
Identityville

18 posts

Use Case

 

  • SaaS applications federated with Azure AD
  • Azure AD delegates all user authentication including conditional access to Workspace ONE (VMware Identity Manager)

 

Configuration Steps

 

  • Configure your Active Directory with Azure AD and VMware Identity Manager
  • Test the configuration
    Go to https://portal.azure.com and enter the user's email address. You should be redirected to your VMware Identity Manager instance/tenant for authentication.

Instructions to configure SecureAuth as IDP in VMware Identity Manager.

Configure Cisco Meraki Federation Connection

 

Log into your VMware Identity Manager admin interface and navigate to:

Catalog => Settings  => SAML Metadata  => Identity Provider (IdP) metadata

 

Use this metadata (entity ID, single sign-on URL and signing certificate) to configure VMware Identity Manager as the IdP in Meraki, as shown below.

 

[screenshot]
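Copying the IdP metadata values into an SP by hand is where federation setups most often go wrong (a certificate pasted with line breaks, the POST endpoint entered where the Redirect one was expected, an encryption key mistaken for the signing key), so it helps to extract them programmatically. The Python script below is an added example, not code from the original post or from VMware or Meraki: it parses IdP metadata of the shape VMware Identity Manager exports and returns the entityID, the SSO endpoint per binding, the NameID formats and the signing certificate(s) as SHA-1 and SHA-256 fingerprints, for SPs that take a fingerprint rather than the PEM (Meraki's dashboard is one). The metadata in it is constructed, its entity ID and endpoints are assumed, and its certificates are placeholder bytes, not real certificates.

```python
"""Extract what an SP needs from SAML IdP metadata. Added example; the
metadata is constructed and its certificates are placeholder bytes."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Placeholder standing in for DER certificate bytes (NOT a real certificate).
PLACEHOLDER_DER = b"placeholder bytes standing in for a DER-encoded certificate"

# Constructed IdP metadata of the shape VMware Identity Manager exports under
# Catalog => Settings => SAML Metadata. Entity ID and endpoints are assumed.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2018-07-18T00:00:00Z"
  entityID="https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(PLACEHOLDER_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(b"encryption-only placeholder").decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://acmecorp.vmwareidentity.com/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://acmecorp.vmwareidentity.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case hex digest of the DER bytes, the form SPs
    that take a certificate fingerprint expect."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text):
    """Return entityID, validUntil, SSO URL per binding, NameID formats and the
    signing certificate fingerprints. Raises if this is not IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("expected md:EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: SP metadata or wrong file")
    # Key the SSO endpoints by the short binding name (HTTP-POST, HTTP-Redirect).
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall(MD + "SingleSignOnService")}
    certs = []
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys never verify assertions
        for c in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join(c.text.split()))  # tolerate wrapped base64
            certs.append({"sha1": fingerprint(der), "sha256": fingerprint(der, "sha256")})
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "name_id_formats": [n.text for n in idp.findall(MD + "NameIDFormat")],
        "sso": sso,
        "signing_certs": certs,
    }
```

Two values are worth acting on beyond copying them into the SP: `valid_until`, which tells you when the IdP expects you to re-fetch metadata, and a `signing_certs` list longer than one, which means the IdP is mid key rollover and the SP must trust both certificates until the old one disappears.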

 

 

Configure VMware Identity Manager IDP Federation Connection

 

In VMware Identity Manager administrative console, navigate to:

Catalog  => Application Catalog  => Add Application  => Create a new one

 

In the “Add Application” wizard, configure the application as shown below.

[screenshot]

[screenshot]

This guide provides instructions to configure Active Directory Federation Services (AD FS 3.0 or higher) to use VMware Identity Manager as the claims provider for all application authentication requests coming from mobile devices. AD FS delegates (forwards) all mobile authentication requests to VMware Identity Manager. As part of the user authentication flow, VMware Identity Manager can apply conditional access policies including location, device type, user type, mobile SSO and device compliance checks.

VMware Identity Manager is part of VMware Workspace ONE. As part of Workspace ONE, VMware Identity Manager provides enterprise identity integration and web/mobile single sign-on services.

The VMware Identity Manager and OpenAM integration uses standard SAML 2.0. This guide provides instructions to configure and test VMware Identity Manager as a trusted federation Identity Provider (IDP) with OpenAM. OpenAM acts as the federation Service Provider (SP).

This guide provides step-by-step instructions to configure and test VMware Identity Manager as a trusted federation Service Provider with Okta.  Okta acts as the Identity Provider.


 

This guide provides step-by-step instructions to configure and test VMware Identity Manager as a trusted federation Service Provider with Centrify. Centrify acts as the Identity Provider.

Overview

This guide provides step-by-step instructions to configure VMware Identity Manager as trusted federation Service Provider with Oracle Access Manager (OAM).

 

Please see the following document for more details.

This page provides integration information between VMware Workspace ONE (VMware Identity Manager) and third-party identity providers. Please feel free to send any feedback to the respective content authors.

 

Active Directory Federation Services (AD FS)

 

Azure Active Directory (Azure AD)

 

 

CA CloudMinder

 

Centrify

 

F5 BIG-IP Access Policy Manager (APM)

 

Google

 

Okta

 

OneLogin

 

OpenAM (OpenSSO)

 

Oracle Access Manager

 

PingFederate

 

SecureAuth

Overview

This guide provides information to configure and test VMware Identity Manager as a trusted federation Service Provider with OpenAM as the Identity Provider.

 

Please see attached PDF document for details.

Overview

Many organizations use VMware Workspace ONE and Okta in the same environment and may seek guidance for integration use cases and best practices between the two solutions. This guide provides common integration use cases between Okta and Workspace ONE.

 

Please see attached PDF document for details.

Overview

This guide provides step-by-step instructions to configure and test VMware Identity Manager as federated Service Provider with PingFederate (as Identity Provider).

 

Please see the attached PDF document for details.

Use Case:

Display VMware Identity Manager (VMware Workspace ONE) federated web/SaaS applications in OneLogin end-user portal.

 

Prerequisites:

  • OneLogin configured as IDP for VMware Identity Manager. The following guide describes how to set it up:
    OneLogin as federated Identity Provider for VMware Identity Manager
  • A SaaS application federated with your VMware Identity Manager tenant. For simplicity, this tutorial uses Salesforce.com; substitute your own app in your setup. In VMware Identity Manager, ensure that this application is assigned/entitled to your user(s).
  • This tutorial assumes you have basic understanding of identity federation concepts.

 

Steps:

  • Locate application "Launch URL" in VMware Identity Manager.
  • In OneLogin, configure app RelayState for VMware Identity Manager federated app.
  • Test Federation Connection.

 

Detailed steps are provided below.

 

1. Locate application "Launch URL" in VMware Identity Manager

  • Log into VMware Identity Manager and navigate to Catalog > Application Catalog.
  • Click the link for the application you are interested in (the app should already be federated with VMware Identity Manager).

[screenshot]


  • Go to the "Configuration" tab. Note the "Launch URL"; it is used in step 2.

[screenshot]


2. In OneLogin, configure app RelayState for VMware Identity Manager federated app

  • Configure OneLogin as IDP for VMware Identity Manager using the following instructions:

    OneLogin as federated Identity Provider for VMware Identity Manager

  • Log into the OneLogin admin console and navigate to APPS > Company Apps.
  • Select the VMware Identity Manager application (configured using the instructions above).

[screenshot]


Under the "Info" tab, change "Display Name" to an appropriate app name. In this example we are using Salesforce.com, so we call it "Salesforce - VMware IDM Federated".

[screenshot]



  • Under "Configuration" tab, paste app "Launch URL" from step 1 in "RelayState" text box.

[screenshot]


  • Click Save.


3. Test Federation Connection

This can be tested by going to your OneLogin tenant and clicking on the respective app in OneLogin end-user portal.

The following video demonstrates this login flow:

https://youtu.be/lT7tLHj1C2Y
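The RelayState pasted in step 2 is the URL that the SP (VMware Identity Manager) sends the browser to after it accepts OneLogin's unsolicited, IdP-initiated SAML response. An SP must not follow that value blindly: in a crafted link RelayState is attacker-controlled, so it has to be matched against the Launch URLs of apps actually in the catalog, and the response itself has to pass the usual Destination, Audience, Recipient and expiry checks. The Python script below is an added example of those SP-side checks, not code from the original post or from VMware or OneLogin; every URL, entity ID and the sample response in it are made up for illustration. It deliberately does not verify the XML signature: a real SP must verify the signature over the Response or Assertion with the IdP's signing certificate before trusting anything the checks below look at.

```python
"""SP-side handling of an IdP-initiated SAML Response plus RelayState.
Added example with hypothetical URLs; the sample response is constructed and
UNSIGNED, and XML signature verification is deliberately left out."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP-side settings (assumed values, not taken from the page).
SP_ACS_URL = "https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response"
SP_ENTITY_ID = "https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml"
IDP_ENTITY_ID = "https://app.onelogin.com/saml/metadata/123456"
PORTAL_URL = "https://acmecorp.vmwareidentity.com/"
# Launch URLs of the catalog apps; only these may be honoured from RelayState.
ALLOWED_LAUNCH_URLS = {
    "https://acmecorp.vmwareidentity.com/SAAS/apps/launch/salesforce",
}


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_relay_state(relay_state):
    """Return the normalized RelayState URL only if scheme, host and path match
    a configured Launch URL exactly; other hosts, look-alike domains,
    scheme-relative //host links and plain http all yield None."""
    if not relay_state:
        return None
    parts = urlsplit(relay_state)
    if parts.scheme != "https" or not parts.netloc:
        return None
    normalized = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return normalized if normalized in ALLOWED_LAUNCH_URLS else None


def post_login_target(relay_state):
    """After a valid response: the allow-listed Launch URL, else the portal."""
    return validate_relay_state(relay_state) or PORTAL_URL


def check_idp_initiated_response(saml_response_b64, now):
    """Apply the SP checks that need no certificate: Destination, status,
    issuer, Audience, Recipient and expiry. Returns (ok, reason, name_id)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != SAMLP + "Response":
        return False, "not a samlp:Response", None
    if root.get("InResponseTo"):
        return False, "unsolicited response must not carry InResponseTo", None
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination is not our ACS", None
    code = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success", None
    assertion = root.find(SAML + "Assertion")
    if assertion is None:
        return False, "no plaintext Assertion", None
    if assertion.findtext(SAML + "Issuer") != IDP_ENTITY_ID:
        return False, "assertion issuer is not the trusted IdP", None
    cond = assertion.find(SAML + "Conditions")
    if cond is None or cond.findtext(f"{SAML}AudienceRestriction/{SAML}Audience") != SP_ENTITY_ID:
        return False, "Audience is not our entityID", None
    scd = assertion.find(f"{SAML}Subject/{SAML}SubjectConfirmation/{SAML}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        return False, "Recipient is not our ACS", None
    for expiry in (cond.get("NotOnOrAfter"), scd.get("NotOnOrAfter")):
        if expiry and now >= _utc(expiry):
            return False, "assertion expired", None
    name_id = assertion.findtext(f"{SAML}Subject/{SAML}NameID")
    return True, "ok (XML signature NOT verified in this example)", name_id


def build_sample_response(destination=SP_ACS_URL, issuer=IDP_ENTITY_ID,
                          audience=SP_ENTITY_ID, expires="2016-12-21T15:05:00Z"):
    """Constructed, unsigned sample response used only to exercise the checks."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2016-12-21T15:00:00Z" Destination="{destination}">
 <saml:Issuer>{issuer}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-12-21T15:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@acmecorp.example</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="{expires}" Recipient="{destination}"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotOnOrAfter="{expires}"><saml:AudienceRestriction>
   <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

The RelayState match is deliberately an exact allow-list rather than a "same host" test: a prefix or substring check on the host is exactly what a look-alike domain such as `acmecorp.vmwareidentity.com.evil.example` defeats, and falling back to the portal on any mismatch costs the user one click while removing the open redirect.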


More Information:

VMware Workspace ONE and OneLogin Integration Use Cases

Use Case:

An organization wants to use OneLogin to federate with SaaS applications and utilize VMware Workspace ONE for conditional access and unified app portal (catalog/launcher).

Users will be able to log into Workspace ONE unified portal and see apps federated with OneLogin and VMware Identity Manager (Workspace ONE). When users click on apps in the unified portal (OneLogin federated or VMware Identity Manager federated), they experience seamless SSO.

 

Prerequisites:

  • Workspace ONE (VMware Identity Manager) configured as IDP for OneLogin. Please see the following guide to learn how to set it up:

VMware Identity Manager as federated Identity Provider for OneLogin

  • A SaaS application federated with your OneLogin tenant. For simplicity, this tutorial uses Salesforce.com; substitute your own app in your setup.
  • This tutorial assumes you have basic understanding of federated identity concepts.

 

Steps:

  1. Configure direct app-level sign-on in OneLogin.
  2. In VMware Identity Manager, configure direct sign-on into the OneLogin federated app.
  3. Test the federation connection.

 

Detailed steps are provided below.


1. Configure direct app-level sign-on in OneLogin

  • Log into OneLogin admin interface and go to SETTINGS > Trusted IdPs > VMware Identity Manager.
  • Ensure "Sign users into OneLogin" and "Sign users into additional applications" are checked.
  • Click SAVE

[screenshot]

  • Select "App" tab
  • Check "Salesforce" app

[screenshot]

 

  • Click the link for the "Salesforce" app and copy the SAML Signon URL. The OneLogin SAML Signon URL lets an identity provider sign users directly into an app without sending them through the OneLogin portal first. This URL is used in the next step.

[screenshot]

 

2. In VMware Identity Manager, configure direct sign-on into the OneLogin federated app

  • Configure VMware Identity Manager as IDP with OneLogin using following steps:

VMware Identity Manager as federated Identity Provider for OneLogin

  • In VMware Identity Manager, go to Catalog > Application Catalog and select the "OneLogin" application.
  • Select "Details" section under Application Info.

[screenshot]

 

  • Under Application Details, change Application Name from "OneLogin" to "Salesforce (OneLogin Federated)".
  • Click Save.

[screenshot]

 

  • Click "Configuration".
  • Paste the SAML Signon URL from step 1 into the "Assertion Consumer Service" text box. This is the URL VMware Identity Manager will POST the SAML assertion to, so it must be the exact HTTPS URL OneLogin shows for that app.

[screenshot]

 

  • Click Save.
  • If you have multiple applications, please repeat step 2 for each application.


Test federation connection

Before we start testing, it may help to review our test environment setup. The following diagram provides a high-level view:

 

[screenshot]

 

SP-initiated authentication flow

    This can be tested by going to your OneLogin federated app, for example the Salesforce.com My Domain URL (e.g. https://onloginworkspace-dev-ed.my.salesforce.com).

    The following video demonstrates this login flow:

    https://youtu.be/yP7qL5kX4c4

 

IdP-initiated authentication flow

    This can be tested by going to your Workspace ONE (VMware Identity Manager) unified portal (e.g. https://acmecorp.vmwareidentity.com).

    The following video demonstrates this login flow:

    https://youtu.be/7T-AvRWiOec
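In the SP-initiated leg above, OneLogin (acting as SP towards VMware Identity Manager) redirects the browser to the VMware Identity Manager SSO endpoint carrying a SAMLRequest, and VMware Identity Manager answers by posting the assertion to the Assertion Consumer Service URL configured in step 2. The Python script below is an added example of that HTTP-Redirect binding exchange, not code from the original post or from either vendor: it encodes an AuthnRequest the way the SP does, decodes it the way the IdP does, and shows why the IdP should deliver the assertion only to the ACS registered for that SP rather than to whatever AssertionConsumerServiceURL the (unsigned) request names. All endpoints and entity IDs in it are hypothetical.

```python
"""SP-initiated SAML 2.0 via the HTTP-Redirect binding: the SP encodes an
AuthnRequest, the IdP decodes it and pins the ACS to the registered value.
Added example; every URL and entity ID is hypothetical."""
import base64
import secrets
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Hypothetical IdP SSO endpoint and the SPs it trusts, keyed by entityID.
IDP_SSO_URL = "https://acmecorp.vmwareidentity.com/SAAS/auth/federation/sso"
REGISTERED_SPS = {
    # OneLogin as SP towards VMware Identity Manager; "acs" stands for the SAML
    # Signon URL that step 2 pastes into the Assertion Consumer Service box.
    "https://app.onelogin.com/saml/metadata/123456": {
        "acs": "https://acmecorp.onelogin.com/trust/saml2/http-post/sso/123456",
    },
}


def build_authn_request(sp_entity_id, acs_url, request_id=None):
    """SP side. The returned ID must be stored so the SP can later require the
    Response's InResponseTo to match it; an unmatched ID is not SP-initiated."""
    request_id = request_id or "_" + secrets.token_hex(16)
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{request_id}" '
        f'Version="2.0" IssueInstant="2016-12-17T19:00:00Z" Destination="{IDP_SSO_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>'
    )
    return request_id, xml


def redirect_binding_url(xml, relay_state=None):
    """SP side: raw DEFLATE (no zlib header), base64, then URL-encode into the
    SAMLRequest query parameter. RelayState rides along as its own parameter
    and is opaque to the IdP, which must echo it back unchanged."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_authn_request(redirect_url):
    """IdP side: reverse the binding and return
    (request_id, issuer, requested_acs, relay_state)."""
    qs = parse_qs(urlsplit(redirect_url).query)
    raw = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)
    root = ET.fromstring(raw)
    if root.tag != SAMLP + "AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return (root.get("ID"), root.findtext(SAML + "Issuer"),
            root.get("AssertionConsumerServiceURL"), qs.get("RelayState", [None])[0])


def resolve_acs(issuer, requested_acs):
    """IdP side: deliver the assertion only to the ACS registered for this SP.
    A Redirect-binding request is unsigned unless the IdP requires signing, so
    anyone can craft one naming their own AssertionConsumerServiceURL;
    honouring it would make the victim's browser post the signed bearer
    assertion to that URL."""
    sp = REGISTERED_SPS.get(issuer)
    if sp is None:
        raise ValueError(f"unknown SP {issuer}")
    if requested_acs and requested_acs != sp["acs"]:
        raise ValueError("AssertionConsumerServiceURL differs from the registered ACS")
    return sp["acs"]
```

This is also why the ACS you type into the VMware Identity Manager application in step 2 matters more than it looks: it is the one destination the IdP will ever send OneLogin's assertions to, and any typo there shows up as a login that silently ends at the wrong URL rather than as a clear error.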

  

More Information:

VMware Workspace ONE and OneLogin Integration Use Cases