This guide provides step by step instructions to configure and test Workspace ONE as a trusted federation identity provider with OpenAM.

Prerequisites.

  • Test Instance of ForgeRock OpenAM v 5.5  (or higher) installed and configured.
  • Workspace ONE tenant
  • Configured Service Providers (ie. Salesforce, O365 etc..)
  • This solution will only work if you have architected OpenAM to leverage an IDP Proxy as below:

 

 

Note: I've been told by ForgeRock that this will also work using their Identity Gateway however I've not personally tested this.

 

Download Workspace ONE IDP Metadata

  1. Log into Workspace ONE Administration console and go to:
    1. Catalog -> Settings -> SAML Metadata -> Identity Provider (IDP) metadata
  2. Download and Save the file.
  3. Log into the OpenAM Console
  4. Click on the Realm where you want to configure Workspace ONE. This doc will assume you are configuring the Top Level Realm (/).
  5. Click Configure SAMLv2 Provider from the Dashboard

Create Workspace ONE as an Identity Provider in OpenAM

  1. Log into the OpenAM Console
  2. Click on the Realm where you want to configure Workspace ONE. This doc will assume you are configuring the Top Level Realm (/).
  3. Click Configure SAMLv2 Provider from the Dashboard
  4. Click “Configure Remote Identity Provider”
  5. Select “File” and Upload the Workspace ONE metadata:
  6. Select an existing Circle of Trust. Note: WorkspaceONE needs to be in the same COT as other SP’s and IDP’s that will be used in this environment.
  7. Select OK
  8. Click Save
  9. Click Create Authentication Scheme and Module

 

Configure IDP Proxy

  1. From the left menu, click on Applications -> SAML
  2. Ensure your IDP Proxy is listed and is of type “SP;IDP”
  3. Click on your IDP Proxy from the Entity Providers List
  4. Click on the IDP Tab
  5. Click on Advanced
  6. Scroll down to “IDP Finder Implementation”
  7. Add the following if not there:
    1. IDP Finder Implementation Class: com.sun.identity.saml2.plugins.SAML2IDPProxyFRImpl
    2. IdP Finder JSP: proxyidpfinder.jsp
  8. Enable the Proxy IDP Finder for all SP’s.
  9. Click Save and then it the back button.

 

Configure Service Providers

  1. In the Federation Tab, copy the Entity ID for Workspace ONE and the Entity ID for the OpenAM IDP instance that will handle authentications that are not sent to Workspace ONE
  2. Click on the entity id for your service provider
  3. Click on the Advanced Tab
  4. Scroll down to IDP Proxy and Enable the Proxy
  5. Check “Proxy all Requests”
  6. Check “Use IDP Finder”
  7. Set the proxy count to something greater than 2.
  8. In the Proxy List, paste the Entity ID’s of all your IDP servers
  9. Click Save and Back.

 

Export IDP Proxy Metadata

  1. In your browser, go to: http://[openAM-Host]:8080/openam/saml2/jsp/exportmetadata.jsp??entityid=[EntityOfIDPProxy]

      Ie. http://openam.one-identity.ca:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=http://openam.one-identity.ca:8080/openam

 

Configure OpenAM as a SP in Workspace ONE

  1. Log into Workspace ONE Administration -> Catalog
  2. Click on Add Application -> Create a new one
  3. Provide a name ie. OpenAM
  4. Leave SAML 2.0 Post as the profile and Click Next
  5. Under Configuration, paste the SAML Metadata and Click Save
  6. Select Sign Assertion
  7. Select the correct NameID value to match the value that OpenAM is expecting.
  8. Click on Entitlements and add the necessary entitlements.
  9. Click Save

 

Update Workspace ONE Policies (optional)

  1. Log into the Workspace ONE Administration -> Identity and Access Management
  2. Configure the appropriate authentication policies as per your requirements Refer to VMware Documentation on how to configure policies.

 

Test the Configuration

We should test our configuration out first to ensure everything is working before we modify the JSP to automate the IDP selection.

  1. Log into your SP and you should be redirected to your IDP Finder on the IDP Proxy:
  2. Test out all you configured IDP’s to ensure that Federation is working all the way through.

 

Update ProxyIDPFinder.JSP to Automate the Selection.

  1. You will need to SSH into your IDP Proxy Host and modify the proxyidpfinder.jsp file which is located in $TOMCAT_HOME/webapps/openam
  2. Open up the file in your file editor and search for the following block of code:
  3. Comment out the first line
  4. You will then need to prepare your code to select the user agent.
    1. Using a Base64 Encoding tool such as https://www.freeformatter.com/base64-encoder.html you will need to encode each of your IDP Entity ID’s.
  5. Once you have each of your encoded IDP’s, you can create something similar to below:

String userAgent = request.getHeader("User-Agent");
if(userAgent != null && userAgent.indexOf("Android") != -1){
samlIdP="aHR0cHM6Ly9kc2FzLnZtd2FyZWlkZW50aXR5LmNvbS9TQUFTL0FQSS8xLjAvR0VUL21ldGFkYXRhL2lkcC54bWw=";
}else if (userAgent != null && userAgent.indexOf("iPhone") != -1){
samlIdP="aHR0cHM6Ly9kc2FzLnZtd2FyZWlkZW50aXR5LmNvbS9TQUFTL0FQSS8xLjAvR0VUL21ldGFkYXRhL2lkcC54bWw=";
}else{
samlIdP="aHR0cDovL29wZW5hbS5vbmUtaWRlbnRpdHkuY2E6ODA4MC9vcGVuYW0=";
}