CONFIGURING VMWARE IDENTITY MANAGER AS A CLAIMS PROVIDER IN AD FS: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL

VMware Workspace ONE

DOCUMENT – AUGUST 2019

PRINTED 29 OCTOBER 2019


Table of Contents

Legacy

– Legacy

Overview

– Introduction

– Audience

Configuring VMware Identity Manager as Claims Provider for AD FS

– Introduction

– Prerequisites

– Logging In to the Workspace ONE Access Console

– Adding VMware Identity Manager as a Claims Provider in AD FS

– Configuring a Claim Rule for VMware Identity Manager Claims Provider

– Downloading the AD FS Federation Metadata File

– Configuring AD FS Application Source in VMware Identity Manager

– Testing SP-Initiated Login with AD FS Applications

– Copying the Relying Party Identifier

– Adding Microsoft Office 365 to Workspace ONE Catalog

– Validating AD FS Authentication in the Workspace ONE Catalog

– Configuring VMware Identity Manager as Default Claims Provider

– Verifying AD FS Forwards Traffic to VMware Identity Manager

– Modifying AD FS to Forward Only Mobile Traffic to VMware Identity Manager


– Verifying AD FS Forwards Mobile Traffic to VMware Identity Manager

– Applying Web Theme Modification to Specific Relying Party

Summary and Additional Resources

– Conclusion

– Terminology Used in This Tutorial

– Additional Resources

– About the Authors

– Feedback

Appendix: Alternative Custom Claim Rules

– Alternative Custom Claim Rules


OT-WS1-vIDM-ADFS-Claims

Legacy

For the latest information on this topic, see Integrating VMware Workspace ONE with Active Directory Federation Services in VMwareDocs.

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure VMware Identity Manager™ as a claims provider within AD FS. You then test service provider-initiated login to an application federated with AD FS and AD FS authentication to the Workspace ONE catalog.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

Configuring VMware Identity Manager as Claims Provider for AD FS

Introduction

With the rapid adoption of Office 365, more companies are looking to implement the Workspace ONE suite of solutions to improve the login experience for their end users into the Office 365 client applications.

VMware Identity Manager is certified to handle all authentication use cases for Office 365 as a standalone identity provider. Yet many companies that have transitioned to Office 365 have also implemented Microsoft's identity provider of choice, Active Directory Federation Services (AD FS), to federate the authentication of their Office 365 domain. In many cases, it is not feasible for a company that has already deployed AD FS as its identity provider for Office 365 to change the configuration of its production tenant. This tutorial explores an alternative that allows a company to take advantage of the Workspace ONE end-user experience while avoiding any critical changes to its current setup.

AD FS supports the use of a third-party identity provider and can redirect incoming authentication requests from an Office 365 client to VMware Identity Manager. VMware Identity Manager can then challenge the client device for the specific mobile SSO authentication method and seamlessly authenticate the user without the need to manually enter any credentials, unless the company requires them as a second factor of authentication.

This operational tutorial helps you to configure VMware Identity Manager as a third-party identity provider within AD FS. This guide assumes that Office 365 has already been set up and properly federated with an AD FS server. You need admin access to both the VMware Identity Manager tenant and the AD FS server.


Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured:

– Workspace ONE UEM tenant 9.4 and later with admin credentials
– VMware Identity Manager tenant 3.3 and later
– VMware Identity Manager login details
  – If your tenant is cloud-hosted, retrieve the login details from the email received when you set up the tenant
  – Or, retrieve your details from the Workspace ONE UEM Console; navigate to Content > Content Locker > List View and download the vIDM Tenant Details text file
– Windows machine to install the VMware Identity Manager Connector
  – Use the VMware Identity Manager Connector to sync a domain and at least a single domain user to log in with
– Microsoft Active Directory Federation Services (AD FS); this tutorial uses AD FS 2016
– AD FS applications for testing; this tutorial uses Salesforce and MS Office 365
– PowerShell with admin privileges

To ensure relying party trusts in AD FS can query Active Directory, you must meet the following requirements:

– The claim rule has a value of type windowsaccountname (usually in the format domain\user).
– In most cases, the Issuer of the claim value is set to AD AUTHORITY.

The following are examples of default claim rules for the test applications used in this tutorial.

Office365:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

Salesforce:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

Logging In to the Workspace ONE Access Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE Access console.

1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

2. Open a New Browser Tab

Click the Tab space to open a new tab.

3. Navigate to Your Workspace ONE Access Tenant

Paste or enter the Tenant URL into the navigation bar and press Enter to continue.

4. Log In to Your Workspace ONE Access Tenant

1. Enter the Username, for example, Administrator.
2. Enter the Password, for example, VMware1!.
3. Click Sign In.

5. Navigate to the Administrator Console (If Necessary)

If you see the User Portal as shown in the screenshot, navigate to the Administrator Console.

1. Click the user drop-down icon.
2. Select Administration Console.

This opens the Administration Console in a separate tab in your browser.

Adding VMware Identity Manager as a Claims Provider in AD FS

This section helps you to configure VMware Identity Manager as a claims provider within AD FS. This allows VMware Identity Manager to serve as an alternative method to authenticate incoming requests in AD FS, in addition to the default local Active Directory.

Note: Completing the steps within this section will add VMware Identity Manager as a claims provider for all relying parties within AD FS.

1. Navigate to Web Apps

In the VMware Identity Manager tenant:

1. Select the Catalog drop-down menu.
2. Select Web Apps.

2. Open Web Apps Settings Menu

Click Settings.

3. Download Identity Provider Metadata XML File

1. Click SAML Metadata.
2. Right-click Identity Provider (IdP) metadata.
3. Click Save Link As...

4. Save Metadata File Locally

Save the metadata file locally. You need to access this file from your AD FS console.

5. Open AD FS Management

On your AD FS server:

1. Click the Server Manager icon from the taskbar.
2. Click Tools.
3. Click AD FS Management.

6. Add New Claims Provider in AD FS Management

1. Click Claims Provider Trusts.
2. Click Add Claims Provider Trust...

7. Start the Add Claims Provider Wizard

Click Start.

8. Select the Data Source

1. Select Import data about the claims provider from a file.
2. Click Browse and select the IdP metadata file from VMware Identity Manager. This is the IdP file previously downloaded in Save Metadata File Locally.
3. Click Next.

9. Specify Display Name

1. Enter a friendly name for the new claims provider. For example, VMware Identity Manager.
2. Click Next.

10. Review Settings

Review the settings and click Next.

11. Complete Claims Provider Wizard

1. Select the check box Open the Edit Claim Rules...
2. Click Close.

12. Validate New Claims Provider is Active

Test the service provider-initiated authentication with one of the applications federated with AD FS.

When redirected to AD FS, you should now have VMware Identity Manager listed as an authentication option in addition to Active Directory.

Configuring a Claim Rule for VMware Identity Manager Claims Provider

This section helps you to add a claim rule for the VMware Identity Manager claims provider in AD FS. This claim rule consumes the value(s) received in the VMware Identity Manager SAML assertion and issues a claim that the target relying party trust can use. Instead of including all the values that might be needed for each relying party trust within the VMware Identity Manager SAML assertion, we include a single value that identifies the authenticated user and can be used to query Active Directory and retrieve the user values needed for each relying party trust.

In other words, in this exercise, you add a claim rule to the claims provider that takes the user identifier from the SAML assertion and, in turn, issues a value of type windowsaccountname with the issuer set to AD AUTHORITY.

1. Add Claim Rule

Click Add Rule.

Note: The Edit Claim Rules window automatically opens if you previously selected the check box when completing the Claims Provider Wizard. If not, right-click the newly created VMware Identity Manager claims provider trust, click Edit Claim Rules..., and then click Add Rule.

2. Send Claims Using a Custom Rule

1. Select Send Claims Using a Custom Rule from the claim rule template drop-down menu.
2. Click Next.

3. Configure Custom Claim Rule

The rule added in this step assumes that the SAML assertion issued by VMware Identity Manager contains a value in the form domain\samAccountName. If these values are not available in VMware Identity Manager, the integration can be configured to rely on the user's UserPrincipalName instead. If this is the case, see Appendix: Alternative Custom Claim Rules.

1. Enter a friendly name for the new claim rule. For example, Transform NameID to windowsaccount + set AD as source.
2. Copy the following claim rule into the Custom rule text box.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

3. Click Finish.

4. Accept Transform Rules

1. Validate that the new claim rule has been added.
2. Click OK.

5. Validate Custom Claim Rules are Added

1. Validate that the new claim rules have been added.
2. Click OK.
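The claims provider trust and its acceptance transform rule can also be created from PowerShell on the AD FS server, which is easier to repeat across a farm and to review in change control than the wizard. The following is an added example and is not part of the VMware tutorial. It assumes the IdP metadata downloaded in Save Metadata File Locally was saved as C:\Temp\vidm-idp-metadata.xml (a hypothetical path) and reuses the display name VMware Identity Manager and the rule text from the steps above. Because the rule stamps the incoming NameID with Issuer = "AD AUTHORITY", every relying party rule that filters on that issuer treats the identity exactly as if the user had authenticated against local Active Directory, so the read-back at the end checks that the trust's token-signing certificate is the one from the VMware Identity Manager metadata.

```powershell
# Added example, not from the VMware tutorial. Run in an elevated PowerShell on the AD FS server.
# Assumptions: the metadata path below is hypothetical; the display name and rule text match the GUI steps.
Import-Module ADFS

$cpName       = 'VMware Identity Manager'
$metadataFile = 'C:\Temp\vidm-idp-metadata.xml'   # IdP metadata saved from Catalog > Web Apps > Settings > SAML Metadata

# Same rule as "Configure Custom Claim Rule": re-issue the unspecified-format NameID
# (domain\samAccountName) as windowsaccountname with Issuer = "AD AUTHORITY" so the
# existing relying party rules can look the user up in Active Directory.
$acceptanceRules = @'
@RuleName = "Transform NameID to windowsaccount + set AD as source"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
          Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

if (-not (Test-Path $metadataFile)) { throw "Metadata file not found: $metadataFile" }

$existing = Get-AdfsClaimsProviderTrust -Name $cpName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    # Creates the trust from the metadata (entityID, SSO endpoint, signing certificate)
    # and attaches the acceptance transform rule in the same call.
    Add-AdfsClaimsProviderTrust -Name $cpName -MetadataFile $metadataFile -AcceptanceTransformRules $acceptanceRules
} else {
    # The trust already exists (for example, created by the wizard): only refresh the rule.
    Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $acceptanceRules
}

# Read back what AD FS actually stored: the trust is enabled, the identifier is the
# VMware Identity Manager entityID, and the token-signing certificate thumbprint matches
# the certificate embedded in the downloaded metadata. A mismatch means assertions from
# VMware Identity Manager will fail signature validation.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
[pscustomobject]@{
    Name        = $cp.Name
    Enabled     = $cp.Enabled
    Identifier  = $cp.Identifier
    SigningCert = ($cp.TokenSigningCertificates | ForEach-Object Thumbprint) -join ', '
    Rules       = $cp.AcceptanceTransformRules
}
```

Compare the SigningCert thumbprint with the X509Certificate element in the metadata file you downloaded from the Workspace ONE Access console before testing; the GUI wizard does not surface it after import, and a stale certificate (for example, after a tenant certificate rotation) is the most common reason a previously working claims provider trust stops accepting assertions.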

Downloading the AD FS Federation Metadata File

Before you configure the AD FS Application Source in VMware Identity Manager, you must download the AD FS federation metadata XML file. This exercise helps you to download the federation metadata file.

1. Download the Federation Metadata File

Navigate to https://<adfs_server_name>/FederationMetadata/2007-06/FederationMetadata.xml. Replace adfs_server_name with your AD FS server, for example, adfs.corp.local.

The FederationMetadata.xml downloads and automatically stores in your Downloads folder.

2. Copy AD FS Metadata Content

On your desktop, open and copy the contents of the federationmetadata.xml file downloaded from AD FS.

Configuring AD FS Application Source in VMware Identity Manager

After downloading the federation metadata, you are ready to begin configuring AD FS as an application source in VMware Identity Manager. In this exercise, create an access policy that applies only to SP-initiated AuthN requests for applications federated with AD FS.

1. Navigate to Web Apps

In the VMware Identity Manager tenant:

1. Select the Catalog drop-down menu.
2. Select Web Apps.

2. Open Web Apps Settings Menu

Click Settings.

3. Configure AD FS Application Source

1. Click Application Sources.
2. Click ADFS.

4. Start the AD FS Application Source Wizard

Click Next.

5. Configure ADFS Application Source Single Sign-On

1. Select URL/XML as the Configuration option.
2. Paste the contents from the federationmetadata.xml file into the URL/XML text box.
3. Click Next.

6. Configure AD FS Application Source Access Policy

1. Select an Access Policy from the drop-down menu.
2. Click Next.

7. Complete AD FS Application Source Wizard

Click Save.

8. Open AD FS Application Source

Click ADFS.

9. Modify AD FS Application Source Username Format and Value

1. Click Configuration.
2. Select Unspecified from the Username Format drop-down menu. This is the format AD FS expects based on the claim rule created previously.
3. Enter the following in the Username Value:

${user.domain}\${user.userName}

4. Click Advanced Properties.

10. Modify ADFS Application Source Signature Algorithm

Scroll down to find the Signature Algorithm option.

1. Select SHA256 with RSA from the Signature Algorithm drop-down menu.

Note: This is the expected default signature algorithm for the SAML assertion, but it might differ in your environment.

2. Click Summary.

11. Complete AD FS Application Source Wizard

Click Save.

Testing SP-Initiated Login with AD FS Applications

In this exercise, test SP-initiated login. Open an application federated with AD FS and confirm that you are prompted for VMware Identity Manager credentials. This example uses MS Office 365.

1. Test SP-Initiated Login with AD FS Application

Open MS Office 365.

2. Authenticate with VMware Identity Manager

When presented with the authentication options in AD FS, select VMware Identity Manager.

3. Enter User Credentials for VMware Identity Manager

Enter your user credentials and authenticate using VMware Identity Manager.

4. Validate Successful Authentication

Validate that the end user is successfully authenticated into the target application.

Copying the Relying Party Identifier

The relying party is your test application, in this case MS Office 365. Before you can add MS Office 365 to the Workspace ONE catalog, you must copy its identifier.

1. Open Relying Party Properties in AD FS

In the AD FS Management console:

1. Click Relying Party Trusts.
2. Right-click the Relying Party Trust for Microsoft Office 365 Identity Provider.
3. Click Properties.

2. Copy Relying Party Identifier

1. Select the Identifiers tab.
2. Copy the Relying party identifier. For example, urn:federation:MicrosoftOnline for Office365.

Adding Microsoft Office 365 to Workspace ONE Catalog

Now that you have copied the identifier for Microsoft Office 365, you are ready to begin adding this AD FS application to the Workspace ONE Catalog. In this exercise, the authentication policy that you select applies only when launching the application from within the Workspace ONE catalog (IdP-initiated login).

1. Add New SaaS App in VMware Identity Manager

In the VMware Identity Manager console:

1. Click Catalog.
2. Click New.

2. Name the SaaS Application

1. Enter a friendly name for the application. For example, ADFS 2016 - Office365.
2. Click Next.

3. Configure Application Authentication Type and Target URL

1. Select ADFS Application Source from the Authentication Type drop-down menu.
2. In the Target URL, enter RPID= followed by the relying party identifier previously copied from AD FS. For example, RPID=urn:federation:MicrosoftOnline
3. Click Next.

4. Configure Application Access Policy

1. Select an Access Policy for the new application.
2. Click Next.

5. Complete Application Configuration

Click Save & Assign.

6. Assign SaaS App to Users / Groups

1. Assign the new application to a set of test users / user groups.
2. Click Save.

7. Repeat Process for Additional Applications

Repeat the previous steps to add additional AD FS applications to the catalog. Modify the Target URL to match the relying party identifiers for those applications in AD FS.

Validating AD FS Authentication in the Workspace ONE Catalog

After you have added Microsoft Office 365 to the Workspace ONE catalog, complete the following steps to verify AD FS authentication to the Workspace ONE catalog.

1. Log In to Workspace ONE Catalog

Log in to the Workspace ONE catalog with a user assigned to the ADFS application.

Click Open to launch the ADFS application.

2. Launch Test Application Federated with AD FS

Verify that the user is successfully logged in to the target application.

Configuring VMware Identity Manager as Default Claims Provider

This section helps you to set VMware Identity Manager as the default claims provider for a specific relying party trust in AD FS. The example in this exercise uses the Salesforce application, but you can also use MS Office 365.

If you want to configure AD FS to redirect only mobile traffic to VMware Identity Manager, skip this section and go to Modifying AD FS to Forward Only Mobile Traffic to VMware Identity Manager.

1. Open PowerShell as Administrator


1. Open Windows PowerShell from your AD FS server.
2. Select Run as administrator.

2. Set the Default Claims Provider

Run the following command in PowerShell to set VMware Identity Manager as the default claims provider for a given relying party in ADFS:

Set-ADFSRelyingPartyTrust -TargetName Salesforce -ClaimsProviderName @("VMware Identity Manager")

Modify the command:

– Replace Salesforce with the friendly name of the relying party within ADFS.
– Replace VMware Identity Manager if a different name was given to the VMware Identity Manager claims provider in ADFS.

For more information, see Home Realm Discovery Customization.

Verifying AD FS Forwards Traffic to VMware Identity Manager

After you have run the PowerShell command, complete the steps in this section to verify that it applied successfully.

1. Test Authentication using Test Application

Test an SP-initiated authentication flow using the test application. In this example, the application is Salesforce.


2. Validate Default Redirection to VMware Identity Manager

You should be automatically presented with the VMware Identity Manager login screen.

Modifying AD FS to Forward Only Mobile Traffic to VMware Identity Manager

This section helps you to configure AD FS to forward only mobile traffic to VMware Identity Manager.

1. Open PowerShell as Administrator


1. Open Windows PowerShell from your AD FS server.
2. Select Run as administrator.

2. Create Working Folder

Run the following command to create a working folder:

mkdir c:\myscripts

3. Export Default AD FS Web Theme

Run the following command to export the AD FS Web Theme:

Export-AdfsWebTheme -Name default -DirectoryPath c:\myscripts

4. Open Text Editor as Administrator


1. Open a text editor such as Notepad++.
2. Select Run as administrator.

5. Open Onload.js File

1. Select the onload.js file that was exported from AD FS.
2. Click Open.

6. Insert JavaScript into Onload.js File

Replace {VIDMURL} with your VMware Identity Manager tenant URL.

If you are using AD FS version 4 and later, copy the following into the onload.js file and save.


var myCheckHRD = document.getElementById('hrdArea');
if (myCheckHRD) {
    // redirect mobile traffic to Workspace ONE
    if (navigator.userAgent.match(/iPad|iPhone|Android|Windows Phone/i) !== null) {
        HRD.selection('https://{VIDMURL}/SAAS/API/1.0/GET/metadata/idp.xml');
    }
    // else authenticate with local AD claims provider
    else {
        HRD.selection('AD AUTHORITY');
    }
}
// hide HRD selector from user (guarded, because onload.js also runs on pages without the selector)
var hrdui = document.getElementById("bySelection");
if (hrdui) {
    hrdui.style.display = "none";
}

If you are using AD FS version 3, copy the following into the onload.js file and save.

Replace {VIDMURL} with your VMware Identity Manager tenant URL.

Replace {ADFS Domain} with the domain name of your AD FS server.

var myCheckHRD = document.getElementById('hrdArea');
if (myCheckHRD) {
    // redirect mobile traffic to Workspace ONE
    if (navigator.userAgent.match(/iPad|iPhone|Android|Windows Phone/i) !== null) {
        HRD.selection('https://{VIDMURL}/SAAS/API/1.0/GET/metadata/idp.xml');
    }
    // else authenticate with local AD claims provider
    else {
        HRD.selection('http://{ADFS Domain}/adfs/services/trust');
    }
}
// hide HRD selector from user (guarded, because onload.js also runs on pages without the selector)
var hrdui = document.getElementById("bySelection");
if (hrdui) {
    hrdui.style.display = "none";
}

The previous code creates a redirection to VMware Identity Manager based on the user agent of the AuthN request (for example, iPad, iPhone, and so on).

Any traffic that does not match the listed user agents is authenticated with the local Active Directory (for example, Windows or Mac desktops).
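The user-agent check from the onload.js snippets above, as an added example that is not part of the VMware tutorial: the selection logic is pulled into a pure function, selectHomeRealm, so it can be exercised outside a browser against constructed user-agent strings, and the wrapper applyHomeRealmSelection adds the null guards the tutorial's snippet relies on the page to satisfy (onload.js is loaded on every AD FS page, not only the home realm discovery page). The function and config names and the stand-in document and HRD objects are this example's own; the provider identifiers and the {VIDMURL} and {ADFS Domain} placeholders are the tutorial's. The config object covers both the AD FS 4 ('AD AUTHORITY') and AD FS 3 (http://{ADFS Domain}/adfs/services/trust) local-authority identifiers.

```javascript
// Added example, not code from the VMware tutorial. Models the home realm
// discovery (HRD) selection that the tutorial's onload.js performs.

// Same pattern the tutorial's onload.js uses to classify mobile clients.
const MOBILE_UA_PATTERN = /iPad|iPhone|Android|Windows Phone/i;

// Returns the claims provider identifier to pass to HRD.selection().
// The VMware Identity Manager identifier is its SAML metadata URL; the local
// Active Directory identifier is 'AD AUTHORITY' (AD FS 4 and later) or the
// http://{ADFS Domain}/adfs/services/trust form (AD FS 3).
function selectHomeRealm(userAgent, config) {
  const ua = typeof userAgent === 'string' ? userAgent : '';
  // The user agent is chosen by the client, so this only decides which login
  // page the user lands on; both providers still authenticate the user.
  if (MOBILE_UA_PATTERN.test(ua)) {
    return 'https://' + config.vidmHost + '/SAAS/API/1.0/GET/metadata/idp.xml';
  }
  return config.localAuthority;
}

// Browser-side wrapper mirroring the tutorial's onload.js, with null guards so
// the script does not throw on AD FS pages that have no HRD area or selector.
// doc, nav and hrd are parameters (instead of the document, navigator and HRD
// globals) so the flow can be exercised with stand-ins.
function applyHomeRealmSelection(doc, nav, hrd, config) {
  const result = { selected: null, selectorHidden: false };
  if (doc.getElementById('hrdArea')) {
    result.selected = selectHomeRealm(nav.userAgent, config);
    hrd.selection(result.selected);
  }
  const selector = doc.getElementById('bySelection');
  if (selector) {
    selector.style.display = 'none'; // hide the manual provider list from the user
    result.selectorHidden = true;
  }
  return result;
}

// Constructed stand-in for the DOM, used only to run the flow offline.
function makeFakeDocument(ids) {
  const elements = {};
  for (const id of ids) elements[id] = { style: {} };
  return { getElementById: (id) => elements[id] || null };
}

// Placeholder values, as in the tutorial: replace {VIDMURL} with the tenant host.
const ADFS4_CONFIG = { vidmHost: '{VIDMURL}', localAuthority: 'AD AUTHORITY' };
const ADFS3_CONFIG = { vidmHost: '{VIDMURL}', localAuthority: 'http://{ADFS Domain}/adfs/services/trust' };

// Runs the wrapper against a constructed HRD page visited from an iPhone and
// reports which provider was selected and whether the selector was hidden.
function demo() {
  const calls = [];
  const hrd = { selection: (id) => calls.push(id) };
  const iphone = { userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X)' }; // constructed
  const r = applyHomeRealmSelection(makeFakeDocument(['hrdArea', 'bySelection']), iphone, hrd, ADFS4_CONFIG);
  return { selected: r.selected, hidden: r.selectorHidden, calls };
}
```

Because the user agent is client-controlled, a changed user agent only moves the user between the two login pages; neither path grants access without authenticating, so the check is a routing convenience rather than an access control, and the access policies on both providers remain the place to enforce device requirements.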


7. Verify Active Directory Identifier

The identifier used for Active Directory in the previous step (AD AUTHORITY) might differ in some installations of AD FS. Run the following in PowerShell to verify it:

Get-AdfsClaimsProviderTrust | Format-List -Property Name,Identifier

8. Create New AD FS Web Theme

Run the following command to create a new AD FS Web Theme:

New-AdfsWebTheme -Name VIDM -SourceName default

9. Import Updated JavaScript File

Run the following command to import the modified onload javascript into the ADFS Web Theme:

Set-AdfsWebTheme -TargetName VIDM -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="c:\myscripts\script\onload.js"}


10. Activate New ADFS Web Theme

Run the following command to activate the new ADFS Web Theme:

Set-AdfsWebConfig -ActiveThemeName VIDM

Verifying AD FS Forwards Mobile Traffic to VMware Identity Manager

After completing your PowerShell configurations, complete the steps in this section to verify that they applied successfully.

1. Test Authentication from Non-Mobile Device

Test an SP-initiated authentication flow using one of the applications federated with ADFS, from a non-mobile device (user agent not specified in the ADFS web theme rule).

2. Test Authentication from Mobile Device

Test an SP-initiated authentication flow using one of the applications federated with ADFS, from a mobile device (user agent specified in the ADFS web theme rule).

Applying Web Theme Modification to Specific Relying Party

The previous steps can be modified to target a specific relying party trust (for example, Salesforce) within AD FS instead of affecting all AuthN requests.


After modifying and saving the onload.js file, continue with the following steps.

1. Create New ADFS Web Theme

Run the following command to create a new ADFS Web Theme:

New-AdfsWebTheme -Name rpVIDM -SourceName default

2. Import Updated JavaScript File

Run the following command to import the modified javascript into the relying party specific web theme:

Set-AdfsWebTheme -TargetName rpVIDM -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="c:\myscripts\script\onload.js"}

3. Set Relying Party Web Theme

Run the following command to set the relying party (for example, Salesforce) web theme:

Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName Salesforce -SourceWebThemeName rpVIDM

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to configure VMware Identity Manager as a claims provider for AD FS. Procedures included configuring a claim rule for the VMware Identity Manager claims provider, configuring the AD FS application source, adding AD FS applications to the Workspace ONE catalog, and modifying AD FS to forward mobile traffic to VMware Identity Manager.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.

auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.

catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.

cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.

device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).

identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.

mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.

one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.

service provider (SP): A host that offers resources, tools, and applications to users and devices.

virtual desktop: The user interface of a virtual machine that is made available to an end user.

virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Authors

This tutorial was written by:


Camilo Lotero, Senior Solutions Engineer, End-User-Computing Identity & Access Management, VMware

Contributors to this tutorial include:

Joe Rainone, Consulting Architect, AMER End-User Computing, VMware
Sascha Warno, Staff Customer Success Architect, Customer Success, VMware
Steven D'Sa, Staff Sales Engineer, End-User Computing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at [email protected].

Appendix: Alternative Custom Claim Rules

This section lists some alternative custom claim rules that rely on the user's UserPrincipalName, if the domain\samAccountName values are not available in VMware Identity Manager.

1. Alternative Custom Claim Rule for UPN (1)


To use UPN instead of a domain\username value from VMware Identity Manager, you must add four different custom rules to the VMware Identity Manager claims provider in AD FS.

The first rule is used to query AD for the user's UPN and samAccountName values, and save them in temporary variables.

1. Enter a friendly name for the first rule. For example, Query AD for UPN and samAccountName + Save into temp variables.
2. Copy the following into the custom rule text box:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => add(store = "Active Directory", types = ("ssupn", "sswindowsaccountname"), query = "userPrincipalName={0};userPrincipalName,sAMAccountName;domain\dummy", param = c.Value);

Note: This rule needs to be adjusted slightly. Replace domain\dummy with your logon domain (for example, clotero\dummy).

3. Click Finish.


2. Alternative Custom Claim Rule for UPN (2)

1. Enter a friendly name. For example, Extract Domain out of Value.
2. Copy the following into the custom rule text box:

c:[Type == "ssupn"] => add(Type = "ssnewupn", Value = RegExReplace(c.Value, "^(.*?)@", ""));

3. Click Finish.

3. Alternative Custom Claim Rule for UPN (3)


1. Enter a friendly name. For example, Extract Logon Domain.
2. Copy the following into the custom rule text box:

c:[Type == "ssnewupn"] => add(Type = "ssnewupn2", Value = RegExReplace(c.Value, "\.(.*?)$", ""));

3. Click Finish.

4. Alternative Custom Claim Rule for UPN (4)


1. Enter a friendly name. For example, Issue windowsaccountname claim.
2. Copy the following into the custom rule text box:

c1:[Type == "ssnewupn2"] && c2:[Type == "sswindowsaccountname"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", Value = c1.Value + "\" + c2.Value, ValueType = c2.ValueType);

3. Click Finish.
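What the four alternative claim rules above compute, modelled in JavaScript as an added example that is not part of the VMware tutorial: rule 1's Active Directory query is replaced by a constructed in-memory directory, rules 2 and 3 use the tutorial's regular expressions verbatim, and rule 4 assembles the windowsaccountname claim. The helper names, the sample users and the directory are this example's own. It also includes prefixMatchesLogonDomain, a check that is not in the tutorial: the prefix the rules derive is the first DNS label of the UPN suffix, which only equals the logon domain when that label matches the domain's NetBIOS name.

```javascript
// Added example, not code from the VMware tutorial. Simulates the four
// alternative custom claim rules so their output can be checked on sample
// values before they are entered into AD FS.

// Constructed stand-in for rule 1's Active Directory query, which looks a user
// up by userPrincipalName and returns userPrincipalName and sAMAccountName.
const SAMPLE_DIRECTORY = {
  'jdoe@corp.example.com': { userPrincipalName: 'jdoe@corp.example.com', sAMAccountName: 'jdoe' },
  'asmith@example.com':    { userPrincipalName: 'asmith@example.com',    sAMAccountName: 'asmith' },
};

// Rule 1: query AD by the incoming NameID (a UPN) and keep the results as the
// temporary claim types "ssupn" and "sswindowsaccountname".
function rule1QueryAd(nameId, directory) {
  const entry = directory[nameId];
  if (!entry) return null; // no match in AD: nothing is added, so no claim is issued
  return { ssupn: entry.userPrincipalName, sswindowsaccountname: entry.sAMAccountName };
}

// Rule 2: RegExReplace(c.Value, "^(.*?)@", "") removes everything up to and
// including the first "@", leaving the UPN suffix (the DNS domain).
function rule2UpnSuffix(ssupn) {
  return ssupn.replace(/^(.*?)@/, '');
}

// Rule 3: RegExReplace(c.Value, "\.(.*?)$", "") removes the first "." and
// everything after it, leaving the first DNS label of the suffix.
function rule3FirstLabel(ssnewupn) {
  return ssnewupn.replace(/\.(.*?)$/, '');
}

// Rule 4: issue windowsaccountname as <label>\<sAMAccountName>, with the
// Active Directory claims provider as issuer.
function rule4WindowsAccountName(ssnewupn2, sswindowsaccountname) {
  return {
    type: 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname',
    issuer: 'AD AUTHORITY',
    value: ssnewupn2 + '\\' + sswindowsaccountname,
  };
}

// Runs the four rules in order; returns null when rule 1 finds no user.
function runAlternativeClaimRules(nameId, directory) {
  const temp = rule1QueryAd(nameId, directory);
  if (!temp) return null;
  const ssnewupn = rule2UpnSuffix(temp.ssupn);
  const ssnewupn2 = rule3FirstLabel(ssnewupn);
  return rule4WindowsAccountName(ssnewupn2, temp.sswindowsaccountname);
}

// Check to run before relying on these rules (not in the tutorial): the derived
// prefix is only a valid logon domain if it equals the domain's NetBIOS name.
// Windows logon names are case-insensitive, so compare accordingly.
function prefixMatchesLogonDomain(derivedPrefix, netbiosDomain) {
  return derivedPrefix.toUpperCase() === netbiosDomain.toUpperCase();
}
```

For a user whose UPN suffix is corp.example.com and whose domain's NetBIOS name is CORP, the rules produce corp\jdoe and the check passes; for a user with an alternate UPN suffix that shares no label with the NetBIOS name, the issued value names a domain that does not exist, which is the case to look for when the resulting windowsaccountname claim is rejected downstream.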


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001

www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.