Use Case:

Configure VMware Identity Manager as a trusted federation Service Provider with OneLogin as the Identity Provider (IDP).

Prerequisites:

  • Access to VMware Identity Manager administrative interface.
  • Access to OneLogin administrative interface.
  • At least one test user account in VMware Identity Manager and OneLogin. For this tutorial, the user email should match in both systems.
  • Basic understanding of federated identity concepts.

Approach and Steps:

We will use the OneLogin "SAML Test Connector" to set up VMware Identity Manager as a federated application. The OneLogin SAML Test Connector allows you to build custom application connectors for applications that are not found in the OneLogin catalog. The following steps will be configured:

  1. Open VMware Identity Manager Service Provider metadata.
  2. Configure VMware Identity Manager as custom application (Service Provider) in OneLogin.
  3. Assign VMware Identity Manager to users in OneLogin.
  4. Configure OneLogin as third party Identity Provider in VMware Identity Manager.
  5. Test the federation connection for IDP- and SP-initiated authentication flows.

Detailed steps are provided below.

1. Open VMware Identity Manager Service Provider metadata

  • Log into the VMware Identity Manager admin console and navigate to Catalog > Settings > SAML Metadata > Service Provider (SP) metadata.
  • Keep the SP metadata open in a web browser window. It will be needed in the next step.

2. Configure VMware Identity Manager as custom application (Service Provider) in OneLogin.

  • Log in to your OneLogin tenant with an Admin account.
  • Navigate to Apps > Add Apps.
  • Search for 'SAML Test Connector' and select the first search result.

Additional information on other OneLogin Test Connectors is available here: How to Use the OneLogin SAML Test Connector – OneLogin Help Center

  • Enter a Display Name (e.g. VMware Identity Manager) and click Save.

  • Under the Configuration tab, enter the following information from the VMware Identity Manager SP SAML metadata (from Step 1):

    entityID ==> Audience
    Example: https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml

    HTTP-POST Location ==> Recipient
    Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response

    HTTP-POST Location ==> ACS (Consumer) URL Validator
    Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response

    HTTP-POST Location ==> ACS (Consumer) URL
    Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response

  • Click Save.
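As an added example (not part of the original tutorial, and not VMware or OneLogin code), the following Python script reads SP metadata and derives the four OneLogin field values listed above. It assumes the SP metadata is available as a string (a constructed sample using the acmecorp example URLs stands in for real tenant output) and that OneLogin should post to the HTTP-POST AssertionConsumerService only. It also builds an anchored regular expression for the ACS (Consumer) URL Validator, because OneLogin evaluates that field as a regex rather than a literal URL: the plain URL works only because an unescaped "." matches any character.

```python
"""Derive the OneLogin SAML Test Connector field values from VMware Identity Manager SP metadata."""
import re
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata built from the document's acmecorp example URLs; it is not
# real tenant output. The extra HTTP-Redirect endpoint is there to show the binding filter.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_url_validator(acs_url: str) -> str:
    """Anchored regex for OneLogin's 'ACS (Consumer) URL Validator' field.

    OneLogin evaluates that field as a regular expression. Pasting the plain URL, as the
    tutorial does, works because an unescaped '.' matches any character; escaping and
    anchoring makes the validator accept exactly the SP's ACS URL and nothing else.
    """
    return "^" + re.escape(acs_url) + "$"


def validator_accepts(pattern: str, url: str) -> bool:
    """True if the validator regex accepts the URL as a whole-string match."""
    return re.fullmatch(pattern, url) is not None


def onelogin_fields(sp_metadata_xml: str) -> dict:
    """Map SP metadata to the four OneLogin fields: Audience, Recipient, Validator, ACS URL."""
    root = ET.fromstring(sp_metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("SP metadata has no entityID attribute")

    # OneLogin POSTs the SAML response, so only the HTTP-POST AssertionConsumerService matters.
    post_locations = [
        acs.get("Location")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
        if acs.get("Binding") == POST_BINDING
    ]
    if len(post_locations) != 1:
        raise ValueError(f"expected one HTTP-POST AssertionConsumerService, found {len(post_locations)}")
    acs_url = post_locations[0]

    return {
        "Audience": entity_id,
        "Recipient": acs_url,
        "ACS (Consumer) URL Validator": acs_url_validator(acs_url),
        "ACS (Consumer) URL": acs_url,
    }


if __name__ == "__main__":
    for field, value in onelogin_fields(SAMPLE_SP_METADATA).items():
        print(f"{field:30} {value}")
```

Run it against your own SP metadata (read the file into a string in place of SAMPLE_SP_METADATA) and copy each printed value into the matching OneLogin field; the escaped, anchored validator is the one value that differs from what the tutorial pastes.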

  • Under the Parameters tab, select "Email".

  • Expand the "MORE ACTIONS" tab and download the OneLogin IDP SAML metadata. This will be used in Step 4.

3. Assign VMware Identity Manager to users in OneLogin

In OneLogin, ensure that users are assigned to the VMware Identity Manager application. OneLogin provides various ways to assign users; for testing purposes we can assign a single user under "Users" > "All Users" > [click on user name] > "Applications" tab. Click the '+' sign to assign your test user to the application.

4. Configure OneLogin as third party Identity Provider in VMware Identity Manager

  • In the VMware Identity Manager admin console, navigate to Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP.

  • Enter an Identity Provider Name (e.g. OneLogin).
  • In the "SAML Metadata" text box, paste the OneLogin IDP SAML metadata from Step 2 and click "Process IdP Metadata". Ensure there are no error messages.

  • Under the Users section, select a Directory for your test user(s).
  • Under Network, select ALL RANGES.
  • Under Authentication Methods:
    • Authentication Methods = "OneLogin_Password"
    • SAML Context = urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  • Click Save.

  • Navigate to Identity & Access Management > Policies > default_access_policy_set.
  • Click on the row for device type "Web Browser".
  • Select OneLogin_Password as the authentication method.
  • Click OK.

  • Don't forget to click Save.

5. Test federation connection

  • SP-initiated authentication flow

    This can be tested by going to your VMware Identity Manager URL.

    The following video demonstrates this login flow:

    https://youtu.be/EK--F5LQSvg

  • IDP-initiated authentication flow

    This can be tested by going to your OneLogin tenant URL.

    The following video demonstrates this login flow:

    https://youtu.be/ZXskGrRV3MM
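When either test flow fails, it helps to look at what OneLogin actually sent. As an added example (not part of the original tutorial, and not VMware or OneLogin code), this Python script decodes the base64 SAMLResponse form field that the browser posts to the ACS URL and checks it against the values configured in Steps 2 and 4: Destination and Recipient against the ACS (Consumer) URL, Audience against the SP entityID, NameID format and value against the Email parameter and the test user, and AuthnContextClassRef against the PasswordProtectedTransport SAML Context. The sample response, the IdP entity ID and the test user address are constructed; the acmecorp URLs are the document's examples. The script does not verify the XML signature, which VMware Identity Manager does itself using the certificate from the OneLogin metadata processed in Step 4.

```python
"""Check a captured SAMLResponse against the values configured in Steps 2 and 4."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Values the tutorial configured. The acmecorp URLs come from the document; the IdP entity ID
# and the test user are constructed placeholders, not a real OneLogin issuer or account.
EXPECTED = {
    "sp_entity_id": "https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml",
    "acs_url": "https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response",
    "idp_entity_id": "https://idp.example.invalid/onelogin-placeholder",
    "test_user": "jdoe@acmecorp.example",
}

# Constructed, unsigned SAMLResponse that matches EXPECTED. A real one arrives base64-encoded in
# the SAMLResponse form field POSTed to the ACS URL, which is what SAMPLE_RESPONSE_B64 mimics.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2016-12-17T11:20:00Z" Destination="{EXPECTED['acs_url']}">
  <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-12-17T11:20:00Z">
    <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">{EXPECTED['test_user']}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-12-17T11:25:00Z" Recipient="{EXPECTED['acs_url']}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-12-17T11:17:00Z" NotOnOrAfter="2016-12-17T11:25:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED['sp_entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-12-17T11:20:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{PASSWORD_PROTECTED_TRANSPORT}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value: str) -> datetime:
    """Parse the UTC timestamp format used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def check_saml_response(saml_response_b64: str, expected: dict, now_utc: str) -> list:
    """Return a list of mismatches; an empty list means the response matches the configuration.

    Signature verification is deliberately left out: VMware Identity Manager performs it with
    the certificate taken from the OneLogin metadata processed in Step 4.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    failures = []

    def expect(label, actual, wanted):
        if actual != wanted:
            failures.append(f"{label}: got {actual!r}, expected {wanted!r}")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    expect("StatusCode", status.get("Value") if status is not None else None, SUCCESS)
    expect("Destination", root.get("Destination"), expected["acs_url"])  # ACS (Consumer) URL
    expect("Issuer", root.findtext("saml:Issuer", namespaces=NS), expected["idp_entity_id"])

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        failures.append("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
        return failures

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    expect("NameID Format", name_id.get("Format"), EMAIL_FORMAT)  # Parameters tab: Email
    expect("NameID", name_id.text, expected["test_user"])
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    expect("Recipient", scd.get("Recipient"), expected["acs_url"])  # Recipient field

    conditions = assertion.find("saml:Conditions", NS)
    expect("Audience", conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
           expected["sp_entity_id"])  # Audience field
    if not _ts(conditions.get("NotBefore")) <= _ts(now_utc) < _ts(conditions.get("NotOnOrAfter")):
        failures.append("Conditions: current time is outside the assertion validity window (check clock skew)")

    expect("AuthnContextClassRef",
           assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
           PASSWORD_PROTECTED_TRANSPORT)  # SAML Context configured in Step 4
    return failures


if __name__ == "__main__":
    problems = check_saml_response(SAMPLE_RESPONSE_B64, EXPECTED, "2016-12-17T11:20:30Z")
    print("OK" if not problems else "\n".join(problems))
```

To use it on a real test login, copy the SAMLResponse field from the browser's network tools (the POST to the ACS URL), replace EXPECTED with your tenant's values and pass the current UTC time; each mismatch names the OneLogin field or VMware Identity Manager setting that disagrees, and a validity-window failure with otherwise correct values usually points at clock skew between the two sides.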


More Information:

VMware Workspace ONE and OneLogin Integration Use Cases