VMware Workspace ONE Community
AymanSaleh
Contributor

VMware Identity Manager and SharePoint Intranet SSO on Win10

Hello,

How can I set up SSO for an intranet based on SharePoint Server (on-premises) for managed Win10 devices that are not joined to the domain?

Environment details:

1- VMware Identity Manager 1903 on-premises

2- VMware Identity Manager Connector

3- Workspace ONE UEM Console 1811

4- AirWatch Cloud Connector

Thanks in advance.

Regards,

Ayman Saleh


Accepted Solutions
AlexAskin
Enthusiast

Hi,

If you are able to activate SAML on SharePoint you can skip UAG (but you should at least consider it, as you already have it licensed; it can act as a reverse proxy for WS1 or even as a Secure Content Gateway for your mobile devices, and is in my opinion one of the most underestimated components in the VMware EUC stack); otherwise you would need the combination of Kerberos + UAG.

The moment SAML is enabled on SharePoint you can authenticate your users with everything WS1 Access (vIDM) offers (User/Pass, CERT, Verify, etc.). To achieve an SSO experience for your users, certificate-based authentication would be ideal, as there are no more auth prompts.

Users will either go directly to SharePoint and be redirected to WS1 Access for authentication if not yet logged in, or launch the SharePoint "App" from the Workspace App on Windows or in a browser.

Hope that makes it more clear.

Alex
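As an added example (not Alex's text and not VMware or Microsoft code) of what "SAML enabled on SharePoint" means on the SharePoint side: an external IdP is registered as a trusted identity token issuer bound to the web application's zone. One caveat worth knowing before planning this with WS1 Access: a SharePoint 2016 trusted identity token issuer uses WS-Federation passive sign-in and consumes SAML 1.1 tokens, not the SAML 2.0 POST binding, so the IdP application has to be set up for that profile. The certificate path, realm, sign-in URL, web application URL and claim type below are placeholders; run this in the SharePoint Management Shell as a farm administrator.

```powershell
# Added example: register an external IdP (e.g. WS1 Access) as a SharePoint trusted
# identity provider. All names and URLs are placeholders, not values from the thread.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$waUrl    = "https://intranet.example.local"                   # placeholder web application
$realm    = "urn:sharepoint:intranet"                          # placeholder realm/audience
$signIn   = "https://access.example.local/SAAS/auth/wsfed/active/logon"  # placeholder sign-in URL
$certPath = "C:\certs\idp-signing.cer"                         # placeholder IdP signing cert

# 1. Trust the IdP's token-signing certificate (only the public part is needed).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "Example IdP signing" -Certificate $cert | Out-Null

# 2. Map the incoming claim that identifies the user. The same attribute must exist
#    in the IdP's token; e-mail address is used here as a placeholder choice.
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$map = New-SPClaimTypeMapping -IncomingClaimType $emailClaim `
                              -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# 3. Create the trusted identity token issuer (this is the "SAML" provider SharePoint sees).
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Example IdP" `
            -Description "External IdP for intranet SSO (placeholder)" `
            -Realm $realm -ImportTrustCertificate $cert `
            -ClaimsMappings $map -SignInUrl $signIn `
            -IdentifierClaim $map.InputClaimType

# 4. Bind it to the web application's Default zone alongside the existing Windows provider,
#    so NTLM users are not locked out while the new sign-in is being tested.
$wa       = Get-SPWebApplication -Identity $waUrl
$winAuth  = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$idpAuth  = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $winAuth, $idpAuth

# 5. Verify what the zone now offers.
Get-SPAuthenticationProvider -WebApplication $wa -Zone Default |
    Select-Object DisplayName, @{n="Type"; e={ $_.GetType().Name }}
```

Keeping the Windows provider in the zone is what lets you cut over gradually: SharePoint shows a sign-in selector until one provider is removed again. Because the user's SharePoint identity becomes the mapped claim value, users created under the trusted provider are distinct from their NTLM identities, so permissions have to be regranted to the new claim identities before the Windows provider is dropped.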


6 Replies
AlexAskin
Enthusiast

Hi Ayman,

I first need to better understand your requirements:

  1. Which version of Sharepoint are you using?
  2. Is your Sharepoint environment Ready4SAML?
  3. Any need for device compliance check?

Alex

AymanSaleh
Contributor

Hi Alex,

It is SharePoint Server 2016.

No, the SharePoint is not ready for SAML; the web application currently uses NTLM authentication.

No need for compliance check in our case.

Thanks,

Ayman

AlexAskin
Enthusiast

In this case you are looking for an "Identity Bridge" between modern authentication and legacy applications (due to NTLM).

If you are able to switch from NTLM at least to Kerberos (I recommend doing so), you may then want to take a look into VMware Unified Access Gateway, which should help enable SSO for your scenario: Deployment for Single Sign-on Access to On-Premises Legacy Web Apps

On the Windows 10 side you can choose between SAML (as you already have a WS1 Access (vIDM) as IdP) or Certificate (out of Workspace ONE UEM), which can be used to authenticate your users.

Alex

PS: You should update your WS1 UEM environment soon as support for 1811 ends on 17-Jun-20 -> https://kb.vmware.com/s/article/2960922

AymanSaleh
Contributor

Thank you Alex for your help,

Actually, we don't have Unified Access Gateway at the moment; that's why we cannot go with the UAG identity bridge.

So, to address SSO on the SharePoint web application on non-domain-joined Windows 10, we have only two options, as follows, right?

1- UAG identity bridge

2- SAML Authentication through ADFS

and of course we need to make sure that our SharePoint environment is ready for SAML or Kerberos to make it work.

When you say on the Windows 10 side, you mean sign-in on the Workspace ONE app on Windows, not on the SharePoint web application, right?

Is certificate authentication a valid option in our SharePoint scenario?

Thanks,

Ayman

aguedesrocha
VMware Employee

AymanSaleh,

Unified Access Gateway here provides two options when using Web Reverse Proxy and Identity Bridging:

1 - SAML to Kerberos - this will provide a great experience to the user, as you already have Workspace ONE Access.

2 - Certificate to Kerberos - in this case you can use Workspace ONE UEM to integrate with your CA and deliver the certificate to the device; when the user accesses SharePoint they will be prompted with the certs installed on the device and select the one to use for authentication.

You need to deploy a Unified Access Gateway appliance and set up Kerberos on your SharePoint, both easy. This article provides a detailed explanation and describes all the steps, including the appliance deployment: Configuring Web Reverse Proxy and Identity Bridging in VMware Unified Access Gateway: VMware Workspa...

Best,

Andreano Lanusse
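Both Alex's advice to move the web application from NTLM to Kerberos and Andreano's "set up Kerberos on your SharePoint" step come down to the same two things on the SharePoint farm: an HTTP service principal name on the application pool account, and the zone's Windows provider negotiating Kerberos instead of NTLM only. The following is an added example, not code from the thread or from VMware or Microsoft, that inspects the current state and shows the change; the web application URL and accounts are placeholders, and it is meant for the SharePoint Management Shell on a farm server run as a farm administrator with rights to register SPNs.

```powershell
# Added example: check whether a SharePoint 2016 web application is Kerberos-ready
# (what UAG identity bridging needs on the back end) and switch it from NTLM-only.
# All host names and accounts are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$waUrl = "https://intranet.example.local"      # placeholder web application URL
$wa    = Get-SPWebApplication -Identity $waUrl

# 1. Report how the Default zone authenticates today.
foreach ($p in Get-SPAuthenticationProvider -WebApplication $wa -Zone Default) {
    switch ($p.GetType().Name) {
        "SPWindowsAuthenticationProvider" {
            # DisableKerberos = $true means the zone answers with NTLM only.
            $mode = if ($p.DisableKerberos) { "NTLM only" } else { "Negotiate (Kerberos, NTLM fallback)" }
            Write-Output "Windows auth on Default zone: $mode"
        }
        "SPTrustedAuthenticationProvider" {
            Write-Output "Trusted IdP provider present: $($p.DisplayName)"
        }
        default { Write-Output "Other provider: $($p.GetType().Name)" }
    }
}

# 2. Kerberos only works if the KDC can find an HTTP SPN for the site's host name,
#    registered on the account running the web application's app pool.
$appPoolAccount = $wa.ApplicationPool.Username      # e.g. DOMAIN\svc_sp_web (placeholder)
$hostName       = ([Uri]$waUrl).Host
$spn            = "HTTP/$hostName"
Write-Output "App pool account: $appPoolAccount  expected SPN: $spn"
setspn -Q $spn       # prints the owning account, or "No such SPN found."
# If missing, register it once (duplicate SPNs break Kerberos for everyone, so -S checks first):
#   setspn -S $spn $appPoolAccount

# 3. With the SPN in place, let the zone negotiate Kerberos. Clients that cannot get a
#    ticket (e.g. off-domain devices without UAG in front) still fall back to NTLM.
$negotiate = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos:$false
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $negotiate

# 4. Confirm the change took effect.
(Get-SPAuthenticationProvider -WebApplication $wa -Zone Default |
    Where-Object { $_.GetType().Name -eq "SPWindowsAuthenticationProvider" }).DisableKerberos
```

Running steps 1 and 2 first is the useful part for the thread's question: if `setspn -Q` reports no SPN, or the provider reports "NTLM only", the UAG identity bridge cannot obtain a service ticket for SharePoint regardless of how the front-end authentication (SAML or certificate) is configured. The SPN must also match the host name users and UAG actually use, so a web application reachable under several names needs one SPN per name.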
