Workspace ONE Access as Third-Party IDP in ADFS
This lab will guide you through how to leverage Workspace ONE Access as a claims provider in ADFS. The added value a customer will get for doing such an integration is to leverage the authentication methods that Workspace ONE Access has to offer such as mobile single-sign-on.
In this scenario we will assume the customer has already federated the desired application with ADFS. For the sake of this lab socialcast will be used as the application (Relying Party) in ADFS.
First you will configure Workspace ONE Access in ADFS as the claims provider by importing the idp metadata. We will then set which claims we would like to send Workspace ONE Access for authentication.
Lastly you will set up ADFS as the application source in Workspace ONE Access.
- On your controlcenter2 open FireFox and browse to your unique Workspace ONE Access Admin tenant.
- Select the System Domain from the drop down domain drop down option and authenticate using the administrator account
- In the admin console click on catalog and click Settings
- In the Left Navigation column select SAML metadata under SaaS Apps
- Right click the Identity Provider (IdP) metadata and select save link as ... IDP.xml
- In the browser window that opens navigate to the Software folder on the desktop and open the ADFS folder and select Save
- Open the Remote Desktop folder on the desktop and RDP to the ADFS server
- Select and right click the Start button and select run. Type services.msc
- Browse down and right click Active Directory Federation Services and select Properties
- Now select the Log On tab at the top and select Browse. Now on the pop-up click locations and select the euc-livefire.com domain and type ADFSsvc and select Check Names. This should automatically find the the user that we are looking for. Select OK.
- Now type in the password twice VMware1! and hit OK now right click the service and click Start. This should now start the service,
- In Server Manager and at the top, select Tools and select AD FS Management
- When the AD FS Management interface is open navigate to Claims Provider Trusts (Only Active Directory should be present)
- Right Click Claims Provider Trust and select Add Claims Provider Trust...
- Click Start on the first Welcome page
- Then select Import data about the claims provider from a file
- Select Browse and navigate to Desktop > Software > ADFS and select the idp.xml and click Open
- Click next on the page and write Workspace ONE Access Livefire in the Display name click Next > Next > Close. Now you will see Active Director and Workspace ONE Access Livefire as Claims Providers
- Right Workspace ONE Access Livefire and select Edit Claim Rules...
- Now Select Add Rule...
- From the next page select from the drop down "Send Claim Using a Custom Rule" select Next
- Type Windows Accountname Claim for the claim rule name
- Paste the below into the custom rule field:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
5. Select Finish and OK
Configure Workspace ONE Access
- Return to the ControlCenter2 and open Firefox
- Using your browser go to you unique Workspace ONE Access tenat
- Login with System Domain using user:administrator password:VMware1!
- Now click on Catalog and select Settings
- Navigate to Application Sources under the Saas Apps on the left hand side and select ADFS to configure the App Source.
- Open the firefox browser on a new Tab and Browse to https://adfs.euc-livefire.com/FederationMetadata/2007-06/FederationMetadata.xml
- Select Save File and go to the Downloads folder. (Chrome will download the file automatically)
- Open the File using Notepad++ and copy the contents of the XML by pressing ctrl + a then ctrl + c
- Then go back to the ADFS Application Source configuration on Workspace ONE Access and select next.
- Paste the contents of the FederationMetadata.xml into the URL/XML field. Click NEXT
- Click Next in the Access Policies and SAVE on the Summary Page
- Now head back into the ADFS settings by selecting ADFS in the Application Source page.
- Navigate to Configuration on the left hand side and change Username Format to Unspecified
- Enter the following value under Username Value
- NB! there are no spaces in the below syntax
4. Click on advanced Properties and set Signature Algorithm to SHA256 with RSA and Digest Algorithm to SHA256
5. Select NEXT at the bottom of the page
6. Click SAVE on the Summary page
SAML Test Application (Socialcast)
Now that we have integrated Workspace ONE Access as a claims provider to ADFS we can now test an application that has been federated with ADFS. Socialcast has been pre-configured under the Relying Party trust as an application in ADFS. Configuring the SAML application is not part of this lab.
- Navigate to https://socialcast.euc-livefire.com
- Select as Employee on the look up account page
- Notice now you will be redirected to ADFS Home Realm Discovery Screen (HRD)
- You will then have two options for authentication (The claims providers configured in ADFS)
- Workspace ONE Access LiveFire
- Active Directory
- Now Select Workspace ONE Access LiveFire, You will then be redirected to authentication to Workspace ONE Access
- Select Next with the euc-livefire.com domain selected
- Type your custom user account and VMware1! and sign in
- Follow the wizard for first time users. example below
Adding ADFS app to Workspace ONE Access
In certain scenarios admins might want to provide access to the Relying party configured in ADFS directly in the Workspace ONE catalog. This is made possible via the ADFS integration. We are essentially using a redirect to the Relying Party. Let's add the socialcast application to the catalog.
- Log into you unique Workspace ONE Access Admin console using the local directory
- Now navigate to Catalog then select NEW and give it the name: Socialcast
- Click on Select File below Icon and select the socialcast.jpg file in the Download folder and select open. click NEXT
- In the Configuration page select ADFS Application Source under Authentication Type.
- Now type in the Target URL RPID=https://socialcast.euc-livefire.com and select NEXT
- Click NEXT on the Access Policies Page, and SAVE & ASSIGN on the Summary page
- In the Assign page assign the application to the Marketing@euc-livefire.com group
- Start typing email@example.com and you will see the Group showing up click it to confirm
- Now set the Deployment Type group to automatic and select SAVE
1. Close the browser and all windows to ensure firefox or chrome has closed properly. Now re-open firefox and navigate to your unique Workspace ONE Access SaaS instance.
2. Now log in as user1 user and password VMware1! in the domain euc-livefire.com you will then notice in the catalog the socialcast application.
3. Now click on Open under socialcast icon and you will be redirected to Socialcast and authenticated without additional credentials as user1.
ExtraCurricular: Setting Workspace ONE Access as the default claim provider
There might be a use-case where an organisation wants the configured relying party in ADFS always use a specific claims provider. Through powershell admins have the ability to set the default claims provider for specific relying parties.
On the ADFS Server do the following
1. navigating to https://socialcast.euc-livefire.com and clicking on "as employee" notice you will now have an option here to either choose Workspace ONE Access Livefire or Active directory.
2. Open powershell and type
3. You will now be able to see that socialcast is set to use both Active Directory and Workspace ONE Access LiveFire as the claims provider
4. Let's now set Workspace ONE Access as the default claims provider
In the same power shell windows now execute the below
Set-AdfsRelyingPartyTrust -TargetName "SocialCast" -ClaimsProviderName @("Workspace ONE Access Livefire")
5. Confirm the changes by typing the same command to get the relying party trust information. You will notice now that Workspace ONE Access Livefire is listed as the only ClaimsProvierName
6. Now close your browser and re-open to https://socialcast.euc-livefire.com
7. Click on as Employee notice now that you will automatically be re-directed to Workspace ONE click Next. After authenticated you will automatically be logged into Socialcast. Observe you weren't prompted to chose the claim provider as in the original test. In order to reverse the above simply re-add Active Directory as another claims provider.
Set-AdfsRelyingPartyTrust -TargetName "SocialCast" -ClaimsProviderName @("Workspace ONE Access Livefire", "Active Directory")