
to authenticate desktop users and route mobile users to VMware Workspace ONE Access for
authentication.

Use the following procedure to implement Mobile Device Trust (see Main Use Cases ). With
this use case, you gain the unique mobile device management features provided by VMware
Workspace ONE Access with Workspace ONE UEM. Desktop users can continue to use the
existing AD FS authentication workflow to which they are accustomed.

This use case applies to users who log in directly to an AD FS-federated application through
the application portal (for example, portal.office.com for Office 365). When a user starts an
SP-initiated flow in this way, AD FS routes the authentication request to the appropriate identity
provider based on the user's device type.

n If the user logs in from a desktop computer, AD FS handles the authentication request as the
identity provider. The login experience remains unchanged for desktop users, as they sign in
to the application using their familiar AD FS credentials.

n If the user logs in from a mobile device, AD FS forwards the authentication request to
VMware Workspace ONE Access as the trusted identity provider (or claims provider).
VMware Workspace ONE Access validates the user's credentials, and Workspace ONE UEM
manages the user's access to the application based on the device posture policies in effect.

Note The following procedure uses an AD FS Web Theme to run the HRD page, which contains
the mobile redirect code. If your Relying Party contains only a single Claims Provider, the HRD
page (and thus code) does not run.

For more information about SP-initiated authentication flows, see IdP-initiated and SP-Initiated
Authentication Flows.

Prerequisites

Perform the procedures described in Integrating AD FS-federated Applications With Workspace
ONE Intelligent Hub.

Procedure

1 Log in to the AD FS server with full administrator privileges.

2 Run PowerShell as an administrator.

3 Create a working folder by entering the following cmdlet.

mkdir c:\myscripts

4 Export the default AD FS web theme.

Export-AdfsWebTheme -Name "Default" -DirectoryPath c:\myscripts

The Export cmdlet creates an onload.js file in the c:\myscripts\script folder. To specify
the authentication option based on the type of user device, you modify this JavaScript file.

5 Open C:\myscripts\script\onload.js in a text editor such as Notepad++, and add the
following JavaScript code to the beginning of the file.

Replace the placeholder values in the code as follows.

Placeholder {AccessTenant}
  Replacement value for AD FS 4.0: Fully qualified domain name (FQDN) of the VMware Workspace ONE Access service
  Replacement value for AD FS 3.0: FQDN of the VMware Workspace ONE Access service

Placeholder {AD FS claims provider}
  Replacement value for AD FS 4.0: 'AD Authority'
  Replacement value for AD FS 3.0: 'http://{ADFSdomain}/adfs/services/trust' (where {ADFSdomain} is the FQDN of the AD FS server)

var myCheckHRD = document.getElementById('hrdArea');

if (myCheckHRD)
{
    // redirect mobile traffic to Workspace ONE
    if (navigator.userAgent.match(/iPad|iPhone|Android|Windows Phone/i) != null)
    {
        HRD.selection('https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml');
    }
    // ADDITIONAL LOGIC FOR iPadOS AND iOS 13 iPad DEVICES
    // (iPads report a Macintosh user agent; a touch screen tells them apart from Macs)
    else if (navigator.userAgent.match(/Macintosh/i) != null)
    {
        if (navigator.maxTouchPoints > 2)
        {
            HRD.selection('https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml');
        }
        else
        {
            HRD.selection('{AD FS claims provider}');
        }
    }
    // else authenticate with local AD claims provider
    else
    {
        HRD.selection('{AD FS claims provider}');
    }

    // hide HRD selector from user
    var hrdui = document.getElementById("bySelection");
    hrdui.style.display = "none";
}

This code designates the VMware Workspace ONE Access service as the authentication
option for users logging in from a mobile device. It designates AD FS as the authentication
option for users logging in from all other devices. It also instructs AD FS to route
authentication requests automatically without prompting the user for action.

Note Beginning with iOS 13 on Apple iPad devices, the default user agent is macOS instead
of iPad. All services that rely on user agent information to determine the type of device must
be updated. This JavaScript code includes the extra logic to account for Apple's current iOS
products, including iPadOS. Apple can change the behavior covered by the "ADDITIONAL LOGIC FOR
iPadOS AND iOS 13 iPad DEVICES" branch in future releases. If the behavior is changed, this
script might need to be modified to reflect the change.

6 Put the updated onload.js file in the c:\myscripts\script folder, overwriting the old file.

Next, you customize the AD FS login page by creating an AD FS web theme that references
the updated onload.js file.

7 In PowerShell, create an AD FS web theme.

New-AdfsWebTheme -Name "WS1ACCESS" -SourceName "Default"

8 Import the updated onload.js file.

Set-AdfsWebTheme -TargetName WS1ACCESS -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="c:\myscripts\script\onload.js"}

9 Activate the new web theme.

To redirect mobile traffic for an individual AD FS application:

Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName "Microsoft Office 365 Identity Platform" -SourceWebThemeName "WS1ACCESS"

To redirect mobile traffic for all AD FS applications:

Set-AdfsWebConfig -ActiveThemeName "WS1ACCESS"

10 To save your changes, restart the AD FS service.

Restart-Service adfssrv

Note If you want to revert to the default AD FS web theme, enter this cmdlet:

Set-AdfsWebConfig -ActiveThemeName "Default"

Figure: AD FS Authentication Sequence for iOS

Figure: AD FS Authentication Sequence for Android

5 Configure the Claims Provider for the VMware Workspace ONE Access Relying Party Trust

When setting up an end-to-end integration to cover all main use cases, you must specify Active
Directory as the sole claims provider for the VMware Workspace ONE Access relying party trust.
This claims provider configuration is required to prevent an authentication loop from occurring
between AD FS and VMware Workspace ONE Access.

Use the following procedure to specify Active Directory as the sole claims provider for the
VMware Workspace ONE Access relying party trust. After you complete the configuration,
authentication requests will follow this flow:

1 End user attempts to access the Hub portal.

2 VMware Workspace ONE Access redirects the authentication request to AD FS as the
federated identity provider.

3 AD FS refers to the VMware Workspace ONE Access relying party trust.

4 Since Active Directory is the sole claims provider specified for the relying party trust, the flow
concludes with AD FS as the final authentication authority.

For more information about setting up an end-to-end integration, see Main Use Cases .

Prerequisites

Perform all the procedures described in the following topics:

n Chapter 3 Integrating AD FS as a Federated Identity Provider for VMware Workspace ONE
Access

n Chapter 4 Integrating VMware Workspace ONE Access as a Federated Identity Provider for
AD FS

Procedure

1 On the AD FS server, open a PowerShell session with elevated administrator rights.

2 Run the following cmdlet.

Set-ADFSRelyingPartyTrust -TargetName "{WORKSPACE ONE ACCESS RELYING PARTY}" -ClaimsProviderName "Active Directory"

Replace {WORKSPACE ONE ACCESS RELYING PARTY} with the name of the relying party
trust that you configured for VMware Workspace ONE Access. Use the name as it appears in
the AD FS Management console.

6 Configure VMware Workspace ONE Access as the Default Claims Provider for an AD FS-federated Application

This optional topic explains how to configure VMware Workspace ONE Access as the default
claims provider for an AD FS-federated application.

Note Do not perform the following procedure if you want to implement the Mobile Device
Management use case. Instead, perform the procedure described in Redirect Mobile Users to
VMware Workspace ONE Access for Authentication.

Prerequisites

Perform the procedures described in the following topics.

n Creating a VMware Workspace ONE Access Claims Provider Trust in AD FS

n Configuring AD FS as a Service Provider for VMware Workspace ONE Access

n Test the VMware Workspace ONE Access Authentication

Procedure

1 On the AD FS server, open a PowerShell session with elevated administrator rights.

2 Run the following cmdlet.

Set-ADFSRelyingPartyTrust -TargetName "{RP_app}" -ClaimsProviderName "{WORKSPACE ONE ACCESS CLAIMS PROVIDER}"

Replace the placeholders in the cmdlet as follows.

n Replace {RP_app} with the name of the relying party trust corresponding to the target
application.

n Replace {WORKSPACE ONE ACCESS CLAIMS PROVIDER} with the name of the claims
provider trust that you configured for VMware Workspace ONE Access.

Use the names of the relying party trust and claims provider trust as they appear in the AD
FS Management console.

Results

Since VMware Workspace ONE Access is the sole claims provider specified in the cmdlet,
all authentication requests for the designated relying party trust are redirected to VMware
Workspace ONE Access. This configuration eliminates the user’s choice to authenticate with the
AD FS authentication policies.

What to do next

For information about more customization options on the AD FS sign-in page, see the following
link: https://technet.microsoft.com/en-us/library/dn280950.aspx

7 Troubleshooting
To troubleshoot issues you might encounter with the VMware Workspace ONE Access and AD
FS integration, look up symptoms and error messages.

For more help with investigating and troubleshooting login issues, see the following resources.

n The VMware Workspace ONE Access documentation.

n The VMware Workspace ONE Access Audit Events report. This report lists the events related
to user logins, including the authentication methods used to log in. To run this report, log in to
the VMware Workspace ONE Access console with full administrator privileges. Then navigate
to Dashboard > Reports > Audit Events, and click Show.

Read the following topics next:

n Unable to log in to VMware Workspace ONE Access

n Error: "Contact your administrator"

n Error: "Cannot update Identity Provider"

n Error: "404.idp.not.found"

n Unable to authenticate into Hub portal using AD FS

n Unable to authenticate into AD FS-federated applications

Unable to log in to VMware Workspace ONE Access

Problem

You cannot log in to VMware Workspace ONE Access from the login page.

Cause

The access policy routes every login to AD FS and the AD FS integration is not working (for
example, the identity provider or the selected authentication method is misconfigured), so the
standard login page cannot complete a login, not even for the local administrator.

Solution

u To log in as the local administrator and repair the configuration, use the following login
URL, which forces the local (System Domain) login instead of the identity provider redirect:

https://{AccessTenant}/SAAS/login/0, where {AccessTenant} is replaced with the
fully qualified domain name of the VMware Workspace ONE Access tenant.


Error: "Contact your administrator"

Problem

User is unable to log in and receives the error Contact your administrator.

Cause

When the claims provider trust for VMware Workspace ONE Access was created in AD FS, the
VMware Workspace ONE Access signing certificate was supplied as a metadata URL instead of being
pasted in as XML.

When AD FS is configured with the signing certificate URL, it downloads the XML file for every
user login request. A single failed download blocks further login attempts and breaks the
identity provider integration.

Solution

u Download the VMware Workspace ONE Access signing certificate XML file, and copy and
paste the content directly into the appropriate AD FS certificate page.

Error: "Cannot update Identity Provider"

Problem

In the VMware Workspace ONE Access console, after editing the AD FS identity provider to add
or update an authentication method, you receive the error Cannot update Identity Provider.

Cause

When adding or updating a SAML context rule, the SAML context (authentication method) name must
be unique in your VMware Workspace ONE Access tenant. Existing authentication methods for the
AD FS identity provider are not deleted when you click Save, so saving a method whose name is
already in use fails.

Solution

u Provide a new authentication method name. This name must be unique in your tenant.

Note Authentication methods you add here can be deleted only through the REST API. To
avoid issues with repetitive authentication methods, use a consistent naming convention to
remember the last authentication method that you created. For example, use a date in the
authentication method name: Password092116.

Error: "404.idp.not.found"

Problem

When attempting a login to the Hub portal using AD FS as the identity provider, the user
encounters the error 404.idp.not.found.


Cause

When testing, the name of an authentication method is not removed from an access policy rule
when you change the rule's configuration. The error occurs when the policy rule still selects an
old authentication method, or an authentication method that belongs to a disabled identity
provider. It also occurs when the AirWatch Cloud Connector password authentication method is
selected but not enabled in both VMware Workspace ONE Access and the AirWatch pages.

Solution

u In the access policy rule, select an authentication method that is active and current.

Unable to authenticate into Hub portal using AD FS

Problem

When logging in, users cannot advance past the Workspace ONE Intelligent Hub sign-in page.

Cause

The VMware Workspace ONE Access relying party trust does not have Active Directory designated
as its sole claims provider. Without that designation, AD FS can also offer the VMware
Workspace ONE Access claims provider for requests that originated from VMware Workspace ONE
Access itself, so the user is redirected from VMware Workspace ONE Access to AD FS and back
again in an authentication loop.

Solution

u Perform the procedures described in Chapter 5 Configure the Claims Provider for the
VMware Workspace ONE Access Relying Party Trust.

Unable to authenticate into AD FS-federated applications

Problem

You cannot authenticate into AD FS-federated applications using VMware Workspace ONE
Access as the identity provider.

Cause

Possibly one of the following:

n The federation between VMware Workspace ONE Access and AD FS is configured incorrectly.

n The value or format provided in the claim issued by VMware Workspace ONE Access does
not match the value or format expected by AD FS.

n The RelayState parameter is not enabled, or the relying party identifier is not configured for
the application.


Solution

1 Attempt an IdP-initiated login into AD FS by navigating to
https://{ADFSdomain}/ADFS/ls/idpinitiatedsignon.aspx, where {ADFSdomain} is replaced with the
fully qualified domain name of the AD FS server. On AD FS 2016 and later this page is disabled
by default; enable it first with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true on the
AD FS server, and disable it again when you have finished testing.

n A successful IdP-initiated login indicates that trust and authentication endpoints have
been configured correctly in both AD FS and VMware Workspace ONE Access. Proceed
to step 2.

n If the IdP-initiated login fails, check and redo all the configuration procedures described in
Chapter 4 Integrating VMware Workspace ONE Access as a Federated Identity Provider
for AD FS.

2 Check the AD FS Event Viewer log for authentication errors.

Most errors indicate a mismatch between the value or format provided by VMware
Workspace ONE Access and what is expected by the AD FS server. Check and redo the
procedure described in Configure Claim Rules for the Claims Provider Trust.
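The PowerShell below, added here as an example and not taken from the VMware guide, runs the checks behind the three causes listed above from the AD FS server: whether the IdP-initiated sign-on page and RelayState are enabled in the AD FS properties, whether the relying party trust for the application and the Workspace ONE Access claims provider trust exist, are enabled and carry a signing certificate, and which AD FS errors were logged recently. The names "Contoso Portal" and "Workspace ONE Access" are placeholders. The EnableIdpInitiatedSignonPage property exists on AD FS 2016 and later; on older versions it is absent and the page is always available.

```powershell
# Added diagnostic script, not part of the VMware guide. Run in an elevated
# PowerShell session on the AD FS server. Placeholder names; replace with the
# names shown in the AD FS Management console.
$rpName = "Contoso Portal"        # relying party trust of the AD FS-federated application
$cpName = "Workspace ONE Access"  # claims provider trust for Workspace ONE Access

Import-Module ADFS

# 1. Farm-wide settings that step 1 and the RelayState cause depend on.
#    On AD FS 2016 and later, /adfs/ls/idpinitiatedsignon.aspx is disabled unless
#    EnableIdpInitiatedSignonPage is $true (the property does not exist on 2012 R2).
#    RelayState for IdP-initiated sign-on is off by default on all versions.
$props = Get-AdfsProperties
Write-Host "IdP-initiated sign-on page enabled  : $($props.EnableIdpInitiatedSignonPage)"
Write-Host "RelayState for IdP-initiated sign-on: $($props.EnableRelayStateForIdpInitiatedSignOn)"
# Fix: Set-AdfsProperties -EnableIdpInitiatedSignonPage $true -EnableRelayStateForIdpInitiatedSignOn $true

# 2. The relying party trust: identifier(s) and which claims providers it accepts.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }
Write-Host "Relying party enabled      : $($rp.Enabled)"
Write-Host "Relying party identifier(s): $($rp.Identifier -join ', ')"
$cps = @($rp.ClaimsProviderName)
if ($cps.Count -eq 0) {
    Write-Host "Claims providers           : all (home realm discovery page shown)"
} else {
    Write-Host "Claims providers           : $($cps -join ', ')"
}

# 3. The claims provider trust: must exist, be enabled, and carry a signing
#    certificate, or every assertion from Workspace ONE Access is rejected.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
if (-not $cp) { throw "Claims provider trust '$cpName' not found." }
Write-Host "Claims provider enabled    : $($cp.Enabled)"
Write-Host "Signing certificates       : $(@($cp.TokenSigningCertificates).Count)"
foreach ($c in $cp.TokenSigningCertificates) {
    Write-Host "  $($c.Subject)  expires $($c.NotAfter)"
}

# 4. Step 2 of the procedure without opening Event Viewer: errors from the last
#    hour in the AD FS admin log. Event 364 ("Encountered error during federation
#    passive request") is the common one; its details name the relying party and
#    the exception, which for a claim mismatch names the claim.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { ($_.Message -split "`n") | Select-Object -First 3 } } |
    Format-List
```

Run it once with a failing login reproduced in the last hour so that section 4 shows the relevant event; if sections 1 to 3 are all as expected, the mismatch is almost always in the claim rules of the claims provider trust, which is where the procedure above sends you.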
