For updates on this blog and other blogs: Follow @SteveIDM


I've had quite a few requests lately for assistance setting up SCIM capabilities with OneLogin and Workspace ONE.


In full disclosure, I've set this up in my lab but I've not done full end to end testing of all CRUD capabilities.


The one obvious difference in the setup and configuration with OneLogin, compared to some of our other partners, is its support for the Authorization Code Grant flow. Big kudos to the OneLogin team.


Let's look at the high-level steps:

  1. Create a directory instance in Workspace ONE Access
  2. Create a OneLogin Remote App Access Client.
  3. Configure VMware Workspace ONE application in OneLogin.


Create Directory Instance in Workspace ONE Access

In order to create a directory instance in Workspace ONE Access, we'll need to use the API, because the type of directory required for this integration cannot currently be created from the Admin Console. In the following steps we'll use Postman to run the necessary API calls.

  1. We will need an OAuth token in order to use the API. Please see my other blog on your options for getting an OAuth token.
  2. Open a new tab in Postman and select POST as the method.
  3. For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
    Replace [TENANTURL] with your tenant URL, for example:
    https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
  4. In the Authorization tab, select either Bearer Token or OAuth 2.0, depending on the option you chose in step 1 to get a token. Select or paste your token.
  5. In the Headers tab, set the Content-Type to "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
  6. Click on the Body tab.
  7. Use the following as a sample and click Send:
    {
      "type": "OTHER_DIRECTORY",
      "domains": ["onelogin.com"],
      "name": "OneLogin Directory"
    }
  8. In the Workspace ONE Admin Console, verify that the directory is created and is associated with the correct domain.
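A scripted equivalent of steps 1 to 8, added here as an example and not code from the original post: it builds the same POST from the bare tenant origin so the /SAAS path is always joined correctly, sends it with the token from step 1, and checks the returned directory the way step 8 does in the console. The function names, the https-only check and the assumption that the response echoes the type, domains and name that were sent are mine.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Media type and path from steps 3 and 5 above.
DIRECTORY_CONTENT_TYPE = (
    "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
)
DIRECTORY_PATH = "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs"


def build_directory_request(tenant_url, token, domains, name):
    """Return (url, headers, body) for the POST that creates an OTHER_DIRECTORY.

    tenant_url is the tenant origin, e.g. https://dsas.vmwareidentity.com.
    Only the scheme and host are used, so a trailing slash or a pasted path
    cannot produce a malformed URL such as ...comSAAS/...
    """
    parsed = urlparse(tenant_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("tenant_url must be an https origin")
    url = f"https://{parsed.netloc}{DIRECTORY_PATH}"
    headers = {
        "Authorization": f"Bearer {token}",  # read the token from a secret store, never hard-code it
        "Content-Type": DIRECTORY_CONTENT_TYPE,
    }
    body = {"type": "OTHER_DIRECTORY", "domains": list(domains), "name": name}
    return url, headers, json.dumps(body).encode()


def create_directory(tenant_url, token, domains, name):
    """Send the request and return the decoded JSON response (live network call)."""
    url, headers, body = build_directory_request(tenant_url, token, domains, name)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def directory_matches(created, expected_domain, expected_name):
    """Step 8 check, done in code: the directory that came back has the expected
    type, domain and name. Assumes the response echoes the fields that were sent."""
    return (
        created.get("type") == "OTHER_DIRECTORY"
        and expected_domain in created.get("domains", [])
        and created.get("name") == expected_name
    )
```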

Create a OneLogin Remote App Access Client

We will now create a OneLogin Application in Workspace ONE Access which will be used by OneLogin to create/update/delete users in Workspace ONE.

  1. In the Workspace ONE Admin Console, go to Catalog -> Webapps
  2. Click New (Top Left)
  3. Enter a name, e.g. OneLogin SCIM
  4. Click Next
  5. On the configuration page, enter the following:
    Setting               Value
    Authentication Type   OpenID Connect
    Target URL            Your OneLogin tenant, e.g. https://tenant.onelogin.com
    Redirect URL          https://admin.us.onelogin.com/provisioning/oauth_redirect_uri
    Client ID             A value of your choosing for the Client ID, e.g. OneLoginSCIM
    Client Secret         A value of your choosing for the Client Secret, e.g. Test12345
    Show in User Portal   NO
  6. Click Next
  7. Click Next for Access Policy
  8. Click Save
  9. Assign the application to your System Domain user

This wizard will create a new remote app access client that will be used by OneLogin. You can see the client which was created by going to Catalog -> Settings -> Remote App Access.


Warning: Do NOT edit the scopes. You will not be able to re-add the Admin scope if you do.


Configure VMware Workspace ONE application in OneLogin


  1. In the OneLogin admin console, search for "VMware Workspace ONE" under Applications.
  2. Select it and click Save.
  3. Click on Configuration in the left menu.
  4. Under SCIM Base URL, enter: https://[tenant].vmwareidentity.com/SAAS/jersey/manager/api/scim
    e.g. https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/scim
  5. Under VMware Site, enter your tenant URL. This will be used as the OAuth Authorization Server URL.
    e.g. https://dsas.vmwareidentity.com
  6. Under Client ID, enter the client ID you used in the previous step.
  7. Under Client Secret, enter the secret you used in the previous step.
  8. Click Save.

    Please don't forget to hit SAVE!

  9. Go back to the Configuration Tab

    Before you continue, you need to make sure your policy in Workspace ONE Access will allow you to authenticate using System Domain credentials without using the backdoor. You will need a policy in which Password (Local Directory) is configured as a fallback method.

  10. Under API Connection, click Authenticate.
  11. In the pop-up, click VMware Workspace ONE.
  12. When prompted to authenticate, select System Domain.
  13. Enter your credentials.
  14. You should be returned to the OneLogin portal with a successful authorization.
  15. Click on the Parameters tab.
  16. We now need to map the attributes that will be sent to Workspace ONE.

    In order to map the attributes correctly, we need to understand how users are created in OneLogin. Take a look at your users to ensure all the required attributes are set for every user that will be provisioned to Workspace ONE Access. Attributes such as Username, External ID and User Principal Name are typically set if you have an external directory server. If you are creating users directly in OneLogin without a directory server, you will need to select different attribute mappings.

  17. Map the attributes as follows:
    VMware Workspace ONE Field   Value
    Distinguished Name           Distinguished Name
    Email Address                Email
    External ID                  If ALL users are created in OneLogin from a directory server, select ExternalID.
                                 If some users are created locally in OneLogin, select Internal ID.
    First Name                   First Name
    Last Name                    Last Name
    Name ID                      Email
    SCIM Username                If ALL users are created in OneLogin from a directory server, select Username.
                                 If some users are created locally in OneLogin (without a username), select Email.
    User Domain                  The value used as the domain when creating the directory in Workspace ONE Access (onelogin.com in the example above)
    User Principal Name          If ALL users are created in OneLogin from a directory server, select User Principal Name.
                                 If some users are created locally in OneLogin, select Email.

  18. Click Save.
  19. Click Provisioning in the left menu and enable the Provisioning checkbox.
  20. Click Save.
  21. Assign the application to a user and verify that it provisions successfully.
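Added example, not from the original post, for the check in steps 16 and 17: given OneLogin user records it applies the post's rule (directory-sourced mapping only when every user has Username, External ID and User Principal Name, otherwise the local fallback) and lists the users that would be provisioned with an empty required field. The OneLogin field names and the set of fields treated as required are assumptions; the sample users are constructed.

```python
# Attribute names follow the OneLogin user record as returned by its Users API
# (assumed: id, external_id, username, userprincipalname, email, firstname,
# lastname, distinguished_name); adjust them to match your own export.
DIRECTORY_SOURCED = {"External ID": "external_id", "SCIM Username": "username",
                     "User Principal Name": "userprincipalname"}
LOCAL_FALLBACK = {"External ID": "id", "SCIM Username": "email",
                  "User Principal Name": "email"}
UNCONDITIONAL = {"Distinguished Name": "distinguished_name", "Email Address": "email",
                 "First Name": "firstname", "Last Name": "lastname", "Name ID": "email"}

SAMPLE_USERS = [  # constructed sample records, not real accounts
    {"id": 101, "email": "alice@example.com", "firstname": "Alice", "lastname": "Ng",
     "username": "alice", "external_id": "S-1-5-21-1001",
     "userprincipalname": "alice@example.com",
     "distinguished_name": "CN=alice,OU=Users,DC=example,DC=com"},
    {"id": 102, "email": "bob@example.com", "firstname": "Bob", "lastname": "Lee",
     "username": "", "external_id": "", "userprincipalname": "",
     "distinguished_name": ""},  # created directly in OneLogin, no directory server
]


def users_missing_directory_attrs(users):
    """Ids of users lacking any attribute that only a directory server populates."""
    return [u["id"] for u in users
            if not all(u.get(src) for src in DIRECTORY_SOURCED.values())]


def choose_mapping(users):
    """Apply the step-17 rule: the directory-sourced mapping only if EVERY user has
    the directory attributes, otherwise the local fallback for the whole app."""
    missing = users_missing_directory_attrs(users)
    conditional = LOCAL_FALLBACK if missing else DIRECTORY_SOURCED
    return {**UNCONDITIONAL, **conditional}, missing


def preflight(users, mapping, required=("Email Address", "First Name", "Last Name",
                                        "SCIM Username", "External ID")):
    """Users for whom a required Workspace ONE field (assumed set) would be sent empty."""
    problems = {}
    for u in users:
        empty = [field for field in required if not u.get(mapping[field])]
        if empty:
            problems[u["id"]] = empty
    return problems
```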