
VMware Identity Manager as a Third-Party IDP in ADFS

This lab will guide you through using vIDM as a claims provider in ADFS. The added value for a customer doing this integration is access to the authentication methods vIDM offers, such as mobile single sign-on.

In this scenario we will assume the customer has already federated the desired application with ADFS. For the sake of this lab, Socialcast will be used as the application (Relying Party) in ADFS.

First you will configure vIDM in ADFS as the claims provider by importing the IdP metadata. You will then set up the claim rule for the claims vIDM sends to ADFS after authentication.

Lastly, you will set up ADFS as the application source in vIDM.

ADFS Configuration

  1. On your ControlCenter2 server open your Firefox browser and browse to your unique vIDM SaaS instance.
  2. If you are not already on the System Domain, click Change to a different domain and select the System Domain from the domain drop-down.
  3. Type administrator and VMware1! and select Sign in.
  4. In the admin console click Catalog, then to the right of the Catalog interface select Settings.
  5. In the Settings panel on the left, navigate to SAML Metadata under SaaS Apps.
  6. Right-click Identity Provider (IdP) metadata and select Save Link As...
  7. In the browser window that opens, navigate to the Software folder on the desktop, create and open an ADFS folder, and select Save.

This will save a file idp.xml into the folder, which we can later access from the ADFS server. The idp.xml file is the metadata describing vIDM as an identity provider.

The next section will focus on adding VMware Identity Manager as a Claims Provider in the AD FS Management interface.

Navigate to the desktop and open the Remote Desktops folder. Double-click ADFS.RDP to remote into the ADFS server.

  1. In Server Manager, at the top, select Tools and then AD FS Management.
  2. When the AD FS Management interface is open, navigate to Claims Provider Trusts (only Active Directory should be present).
  3. Right-click Claims Provider Trusts and select Add Claims Provider Trust...
  4. Click Start on the Welcome page.
  5. Select Import data about the claims provider from a file.
  6. Select Browse, navigate to Desktop > Software > ADFS, select idp.xml and select Open.
  7. Select Next.
  8. On the Specify Display Name page, enter vIDM Livefire in the Display name field and click Next. On the Ready to Add Trust window select Next, then Close. You will now see Active Directory and vIDM Livefire as Claims Providers.

  1. Right-click vIDM Livefire and select Edit Claim Rules...
  2. Select Add Rule...
  3. On the Select Rule Template page, from the Claim rule template drop-down, select "Send Claims Using a Custom Rule" and select Next.
  4. Under Claim rule name, type Windows Accountname Claim.
  5. Paste the below into the Custom rule field:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
  6. Select Finish. On the Edit Claim Rules for vIDM Livefire window select OK.

Configure vIDM

  1. Return to the ControlCenter2 server and open Firefox.
  2. Using your browser, go to your custom VMware Identity Manager SaaS URL, e.g. https://aw-euclivefirefp.vidmpreview.com/
  3. Log in to the System Domain with user admin and password VMware1!
  4. Select the Catalog tab and, to the right of the Catalog interface, select Settings.
  5. On the left of the Settings window, under SaaS Apps, select Application Sources.
  6. To the right of Application Sources, select ADFS.

  1. On your ControlCenter browser, open a new tab and browse to https://adfs.euc-livefire.com/FederationMetadata/2007-06/FederationMetadata.xml
  2. Select Save File (by default it will save to the Downloads folder) and go to the Downloads folder.
  3. Open the file using Notepad++ and copy the contents of the XML by pressing Ctrl + A then Ctrl + C.

  1. Navigate back to the browser tab with the ADFS Application Source wizard and select Next on the Definition page.
  2. On the Configuration page, click in the URL/XML text box and press Ctrl + V. This pastes the metadata from ADFS into vIDM.
  3. Leave the rest as default for now and click Next. On the Summary page select Save.
  4. On the Settings page, select the X to the right of the window to close.
  5. Now head back into the ADFS settings by clicking ADFS on the Application Sources page.
  6. Click Next on the Definition page.

  1. On the Configuration page, notice how all the values are populated from the XML previously imported. We need to make a few tweaks here.
  2. To the right, select the scroll bar and scroll down until you find Username Format. Using the drop-down to the right, change the Username Format from Email Address to Unspecified.
  3. In the Username Value section, replace ${user.userName} with the following:
${user.domain}\${user.userName}
  4. Further down on the ADFS Application Source page, select Advanced Properties, then scroll further down.
  5. To the right, using the Signature Algorithm drop-down, replace SHA1 with RSA with SHA256 with RSA.
  6. In the Digest Algorithm drop-down, replace SHA1 with SHA256.
  7. Select Next at the bottom of the page and Save on the Summary page.
  8. Close the Settings page.
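The following is an added example, not ADFS code and not part of the original lab: a small JavaScript model of the "Windows Accountname Claim" rule from the ADFS configuration section, combined with the Username Value and Username Format settings configured above, so the interaction between the two can be checked offline. The claim type and format URIs are the ones from the rule; the user object, the issuer label and the email-format case are constructed for illustration. It shows why the Username Format must be Unspecified: a NameID sent in email format does not satisfy the rule's condition, so no windowsaccountname claim is issued and ADFS has nothing to hand to the relying party.

```javascript
// Added example: a model of the custom claim rule's logic, not ADFS's rule
// engine. URIs are taken from the rule text in the lab.
const NAMEID_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
const FORMAT_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format";
const FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
const FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
const WINDOWS_ACCOUNT_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname";

// c:[Type == nameidentifier, Properties[format] == unspecified]
//   => issue(Type = windowsaccountname, Issuer = "AD AUTHORITY",
//            OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
// Every incoming claim is checked against the condition; only matches are issued.
function windowsAccountNameRule(incoming) {
  return incoming
    .filter(c => c.type === NAMEID_TYPE && c.properties[FORMAT_PROP] === FORMAT_UNSPECIFIED)
    .map(c => ({
      type: WINDOWS_ACCOUNT_TYPE,
      issuer: "AD AUTHORITY",
      originalIssuer: c.originalIssuer,
      value: c.value,
      valueType: c.valueType,
    }));
}

// The Username Value set in the vIDM application source, ${user.domain}\${user.userName},
// rendered for a user object (DOMAIN\user, the form windowsaccountname expects).
function usernameValue(user) {
  return `${user.domain}\\${user.userName}`;
}

// Builds the NameID claim as ADFS would receive it from the vIDM assertion for
// a given Username Format. Email format carries the e-mail address; Unspecified
// carries the rendered Username Value.
function nameIdClaimFrom(user, format) {
  return {
    type: NAMEID_TYPE,
    properties: { [FORMAT_PROP]: format },
    originalIssuer: "vIDM Livefire", // constructed label; ADFS records the provider identifier here
    value: format === FORMAT_EMAIL ? user.email : usernameValue(user),
    valueType: "http://www.w3.org/2001/XMLSchema#string",
  };
}

// Constructed sample user.
const USER1 = { domain: "EUC-LIVEFIRE", userName: "user1", email: "user1@euc-livefire.com" };

// Runs both configurations through the rule and returns the issued claims.
function compareFormats(user) {
  return {
    unspecified: windowsAccountNameRule([nameIdClaimFrom(user, FORMAT_UNSPECIFIED)]),
    email: windowsAccountNameRule([nameIdClaimFrom(user, FORMAT_EMAIL)]),
  };
}

console.log(JSON.stringify(compareFormats(USER1), null, 2));
```

With Unspecified the rule issues one windowsaccountname claim valued EUC-LIVEFIRE\user1; with Email Address the same user produces an empty result, which is the symptom to look for if the relying party reports a missing or empty account name after the vIDM sign-in succeeds.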

SAML Test Application (Socialcast)

Now that we have integrated vIDM as a claims provider in ADFS, we can test an application that has been federated with ADFS. Socialcast has been pre-configured as a Relying Party Trust in ADFS. Configuring the SAML application is not part of this lab.

  1. Close all browsers to clear any cached SAML session. Now open Chrome and navigate to https://socialcast.euc-livefire.com
  2. Select "as Employee" on the look up account page.
  3. Notice that you are redirected to the ADFS Home Realm Discovery (HRD) screen.
  4. You will then have two options for authentication (the claims providers configured in ADFS):
    1. vIDM LiveFire
    2. Active Directory
  5. Select vIDM LiveFire. You will then be redirected to vIDM for authentication.
  6. Select Next with the euc-livefire.com domain selected.
  7. Type User1 and VMware1! and sign in.

Adding ADFS app to vIDM

In certain scenarios admins might want to provide access to the Relying Party configured in ADFS directly in the Workspace ONE catalog. This is made possible via the ADFS integration: we are essentially using a redirect to the Relying Party. Let's add the Socialcast application to the catalog.

  1. Log into https://workspaceone.euc-livefire.com using the System directory, username admin, password VMware1!
  2. Now navigate to Catalog then select New and select

  1. On the New SaaS Application > Definition page, give it the name Socialcast.
  2. On the same page under Icon, click Select File..., in the Downloads folder click the socialcast.jpg file and select Open. Select Next at the bottom of the page.

  1. On the Configuration page under Authentication Type, replace SAML 2.0 by selecting ADFS Application Source from the drop-down to the right.
  2. In the Target URL, type RPID=https://socialcast.euc-livefire.com and select Next.

  1. Leave the Access Policies as default and click Next.

  1. On the Summary page click Save & Assign.
  2. On the Assign page, begin typing Marketing until you can select the Marketing@euc-livefire.com group, select "Automatic" for the deployment method, and hit Save to finish adding the application.

You have now successfully added the Socialcast application federated with ADFS into your Workspace ONE Catalog.

1. Close the browser and all windows to ensure Firefox or Chrome has closed properly. Now re-open Firefox and navigate to https://workspaceone.euc-livefire.com

2. Log in as user1 with password VMware1! in the domain euc-livefire.com. You will then notice the Socialcast application in the catalog.

3. Click Open under the Socialcast icon and you will be redirected to Socialcast and authenticated as user1 without entering additional credentials.

ExtraCurricular: Setting vIDM as the default claim provider

There might be a use case where an organisation wants the configured relying party in ADFS to always use a specific claims provider. Through PowerShell, admins have the ability to set the default claims provider for specific relying parties.

On the ADFS server do the following:

1. Navigate to https://socialcast.euc-livefire.com and click "as Employee". Notice that you currently have the option to choose either vIDM Livefire or Active Directory.

2. Open PowerShell and type

Get-AdfsRelyingPartyTrust

3. You will now be able to see that Socialcast is set to use both Active Directory and vIDM LiveFire as claims providers.

4. Let's now set vIDM as the default claims provider. In the same PowerShell window execute the following command:

Set-AdfsRelyingPartyTrust -TargetName "SocialCast" -ClaimsProviderName @("vIDM Livefire")

5. Confirm the change by running the same command again to get the relying party trust information. You will notice that vIDM Livefire is now listed as the only ClaimsProviderName.

Get-AdfsRelyingPartyTrust

6. Now close your browser and re-open to https://socialcast.euc-livefire.com 

7. Click "as Employee" and notice that you are now automatically redirected to Workspace ONE. Click Next. After authenticating you will automatically be logged into Socialcast. Observe that you were not prompted to choose the claims provider as in the original test. To reverse the above, simply re-add Active Directory as another claims provider:

 Set-AdfsRelyingPartyTrust -TargetName "SocialCast" -ClaimsProviderName @("vIDM Livefire", "Active Directory")

Modify ADFS to Forward Only Mobile Traffic to VMware Identity Manager

We will now look at implementing a common use case when federating ADFS with VMware Identity Manager. Many customers want to keep the same authentication flow through ADFS for their desktop and laptop devices, but want a modern authentication flow for mobile devices (such as iOS and Android). In this case they can use the User-Agent HTTP header to route authentication either to VMware Identity Manager or to the ADFS server.

1. On the ADFS server open Windows PowerShell as Administrator.

2. Create a working folder by running the following in PowerShell:

 mkdir C:\Users\administrator.EUC-LIVEFIRE\myscripts

3. Then run the following to export the default ADFS Web Theme:

 Export-AdfsWebTheme -Name default -DirectoryPath C:\Users\administrator.EUC-LIVEFIRE\myscripts

4. Open Notepad as administrator.

5. Click File > Open, navigate to C:\Users\administrator.EUC-LIVEFIRE\myscripts\script and open the onload.js file.

6. Copy the following into the onload.js file and save.

*Replace {VIDMURL} with your VMware Identity Manager tenant URL.

// onload.js is loaded on every ADFS sign-in page, but the HRD object only
// exists on the Home Realm Discovery page, so guard before using it.
if (typeof HRD !== "undefined") {
    // redirect mobile traffic to Workspace ONE (the vIDM claims provider identifier)
    if (navigator.userAgent.match(/iPad|iPhone|Android|Windows Phone/i) != null) {
        HRD.selection('https://{VIDMURL}/SAAS/API/1.0/GET/metadata/idp.xml');
    } else {
        // otherwise authenticate with the local AD claims provider
        HRD.selection('AD AUTHORITY');
    }
    // hide the HRD selector from the user
    var hrdui = document.getElementById("bySelection");
    if (hrdui) {
        hrdui.style.display = "none";
    }
}

The code above redirects to VMware Identity Manager based on the user agent of the authentication request (iPad, iPhone, Android or Windows Phone).

Any traffic that doesn't match the listed user agents is authenticated with the local Active Directory (i.e. Windows and Mac desktops).
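As an added example (not the lab's onload.js and not ADFS code), here is the same selection logic factored into plain functions that can be exercised outside the browser with constructed user-agent strings. The {VIDMURL} placeholder, the sample user agents, and the stand-in HRD and document objects are assumptions. It also makes two caveats concrete: the User-Agent header is chosen by the client, so this routing only decides where the user authenticates, never whether they authenticate, and an iPad running Safari in desktop-class mode reports itself as Macintosh, so this pattern sends it to Active Directory rather than vIDM.

```javascript
// Added example: the claims-provider selection from the ADFS theme script,
// written as functions so it can be run and checked outside the browser.
// {VIDMURL} is a placeholder for your vIDM tenant host, as in the lab.
const VIDM_ENTITY_ID = "https://{VIDMURL}/SAAS/API/1.0/GET/metadata/idp.xml";
const AD_AUTHORITY = "AD AUTHORITY";

// Same pattern as the lab's onload.js. It is a routing hint only: the client
// sets its own User-Agent, so this picks *where* the user authenticates; the
// chosen provider still has to authenticate them.
const MOBILE_UA = /iPad|iPhone|Android|Windows Phone/i;

function selectClaimsProvider(userAgent) {
  return MOBILE_UA.test(userAgent || "") ? VIDM_ENTITY_ID : AD_AUTHORITY;
}

// Applies the selection against the HRD page objects. In the real theme
// script `hrd` is the global HRD object and `doc` is `document`; both are
// parameters here so the flow can be driven with stand-ins. onload.js runs on
// every ADFS page and HRD only exists on the Home Realm Discovery page, so a
// missing HRD object means there is nothing to do.
function applyHomeRealm(hrd, doc, userAgent) {
  if (hrd === undefined || hrd === null) {
    return null;
  }
  const chosen = selectClaimsProvider(userAgent);
  hrd.selection(chosen);
  // hide the provider picker so the user never sees the choice
  const picker = doc.getElementById("bySelection");
  if (picker) {
    picker.style.display = "none";
  }
  return chosen;
}

// Constructed sample user-agent strings (not captured from real devices).
const SAMPLE_UAS = {
  iphone: "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148",
  android: "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/114.0 Mobile Safari/537.36",
  windows: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0 Safari/537.36",
  // iPadOS Safari in desktop-class mode identifies as Macintosh, so the
  // iPad|iPhone pattern does not match and the user is sent to AD AUTHORITY.
  ipadDesktopMode: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/16.0 Safari/605.1.15",
};

// Runs every sample through the router and returns name -> chosen provider.
function routeSamples() {
  const result = {};
  for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
    result[name] = selectClaimsProvider(ua);
  }
  return result;
}

console.log(routeSamples());
```

If the iPad case matters in your environment, treat the user-agent route as a convenience for the common case and keep both claims providers able to authenticate the user; the ExtraCurricular section above shows how to pin a relying party to a single provider when that is what you actually want.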

Create New ADFS Web Theme

1. Create a new ADFS Web Theme by running the following in PowerShell:

 New-AdfsWebTheme -Name VIDM -SourceName default

2. Import the modified onload.js into the ADFS Web Theme by running the following in PowerShell:

 Set-AdfsWebTheme -TargetName VIDM -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="C:\Users\administrator.EUC-LIVEFIRE\myscripts\script\onload.js"}

3. Activate the new ADFS Web Theme by running the following in PowerShell:

 Set-AdfsWebConfig -ActiveThemeName VIDM

This will now ensure that mobile devices are re-directed to vIDM for authentication and non-mobile are using "AD Authority" as their identity source.

DO NOT DO FOR THIS LAB

  1. Open the Remote Desktops folder on the desktop and RDP to the ADFS server.
  2. Right-click the Start button and select Run. Type services.msc.
  3. Browse down, right-click Active Directory Federation Services and select Properties.
    1. Select the Log On tab at the top and select Browse. On the pop-up click Locations, select the euc-livefire.com domain, type ADFSsvc and select Check Names. This should automatically find the user we are looking for. Select OK.
    2. Type in the password VMware1! twice and hit OK. Now right-click the service and click Start. This should start the service.
