This guide describes steps to configure and test Azure Active Directory as a federation Identity Provider (IDP) and VMware Identity Manager as a Federation Service Provider (SP).

 

Assumptions:

The following assumptions are made for this guide:

  • A SaaS tenant of VMware Identity Manager
  • Azure Active Directory (AD) Premium subscription

 

Prerequisites:

  • At least one test user account in Azure AD Premium
  • At least one corresponding test user account in VMware Identity Manager

 

Configure Azure AD

VMware Identity Manager is not a listed gallery app, so it is federated with Azure AD as a custom application added through the app gallery.

Sign in to the Azure management portal with your Azure Active Directory administrator account and browse to:

Active Directory > [Your Directory] > Applications. Select Add, then Add an application from the gallery.


In the app gallery, add an unlisted app using the Custom category on the left. Enter a name for your VMware Identity Manager app.


Select Configure Single Sign-On.

Select Microsoft Azure AD Single Sign-On.

The Configure App Settings screen requires SP metadata information from your VMware Identity Manager tenant.

The Identity Manager SP metadata is published at https://[your_tenant].vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml; open that URL in a web browser.

Copy the following SP metadata values from VMware Identity Manager into the Azure AD configuration wizard (the SP metadata also advertises other bindings; only the HTTP-POST endpoint is the reply URL, because Azure AD delivers the SAML response by HTTP-POST):

  • EntityID = IDENTIFIER
  • HTTP-POST Assertion Consumer Service URL = REPLY URL

 

Click Next arrow.

Click Download Metadata (XML) to download the Azure AD IDP metadata. This file is used when configuring the SP federation connection in VMware Identity Manager: it carries the IdP entityID, the single sign-on URL and the token-signing certificate that VMware Identity Manager will trust.

 

Click Next arrow.

Complete the configuration wizard.



Assign App to user

Assign the newly created "VMware Identity Manager" app to a test user account.

Click Assign accounts.


Select a user and assign the app.


At this stage the IDP side is configured in Azure AD and the VMware Identity Manager app is assigned to a user. Next, configure the SP connection in VMware Identity Manager.

 

Configure VMware Identity Manager SP connection

Log in to your VMware Identity Manager tenant as an admin user and navigate to:

Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP

 


Give a name to this Identity Provider (e.g. Azure AD).

The Azure AD Identity Provider metadata file was downloaded in one of the steps above. Open it in a text editor, paste its contents into the Identity Provider Metadata (URL or XML) box and press the Process IdP Metadata button. There should be no error messages. Processing fills in the IdP entityID, sign-on URL and signing certificate from the file; check that the certificate matches the one shown for the app in the Azure portal, since it is the key VMware Identity Manager will accept signed assertions from.


Under Name ID format mapping from SAML Response, add two mappings, each pairing a Name ID format that Azure AD may send with the VMware Identity Manager user attribute it must match (for example, an email-address format NameID to the user's email attribute). The NameID value in the assertion is what gets matched to a local user, so a format that is not mapped here will fail to log in even when the assertion is valid.

 

Under Users, select the user store (directory) that holds your test user(s).

Under Network, select All Ranges.

Under Authentication Methods, select "urn:oasis:names:tc:SAML:2.0:ac:classes:Password". This is the AuthnContextClassRef Azure AD places in its assertions for a password sign-in; if the class in the assertion does not match a method selected here, VMware Identity Manager will not accept the login.

Also give the authentication method a name (e.g. AzureAD-Password); this is the name you will select in the access policy.


Click the Add button at the bottom of the page to save the SP connection configuration.



Under Identity & Access Management > Policies, select default_access_policy_set


Under Policy Rules, select the Device Type Web Browser rule (other device types can be tried as well).


Under Edit Policy Rule, select the newly created Azure AD authentication method (e.g. AzureAD-Password).

Save the changes. Because default_access_policy_set governs every login to the tenant, administrators included, keep a fallback authentication method in the rule (or a separate rule) that does not depend on Azure AD until the federation has been verified, so that a misconfigured IdP does not lock you out.

Let's Test Now

 

Make sure you have a user account in VMware Identity Manager that maps to a user account in Azure AD.
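When a test login fails, the quickest diagnosis is to read the SAML response Azure AD actually sent and compare it with the SP connection settings above (the Name ID format mapping, the Password authentication method, and the SP entityID). The following Python script is an added example, not code from the original guide or from either vendor: it decodes the SAMLResponse form field the browser posts to the SP and reports the fields that must line up. It does not verify the XML signature (the SP does that with the certificate from the IdP metadata). The response embedded in it is constructed so the script runs offline; the SP entityID and tenant ID are assumed placeholders, and the signature element is a stub that only marks where the real one sits.

```python
"""Decode the SAMLResponse that Azure AD posts to the SP during the test
login and check the fields the SP connection configured above keys on.
Added example, not from the original guide or either vendor; it reads the
assertion but does not verify its XML signature (the SP does that with the
certificate from the IdP metadata).  The response below is constructed so
the script runs offline; capture a real one from the SAMLResponse form
field the browser posts to the SP's assertion consumer URL."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
# Assumed SP entityID; for a real check use the entityID from your tenant's sp.xml
SP_ENTITY_ID = "https://example.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml"
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # assumed tenant

# Constructed sample; the ds:Signature stub only marks where Azure AD places
# the real assertion signature
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2016-11-10T23:00:00Z">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-11-10T23:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-11-10T22:55:00Z" NotOnOrAfter="2016-11-11T00:00:00.000Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-11-10T23:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{PASSWORD_CLASS}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _parse_ts(ts: str) -> datetime:
    # Azure AD writes fractional seconds ("...:00.123Z"); drop them before parsing
    return datetime.strptime(ts.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def inspect_response(saml_response_b64: str) -> dict:
    """Decode the base64 form field and pull out the fields the SP keys on."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # an EncryptedAssertion instead means the SP must decrypt before it can map anything
        raise ValueError("no plaintext Assertion in the response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "authn_context": assertion.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "not_on_or_after": assertion.find("saml:Conditions", NS).get("NotOnOrAfter"),
    }


def check_response(info: dict, expected_audience: str,
                   required_context: str = PASSWORD_CLASS, now_utc: str = None) -> list:
    """Return the problems found; an empty list means the assertion fits the SP connection."""
    now = _parse_ts(now_utc) if now_utc else datetime.now(timezone.utc)
    problems = []
    if not info["status"].endswith(":Success"):
        problems.append(f"IdP returned status {info['status']}")
    if not info["assertion_signed"]:
        problems.append("assertion is not signed; the SP will reject it")
    if info["audience"] != expected_audience:
        problems.append(f"audience {info['audience']!r} is not this SP's entityID")
    if info["authn_context"] != required_context:
        problems.append(f"AuthnContextClassRef {info['authn_context']} is not the method selected for the SP connection")
    if not info["name_id"]:
        problems.append("no NameID to map to a VMware Identity Manager user")
    if now >= _parse_ts(info["not_on_or_after"]):
        problems.append("assertion expired (NotOnOrAfter in the past)")
    return problems


if __name__ == "__main__":
    details = inspect_response(SAMPLE_SAMLRESPONSE)
    print(details)
    print("problems:", check_response(details, SP_ENTITY_ID, now_utc="2016-11-10T23:01:00Z"))
```

The NameID value and format printed by the script are what the Name ID format mapping must translate into an existing VMware Identity Manager user, and the AuthnContextClassRef is what the selected authentication method must match; a mismatch in either shows up here before it shows up as an opaque login failure in the tenant.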

 

Two user authentication flows can be tested:

  • IDP-initiated authentication
    To test this flow, go to http://myapps.microsoft.com, log in with your test user account and click the VMware Identity Manager app icon.
    Here's a video of this authentication flow: