This guide provides step-by-step instructions to configure and test Workspace ONE as a trusted federated identity provider with Oracle Access Manager 12c.

Prerequisites

  • A test instance of Oracle Access Manager 12.2.1.0.0 (or higher), installed and configured.
  • A Workspace ONE tenant.
  • Configured service providers (e.g. Salesforce, O365, etc.).

Download Workspace ONE IDP Metadata

  1. Log into the Workspace ONE Administration console and go to:
    • Catalog -> Settings -> SAML Metadata -> Identity Provider (IDP) metadata
  2. Download and save the file.

Create Workspace ONE as an Identity Provider in OAM

  1. Log into the OAM Console
  2. Click on the Federation tab
  3. Click on Service Provider Management
  4. Click on Create Identity Provider
  5. In the Name field, enter “WorkspaceONE”
  6. Under Service Information, upload the Workspace ONE IDP metadata file downloaded above.
  7. Choose the Attribute Mapping that matches the value Workspace ONE sends in the NameID attribute.
  8. Click Save
  9. Click Create Authentication Scheme and Module (the resulting scheme name is derived from the IDP name and is referenced in the WLST step later in this guide).

Configure OAM as an SP in Workspace ONE

  1. Download the Oracle Access Manager SP metadata from:
    • http://[OAM_HOST]:14100/oamfed/sp/metadata
  2. Log into Workspace ONE Administration -> Catalog
  3. Click on Add Application -> Create a new one
  4. Provide a name, e.g. Oracle Access Manager
  5. Leave SAML 2.0 Post as the profile and click Next
  6. Under Configuration, paste the SAML metadata and click Save
  7. Select Sign Assertion
  8. Select the NameID value that matches the value OAM is expecting.
  9. Click on Entitlements and add the necessary entitlements.
  10. Click Save

Update Workspace ONE Policies (optional)

  1. Log into Workspace ONE Administration -> Identity and Access Management
  2. Configure the appropriate authentication policies as per your requirements. Refer to the VMware documentation on how to configure policies.

Update SP Partners to Use Workspace ONE for Authentication Using WLST

  1. Set the environment variables by sourcing the domain environment script:
    • . $DOMAIN_HOME/bin/setDomainEnv.sh
  2. Start WLST:
    • $ORACLE_HOME/oracle_common/common/bin/wlst.sh
  3. Connect to the OAM AdminServer (the WLST function is lower-case connect, with straight quotes):
    • connect('weblogic', 'WeblogicPassword', 't3://localhost:7001')
  4. You should now be logged into WLST and ready to issue WLST commands.
  5. Type domainRuntime()
  6. Type the following:

setSPPartnerAlternateScheme("SFDC", "true", httpHeaderName="User-Agent", httpHeaderExpression=".*((Android)|(iPhone)).*", authnScheme="WorkspaceONEFederationScheme")

NOTE: Replace “SFDC” with the correct partner name as per your configuration. If you named your Workspace ONE IDP instance differently from the steps in this document, replace “WorkspaceONEFederationScheme” in the command above with the correct scheme name.
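The command above routes a partner's logins to the Workspace ONE scheme based on a match of the User-Agent header against a regular expression. The following added example (not from the guide or from Oracle's WLST tooling) previews that decision in plain Python: it applies the guide's expression to a few constructed User-Agent strings and renders the WLST call for a given partner so it can be reviewed before pasting. It assumes OAM matches the whole header value against the expression; because the expression is wrapped in `.*`, that gives the same result as a substring search.

```python
"""Preview which clients the alternate-scheme rule sends to Workspace ONE.

Added example, not part of the original guide or of Oracle's WLST tooling.
HEADER_EXPRESSION is the regular expression from the guide, PARTNER is the
guide's placeholder partner name, and the User-Agent strings are constructed
samples. Assumption: OAM matches the whole header value (Java matches());
with the leading and trailing '.*' this equals a substring search.
"""
import re

HEADER_NAME = "User-Agent"
HEADER_EXPRESSION = r".*((Android)|(iPhone)).*"      # from the guide
PARTNER = "SFDC"                                     # placeholder partner name from the guide
ALT_SCHEME = "WorkspaceONEFederationScheme"

# Constructed sample requests. Header-name case varies on purpose because
# HTTP header names are case-insensitive.
SAMPLE_REQUESTS = {
    "android_chrome": {"User-Agent": "Mozilla/5.0 (Linux; Android 8.0; Pixel 2) AppleWebKit/537.36 Chrome/62.0 Mobile Safari/537.36"},
    "iphone_safari": {"user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 Mobile/15A372 Safari/604.1"},
    "ipad_safari": {"User-Agent": "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 Mobile/15A372 Safari/604.1"},
    "windows_chrome": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/62.0 Safari/537.36"},
    "no_user_agent": {},
    "desktop_claiming_iphone": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) iPhone"},
}


def header_value(headers, name=HEADER_NAME):
    """Case-insensitive header lookup; a missing header behaves as an empty value."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def selected_scheme(headers, expression=HEADER_EXPRESSION, alt_scheme=ALT_SCHEME):
    """Return the scheme a request would get: alt_scheme on a match, otherwise 'default'."""
    return alt_scheme if re.fullmatch(expression, header_value(headers)) else "default"


def build_wlst_command(partner=PARTNER, enabled=True):
    """Render the WLST call exactly as the guide shows it, for review before pasting."""
    return (
        'setSPPartnerAlternateScheme("%s", "%s", httpHeaderName="%s", '
        'httpHeaderExpression="%s", authnScheme="%s")'
        % (partner, "true" if enabled else "false", HEADER_NAME, HEADER_EXPRESSION, ALT_SCHEME)
    )


def preview(requests=SAMPLE_REQUESTS):
    """Map each sample request name to the scheme it would be routed to."""
    return {name: selected_scheme(headers) for name, headers in requests.items()}


if __name__ == "__main__":
    print(build_wlst_command())
    for name, scheme in preview().items():
        print("%-24s -> %s" % (name, scheme))
```

Two things the preview makes visible. The expression is narrower than "mobile": an iPad User-Agent does not contain "iPhone", so iPad users stay on the partner's default scheme. And the header is supplied by the client, so the rule selects which login flow a user sees rather than how strongly they are authenticated; keep the partner's default scheme as acceptable on its own as the Workspace ONE scheme.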

For more information on this WLST command and other available commands, please refer to the following documentation:

https://docs.oracle.com/cd/E52734_01/oam/STIAM/if_wlst.htm#STIAM13030

  7. Type exit()

Note: There may be a slight delay after updating the configuration via WLST before the changes are propagated across all OAM nodes.