Steve's IDM Blog

November 2017

If you have followed the documentation for ADFS integration with Workspace ONE (WS1), you configured WS1 to send “${user.domain}\${user.userName}” as the NameID. You will probably also need to send additional attributes, because other applications may look for claims such as the UPN. The following is how to configure this:

  1. Under Attribute Mapping, enter the Name of the Attribute using Microsoft Schema syntax. The following is a list of common attributes:
    1. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
    2. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    3. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    4. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  2. Enter the Attribute Name and the matching value:

ADFS Configuration

  1. Under Claims Provider Trusts, edit the claims for the Workspace ONE Claims Provider Trust
  2. Add a Rule
  3. Select the attribute and pass all values.
  4. Save
  5. In the Relying Party Trust
  6. Edit the claims
  7. Create a new Transform Rule that sets the Name claim to the UPN

This guide provides step-by-step instructions to configure and test Workspace ONE as a trusted federation identity provider with OpenAM.

Prerequisites.

  • Test instance of ForgeRock OpenAM v5.5 (or higher) installed and configured.
  • Workspace ONE tenant
  • Configured Service Providers (e.g. Salesforce, O365, etc.)
  • This solution will only work if you have architected OpenAM to leverage an IDP Proxy as below:

Note: I've been told by ForgeRock that this will also work using their Identity Gateway; however, I've not personally tested this.

Download Workspace ONE IDP Metadata

  1. Log into Workspace ONE Administration console and go to:
    1. Catalog -> Settings -> SAML Metadata -> Identity Provider (IDP) metadata
  2. Download and Save the file.

Create Workspace ONE as an Identity Provider in OpenAM

  1. Log into the OpenAM Console
  2. Click on the Realm where you want to configure Workspace ONE. This doc will assume you are configuring the Top Level Realm (/).
  3. Click Configure SAMLv2 Provider from the Dashboard
  4. Click “Configure Remote Identity Provider”
  5. Select “File” and Upload the Workspace ONE metadata:
  6. Select an existing Circle of Trust. Note: Workspace ONE needs to be in the same COT as the other SPs and IDPs that will be used in this environment.
  7. Select OK
  8. Click Save
  9. Click Create Authentication Scheme and Module

Configure IDP Proxy

  1. From the left menu, click on Applications -> SAML
  2. Ensure your IDP Proxy is listed and is of type “SP;IDP”
  3. Click on your IDP Proxy from the Entity Providers List
  4. Click on the IDP Tab
  5. Click on Advanced
  6. Scroll down to “IDP Finder Implementation”
  7. Add the following if not there:
    1. IDP Finder Implementation Class: com.sun.identity.saml2.plugins.SAML2IDPProxyFRImpl
    2. IdP Finder JSP: proxyidpfinder.jsp
  8. Enable the Proxy IDP Finder for all SPs.
  9. Click Save and then hit the back button.

Configure Service Providers

  1. In the Federation Tab, copy the Entity ID for Workspace ONE and the Entity ID for the OpenAM IDP instance that will handle the authentications that are not sent to Workspace ONE.
  2. Click on the Entity ID for your service provider
  3. Click on the Advanced Tab
  4. Scroll down to IDP Proxy and Enable the Proxy
  5. Check “Proxy all Requests”
  6. Check “Use IDP Finder”
  7. Set the proxy count to something greater than 2.
  8. In the Proxy List, paste the Entity IDs of all your IDP servers
  9. Click Save and Back.

Export IDP Proxy Metadata

  1. In your browser, go to: http://[openAM-Host]:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=[EntityOfIDPProxy]

      e.g. http://openam.one-identity.ca:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=http://openam.one-identity.ca:8080/openam

Configure OpenAM as a SP in Workspace ONE

  1. Log into Workspace ONE Administration -> Catalog
  2. Click on Add Application -> Create a new one
  3. Provide a name, e.g. OpenAM
  4. Leave SAML 2.0 Post as the profile and Click Next
  5. Under Configuration, paste the SAML Metadata and Click Save
  6. Select Sign Assertion
  7. Select the correct NameID value to match the value that OpenAM is expecting.
  8. Click on Entitlements and add the necessary entitlements.
  9. Click Save

Update Workspace ONE Policies (optional)

  1. Log into the Workspace ONE Administration -> Identity and Access Management
  2. Configure the appropriate authentication policies as per your requirements. Refer to the VMware documentation on how to configure policies.

Test the Configuration

We should test our configuration out first to ensure everything is working before we modify the JSP to automate the IDP selection.

  1. Log into your SP; you should be redirected to your IDP Finder on the IDP Proxy:
  2. Test all of your configured IDPs to ensure that federation is working all the way through.

Update proxyidpfinder.jsp to Automate the Selection.

  1. You will need to SSH into your IDP Proxy host and modify the proxyidpfinder.jsp file, which is located in $TOMCAT_HOME/webapps/openam
  2. Open the file in your editor and search for the following block of code:
  3. Comment out the first line
  4. You will then need to prepare the code that selects the IDP based on the user agent.
    1. Using a Base64 encoding tool such as https://www.freeformatter.com/base64-encoder.html, encode each of your IDP Entity IDs.
  5. Once you have each of your encoded Entity IDs, you can create something similar to the following:

// Pick the IDP by inspecting the browser's User-Agent header; samlIdP holds
// the Base64-encoded Entity ID of the IDP the proxy will forward the request to.
String userAgent = request.getHeader("User-Agent");
if (userAgent != null && userAgent.indexOf("Android") != -1) {
    // Android devices: Base64 of the Workspace ONE IDP Entity ID (the IDP metadata URL)
    samlIdP = "aHR0cHM6Ly9kc2FzLnZtd2FyZWlkZW50aXR5LmNvbS9TQUFTL0FQSS8xLjAvR0VUL21ldGFkYXRhL2lkcC54bWw=";
} else if (userAgent != null && userAgent.indexOf("iPhone") != -1) {
    // iPhone devices: the same Workspace ONE IDP Entity ID
    samlIdP = "aHR0cHM6Ly9kc2FzLnZtd2FyZWlkZW50aXR5LmNvbS9TQUFTL0FQSS8xLjAvR0VUL21ldGFkYXRhL2lkcC54bWw=";
} else {
    // Everything else: Base64 of the local OpenAM IDP Entity ID
    samlIdP = "aHR0cDovL29wZW5hbS5vbmUtaWRlbnRpdHkuY2E6ODA4MC9vcGVuYW0=";
}
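The selection logic above, reworked as an added Python example (not part of the original post or of OpenAM) so it can be checked outside the JSP: it encodes each Entity ID the way step 4.1 describes, generalises the two branches into a table of User-Agent rules, and decodes the two Base64 strings from the snippet to confirm which Entity IDs they carry. The Entity IDs are the ones shown on this page; the sample User-Agent strings are constructed.

```python
import base64

# Entity IDs as they appear on this page: the Workspace ONE IDP metadata URL
# and the OpenAM IDP Proxy entity. Replace them with your own tenant's values.
WS1_IDP = "https://dsas.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml"
OPENAM_IDP = "http://openam.one-identity.ca:8080/openam"

# The JSP's two branches as a table of User-Agent substrings, checked in
# order; a request that matches nothing falls back to the OpenAM IDP.
UA_RULES = [("Android", WS1_IDP), ("iPhone", WS1_IDP)]
DEFAULT_IDP = OPENAM_IDP


def encode_entity_id(entity_id):
    """Base64-encode an Entity ID the way samlIdP expects it (step 4.1)."""
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def decode_entity_id(encoded):
    """Reverse of encode_entity_id; handy for auditing an existing finder."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def select_idp(user_agent):
    """Return the Base64 samlIdP value for a request, mirroring the JSP.

    The User-Agent header is supplied by the client, so this only decides
    which IDP receives the AuthnRequest; the chosen IDP still authenticates
    the user, and the Workspace ONE access policies still apply.
    """
    if user_agent is not None:
        for needle, entity_id in UA_RULES:
            if needle in user_agent:  # same test as userAgent.indexOf(needle) != -1
                return encode_entity_id(entity_id)
    return encode_entity_id(DEFAULT_IDP)


if __name__ == "__main__":
    # Constructed sample User-Agent strings, plus a request with no header at all.
    samples = ["Mozilla/5.0 (Linux; Android 8.0; Pixel 2)",
               "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)",
               "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", None]
    for ua in samples:
        print(repr(ua), "->", decode_entity_id(select_idp(ua)))
```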

This guide provides step-by-step instructions to configure and test Workspace ONE as a trusted federation identity provider with Oracle Access Manager 12c.

Prerequisites.

  • Test Instance of Oracle Access Manager v 12.2.1.0.0 (or higher) installed and configured.
  • Workspace ONE tenant
  • Configured Service Providers (e.g. Salesforce, O365, etc.)

Download Workspace ONE IDP Metadata

  1. Log into Workspace ONE Administration console and go to:
    1. Catalog -> Settings -> SAML Metadata -> Identity Provider (IDP) metadata
  2. Download and Save the file.
Create Workspace ONE as an Identity Provider in OAM

  1. Log into the OAM Console
  2. Click on the Federation Tab
  3. Click on Service Provider Management
  4. Click on Create Identity Provider
  5. In the Name field, enter “WorkspaceONE”
  6. Under Service Information, upload your Workspace ONE IDP Metadata.
  7. Choose the correct Attribute Mapping to match the value being sent by Workspace ONE in the NameID attribute.
  8. Click Save
  9. Click Create Authentication Scheme and Module

Configure OAM as a SP in Workspace ONE

  1. Download the Oracle Access Manager SP Metadata

http://[OAM_HOST]:14100/oamfed/sp/metadata

  1. Log into Workspace ONE Administration -> Catalog
  2. Click on Add Application -> Create a new one
  3. Provide a name, e.g. Oracle Access Manager
  4. Leave SAML 2.0 Post as the profile and Click Next
  5. Under Configuration, paste the SAML Metadata and Click Save
  6. Select Sign Assertion
  7. Select the correct NameID value to match the value that OAM is expecting.
  8. Click on Entitlements and add the necessary entitlements.
  9. Click Save

Update Workspace ONE Policies (optional)

  1. Log into the Workspace ONE Administration -> Identity and Access Management
  2. Configure the appropriate authentication policies as per your requirements. Refer to the VMware documentation on how to configure policies.

Update SP Partners to use WS1 for Authentication using WLST

  1. Set Environment Variable
    • $DOMAIN_HOME/bin/setDomainEnv.sh
  2. Start WLST
    • $ORACLE_HOME/oracle_common/common/bin/wlst.sh
  3. Connect to OAM
    • connect('weblogic','WeblogicPassword','t3://localhost:7001')
  4. You should now be logged into WLST and ready to issue WLST Commands:
  5. Type “domainRuntime()”
  6. Type the following:

setSPPartnerAlternateScheme("SFDC", "true", httpHeaderName="User-Agent", httpHeaderExpression=".*((Android)|(iPhone)).*", authnScheme="WorkspaceONEFederationScheme")

NOTE: Replace “SFDC” with the correct partner name as per your configuration. If you named your Workspace ONE IDP instance differently from the steps in this document, replace the authnScheme value in the command above with the correct scheme name.

For more information on this WLST command and other available commands, please refer to the following documentation:

https://docs.oracle.com/cd/E52734_01/oam/STIAM/if_wlst.htm#STIAM13030

  1. Type “exit()”

Note: There could be a slight delay when updating the configuration via WLST until the changes are propagated across all OAM nodes.