Federating ADFS / Zendesk with Workspace ONE Access

Part 1. Setting up your own SaaS ZENDESK account

  1. In this section we are going to register for a ZENDESK account
    1. Open your browser and add the following URL to your browser https://www.zendesk.co.uk/register/
    2. On the Let's get started window, under Work Email, sign in with your Office 365 cloud admin account and the password VMware1! (in this particular example, cloudadmin@fernandoduplot.onmicrosoft.com), then select Next
    3. On the Tell us about your company under company name type EUCLivefire and under number of employees select 500 - 999 employees, select Next

2. We are continuing to register for a ZENDESK account

  • On the Tell us about yourself, enter required information under First Name and Last Name and telephone number. Select Next

3. We are continuing to register for a ZENDESK account

    1. On the Customize your team window, type your assigned student domain name and select Next
    2. You will briefly notice a Setting up your new account at window, this will automatically move on
    3. You will then be prompted to check your email, log in to your email to verify your ZENDESK registration
    4. Open the sent email and select click here to verify your email address
    5. Note that you should now automatically be taken to your ZENDESK account as CloudADMIN
    6. Notice too that you have a 13-day trial of this tenant

Part 2. Federating ADFS with Zendesk

1. Step 1 - Adding a Relying Party Trust

  • Log in to your ControlCenter2 account as Administrator@euc-livefire.com with the password VMware1!. On the ControlCenter server desktop, open the Remote Desktop folder and launch the ADFS.rdp shortcut using your Administrator@euc-livefire.com and VMware1! credentials.
    1. On the ADFS server desktop select the Start menu and then under Most used select AD FS Management
    2. Select the Relying Party Trusts folder and right-click select Add Relying Party Trust
    3. On the Welcome page select Start
    4. In the Select Data Source screen, select the last option, Enter Data About the Party Manually, then select Next

2. Step 1 - Adding a Relying Party Trust ...

  • On the Specify Display Name screen,
    1. Under Display name type ZENDESK and select Next
    2. On the Configure Certificate page select Next

3. Step 1 - Adding a Relying Party Trust ...

  • On the Configure URL section add the following:-
    1. Next to Enable support for the SAML 2.0 WebSSO protocol select the checkbox
    2. Under Relying Party SAML 2.0 SSO service URL type the service URL, which is https://subdomain.zendesk.com/access/saml with subdomain replaced by your Zendesk subdomain (your own assigned domain name), e.g. https://auckland35.zendesk.com/access/saml. NB! There is no trailing slash at the end of the URL. Select Next
    3. On the Configure Identifiers window, under Relying party trust identifier type the FQDN of your Zendesk domain, e.g. https://Auckland35.Zendesk.com, select Add and then select Next

4. Step 1 - Adding a Relying Party Trust ...

    1. On the Choose Access Control Policy select Permit everyone and select Next
    2. On the Ready to Add Trust select Next
    3. On the Finish Page select Close

5. Step 2 - Adjusting the trust settings

  • In the Relying Party Trusts container select your ZENDESK configuration and select Properties
    1. Select the Advanced tab, make sure SHA-256 is specified as the secure hash algorithm.
    2. Select the Endpoints tab, select Add SAML to add a new endpoint.
    3. On the Add an Endpoint window configure the following:
      • Under Endpoint type, select SAML Logout.
      • Under Binding, select POST.
      • Under Trusted URL, copy and paste the following:- https://adfs.euc-livefire.com/adfs/ls/?wa=wsignout1.0
    4. Select OK twice to close the ZENDESK properties window

6. Step 3 - Creating claim rules

  • Once the Relying Party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard.
    1. In the Relying Party Trusts container select and right-click the ZENDESK Relying Party Trusts configuration and select Edit Claim Issuance Policy
    2. In the Edit Claim Issuance Policy for ZENDESK, select Add Rule
    3. On Choose Rule Type section accept the default and select Next
    4. In the Configure Claim Rule section, type the following:-
      • Under Claim rule name: type ZENDESK_AD
      • Under Attribute store: select Active Directory
      • From the LDAP Attribute column, select E-Mail Addresses.
      • From the Outgoing Claim Type column, select E-Mail Address
      • Select Finish

7. Step 3 - Creating claim rules

  • Creating Claim rules Continued...
    1. On the Issuance Transform Rules tab select Add Rule
    2. On the Choose Rule Type step, under Claim rule template, select Transform an Incoming Claim from the dropdown and select Next
    3. On the Configure Claim Rule Step configure the following
      • Under Claim Rule name: type Email Transform
      • Next to Incoming Claim Type, select E-mail Address
      • Next to Outgoing Claim Type, select Name ID.
      • Next to Outgoing Name ID Format, select Email.
        • Leave the rule to the default to Pass through all claim values.
      • Select Finish
    4. Click on OK to save the new rule.
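The two rules the wizard created above, written in the AD FS claim rule language and applied with the AD FS PowerShell module. This is an added example, not part of the lab; it assumes the relying party trust is named ZENDESK as above and that it runs in an elevated Windows PowerShell on the ADFS server.

```powershell
# Added example: the Step 3 claim rules as claim rule language, applied with the
# AD FS module rather than the MMC wizard. Assumes the trust is named ZENDESK.
Import-Module ADFS

# Rule 1 ("ZENDESK_AD"): look up the user's AD "mail" attribute and issue it as an
# E-Mail Address claim. Rule 2 ("Email Transform"): copy that claim into the SAML
# NameID with the emailAddress format, which is the value Zendesk matches users on.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ZENDESK_AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# -IssuanceTransformRules replaces the whole rule set for the trust, so both
# rules go in one string.
Set-AdfsRelyingPartyTrust -TargetName 'ZENDESK' -IssuanceTransformRules $rules

# Read the trust back: the rules should match the text above, and the signature
# algorithm should be the SHA-256 URI chosen on the Advanced tab in Step 2.
$rpt = Get-AdfsRelyingPartyTrust -Name 'ZENDESK'
$rpt.IssuanceTransformRules
$rpt.SignatureAlgorithm      # expect http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

# Note: a user whose AD "mail" attribute is empty gets no NameID from these rules
# and cannot sign in to Zendesk once Zendesk authentication is disabled in Part 3.
```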

Part 3. Configuring Zendesk for SSO with ADFS

1. Step 1 - Enabling SSO on Zendesk

  • Switch to the ControlCenter2 server and, if necessary, log in to the server with the administrator@euc-livefire.com and VMware1! credentials.
    1. On the ControlCenter2 server open the Remote Desktops folder, launch the ADFS.rdp shortcut and log in to the ADFS server with your administrator@euc-livefire.com and VMware1! credentials.
    2. On the ADFS server select the Start menu, launch Windows PowerShell, and in the Windows PowerShell console run the following command
      • Get-AdfsCertificate
    3. Scroll down until you find the CertificateType : Token-Signing section and, next to Thumbprint :, select and copy the long hexadecimal string (the certificate thumbprint) to a text editor
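A way to read the same thumbprint directly in PowerShell that also flags the certificate-rollover trap behind it. This is an added example, not part of the lab; it runs in Windows PowerShell on the ADFS server.

```powershell
# Added example: print the primary token-signing thumbprint in the form Zendesk
# expects, and warn when AD FS will replace that certificate on its own.
Import-Module ADFS

# AD FS can hold two token-signing certificates (primary and secondary) during a
# rollover; only the primary one signs assertions, so only its thumbprint is valid.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

# Zendesk's "Certificate fingerprint" field takes the SHA-1 thumbprint, which is
# the same 40-hex-character value the MMC and Get-AdfsCertificate display.
$fingerprint = $signing.Thumbprint.ToUpper()
Write-Host "Token-signing fingerprint for Zendesk: $fingerprint"
Write-Host "Certificate expires: $($signing.Certificate.NotAfter)"

# Caveat: with AutoCertificateRollover enabled, AD FS generates a new token-signing
# certificate and promotes it to primary before the old one expires. The fingerprint
# stored in Zendesk then stops matching and every SSO login fails until it is updated.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is on: re-enter the fingerprint in Zendesk after each rollover.'
}

# A secondary token-signing certificate listed here means a rollover is already pending.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```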

2. Step 1 - Enabling SSO on Zendesk

  • Switch back to your Zendesk admin console
    1. Select the ADMIN cog wheel icon in your Zendesk admin console
    2. Under SETTINGS select Security
    3. Under the Security tab select Global
    4. In the Global tab select Manage Security Setting in the Admin Center

3. Step 1 - Enabling SSO on Zendesk

  • In the Admin Center Console,
    1. In the Security section, select Single sign-on
    2. In the Single sign-on section, next to SAML select Configure
    3. In the SAML interface configure the following. Next to:
      • Enabled: select the check box
      • SAML SSO URL, type: https://adfs.euc-livefire.com/adfs/ls/
      • Certificate fingerprint*: paste the Token-Signing thumbprint from your text editor, e.g. 56A66986EC41D546CD80A52A78AFAFEC181B2AF2
      • Remote logout URL, type: https://adfs.euc-livefire.com/adfs/ls/?wa=wsignout1.0
    4. Select Save

4. Step 2 - Enabling SSO on Zendesk User Configurations

  • We will now configure and provision the users that will connect
    1. In the Zendesk New Admin console above Single sign-on select Staff members
    2. In the Staff member section, perform the following tasks, next to:
      • Zendesk authentication : Checkbox UNCHECKED
      • External authentication : Checkbox CHECKED
        • Single sign-on radio button: ENABLED
    3. Select Save
    4. On the Disabling Zendesk authentication page copy the get-out-of-jail URL and save it to your information sheet
    5. Select Disable
    6. Select Save

5. Step 2 - Enabling SSO on Zendesk User Configurations

  • In this section we will provision a few staff members to Zendesk
  • Switch back to the Original Admin Console
    1. In the Old Admin Console right at the top select + Add
    2. Select User
    3. Under Requester select + Add user
    4. In the Add User window, type the following next to each field:-
      • Name: your custom Salesforce account, e.g. User35ANZ
      • Email: your custom Salesforce account email address, e.g. User35ANZ@auckland35.euc-livefire.com

Part 4. Configuring Zendesk for SSO with ADFS

1. Step 1 - Configuring Workspace ONE Access with ADFS

  • Return to the ControlCenter2 and open Firefox
    1. Using your browser, go to your unique vIDM tenant
    2. Log in with the System Domain using user administrator and password VMware1!
    3. Now click on Catalog and select Settings
    4. Navigate to Application Sources under SaaS Apps on the left-hand side and select ADFS to configure the App Source.

2. Step 1 - Configuring Workspace ONE Access with ADFS

  • Open a new tab and browse to https://adfs.euc-livefire.com/FederationMetadata/2007-06/FederationMetadata.xml
    1. Select Save File and go to the Downloads folder. (Chrome will download the file automatically)
    2. Open the file using Notepad++ and copy the contents of the XML by pressing Ctrl + A then Ctrl + C
    3. Then go back to the ADFS Application Source configuration on vIDM and select Next.
    4. Paste the contents of the FederationMetadata.xml into the URL/XML field. Click NEXT
    5. Click Next in the Access Policies and SAVE on the Summary Page
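Before handing FederationMetadata.xml to Workspace ONE Access, it is worth confirming that the signing certificate the metadata advertises is the one whose fingerprint was entered in Zendesk in Part 3. This is an added example, not part of the lab; it runs in Windows PowerShell on ControlCenter2, assumes ControlCenter2 trusts the ADFS HTTPS certificate, and $expectedFingerprint is the value you saved from Get-AdfsCertificate.

```powershell
# Added example: parse the ADFS federation metadata and compare its signing
# certificate(s) against the fingerprint configured in Zendesk.
$metadataUrl = 'https://adfs.euc-livefire.com/FederationMetadata/2007-06/FederationMetadata.xml'
$expectedFingerprint = '56A66986EC41D546CD80A52A78AFAFEC181B2AF2'   # replace with your own value

# Invoke-WebRequest fails here if the ADFS TLS certificate is not trusted on this machine.
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# The IdP role is described in <IDPSSODescriptor>; each <KeyDescriptor use="signing">
# carries a token-signing certificate, and there can be two during a rollover.
$idp = $metadata.EntityDescriptor.IDPSSODescriptor
Write-Host "Issuer (entityID): $($metadata.EntityDescriptor.entityID)"

$signingCerts = @($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' }) | ForEach-Object {
    # FromBase64String ignores the line breaks inside the <X509Certificate> text
    $der = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
}

foreach ($cert in $signingCerts) {
    # X509Certificate2.Thumbprint is the SHA-1 thumbprint, the same value Zendesk stores
    $status = if ($cert.Thumbprint -eq $expectedFingerprint) { 'matches Zendesk' } else { 'does NOT match Zendesk' }
    Write-Host ('Signing cert {0}  expires {1}  {2}' -f $cert.Thumbprint, $cert.NotAfter, $status)
}

if (-not ($signingCerts | Where-Object { $_.Thumbprint -eq $expectedFingerprint })) {
    Write-Warning 'No signing certificate in the metadata matches the fingerprint configured in Zendesk.'
}
```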

3. Step 1 - Configuring Workspace ONE Access with ADFS

  • Now head back into the ADFS settings by selecting ADFS in the Application Source page.
    1. Navigate to Configuration on the left-hand side and change Username Format to Unspecified
    2. Enter the following value under Username Value
      • ${user.domain}\${user.userName}    NB! there are no spaces in this value
    3. Click on Advanced Properties and set Signature Algorithm to SHA256 with RSA and Digest Algorithm to SHA256
    4. Select NEXT at the bottom of the page
    5. Click SAVE on the Summary page

Part 5. Test Application

Now that we have integrated vIDM as a claims provider to ADFS, we can test an application that has been federated with ADFS. Socialcast has been pre-configured under the Relying Party trust as an application in ADFS. Configuring the SAML application is not part of this lab.

  1. On your ControlCenter navigate to your ZENDESK Custom FQDN e.g. https://auckland35.zendesk.com
  2. Select as Employee on the look up account page
  3. Notice that you are now redirected to the ADFS Home Realm Discovery (HRD) screen
  4. You will then have two options for authentication (The claims providers configured in ADFS)
    1. vIDM LiveFire
    2. Active Directory
  5. Now select vIDM LiveFire; you will then be redirected to vIDM for authentication
  6. Select Next with the euc-livefire.com domain selected
  7. Type User1 and VMware1! and sign in


Part 6. Linking the ADFS application to Workspace ONE Access

1. ADFS link to Workspace ONE Access

  • In certain scenarios admins might want to provide access to the Relying party configured in ADFS directly in the Workspace ONE catalog. This is made possible via the ADFS integration. We are essentially using a redirect to the Relying Party. Let's add the Zendesk application to the catalog.
    1. Log in to your unique Workspace ONE Access Admin console using the local directory
    2. Now navigate to Catalog, then select NEW and give it the name: ZENDESK
    3. Click on Select File below Icon, select the socialcast.jpg file in the Download folder and select Open. Click NEXT
    4. In the Configuration page select ADFS Application Source under Authentication Type.
    5. Now type RPID=https://auckland35.zendesk.com in the Target URL field (using your own assigned domain name in place of auckland35) and select NEXT
    6. Click NEXT on the Access Policies Page, and SAVE & ASSIGN on the Summary page
    7. In the Assign page assign the application to the Marketing@euc-livefire.com group
    8. Start typing marketing@euc-livefire.com and you will see the Group showing up click it to confirm
    9. Now set the Deployment Type group to automatic and select SAVE

2. ADFS link to Workspace ONE Access

  • Close the browser and all windows to ensure Firefox or Chrome has closed properly. Now re-open Firefox and navigate to your unique Workspace ONE Access SaaS instance.
    1. On your ControlCenter server, open an Incognito browser session. Log in with your custom user account, e.g. user35anz, and password VMware1! in the domain euc-livefire.com. You will then notice the Zendesk application in the catalog.
    2. Now click on Open next to the Zendesk icon; you will be redirected to Zendesk and authenticated without additional credentials as your custom user, e.g. user35anz.