ADFS as Third-Party IDP in vIDM
Setup for integration
In this lab you will configure the VMware Identity Manager service to use Active Directory Federation Services (AD FS) as the third-party identity provider instance for authentication.
This is comparable to adding any other third-party identity provider into vIDM.
Begin with the prerequisite work before starting on the integration.
1. On your Control Center server, open the Chrome browser and download the AD FS federation metadata file.
NOTE: If you aren't getting the file, it is most likely that the AD FS service on adfs.euc-livefire.com hasn't started.
2. This downloads an .xml file containing your federation metadata, which is used to establish the trust between vIDM and ADFS.
3. Now navigate to the vIDM admin console at https://workspaceone.euc-livefire.com
4. Open the Identity Providers section under Identity & Access Management > Manage > Identity Providers
5. Select Add Identity Provider > Create Third Party IDP
6. Give it the following details:
NAME: ADFS 2016
SAML Metadata: Copy the text from the .xml file downloaded from ADFS and paste it into the field, then select Process IdP Metadata.
NOTE: each Name ID Format is matched to a Name ID Value; these entries are extracted from the metadata.
Users: Check the LivefireSync directory so that it is used for this identity provider.
Network: Select ALL RANGES
Authentication Methods: Password ADFS
SAML Context: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
SAML Signing Certificate: Right-click the Service Provider (SP) metadata link and select Save Link As. Save it to the ADFS software folder \\cs1-pd1.euc-livefire.com\software\ADFS. This downloads SP.xml, which we will later import into ADFS.
Select ADD at the bottom of the page to save.
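The metadata file that vIDM processes in the step above is where the entity ID, the Name ID formats and the IdP signing certificate come from, and the same certificate is what gets exported as ADFS.cer later in this lab. The following is an added example (not vIDM or AD FS code) that parses a SAML 2.0 IdP metadata document and checks an exported Base-64 .CER against the certificate the metadata advertises. The metadata and PEM text are constructed samples: the entityID follows the default AD FS pattern for the lab host (an assumption) and the certificate content is a placeholder blob rather than a real X.509 certificate.

```python
"""Inspect a SAML 2.0 IdP metadata document (the FederationMetadata.xml that AD FS
publishes) and pull out what vIDM's "Process IdP Metadata" step consumes:
entity ID, supported NameID formats, SSO endpoints and the signing certificate.
Added example; this is not vIDM or AD FS code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modelled on an AD FS export. The entityID follows the
# default AD FS pattern for the lab host (an assumption) and the certificate
# content is a placeholder blob, not a real X.509 certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.euc-livefire.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVItQ0VSVC1ERVI=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.euc-livefire.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.euc-livefire.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed stand-in for the ADFS.cer export (same placeholder bytes as above).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItQ0VSVC1ERVI=
-----END CERTIFICATE-----
"""


def _der_sha256(b64_text: str) -> str:
    """SHA-256 fingerprint of a base64-encoded DER blob, whitespace ignored."""
    der = base64.b64decode("".join(b64_text.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (such as vIDM's SP.xml) carries an SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            signing.append(_der_sha256(cert.text))
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "sso": {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)},
        "signing_cert_sha256": signing,
    }


def pem_sha256(pem_text: str) -> str:
    """Fingerprint of a Base-64 (.CER) export such as the ADFS.cer made later in the lab."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return _der_sha256(body)


def exported_cert_matches_metadata(meta: dict, pem_text: str) -> bool:
    """True when the exported token-signing cert is one the metadata advertises."""
    return pem_sha256(pem_text) in meta["signing_cert_sha256"]


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", meta["entity_id"])
    print("NameID formats:", *meta["name_id_formats"], sep="\n  ")
    print("SSO endpoints:", meta["sso"])
    print("signing cert sha256:", meta["signing_cert_sha256"])
    print("ADFS.cer matches metadata:", exported_cert_matches_metadata(meta, SAMPLE_PEM))
```

Run it against the real FederationMetadata.xml and ADFS.cer by reading those files into the two variables. If the fingerprint check fails, the relying party in AD FS and the IdP entry in vIDM are trusting different certificates, which is worth catching before the test at the end of the lab.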
We will now configure an access policy that uses the Password ADFS authentication method from the ADFS identity provider we just created, so that it applies when authenticating to SFDC.
1. Navigate to Policies under Identity & Access Management > Manage > Policies
2. Select Add Policy at the top right and name the policy ADFS - SFDC.
3. Click Select for the applications this policy should apply to, put a check next to SalesForce, then scroll to Policy Rule and click the +.
4. In the policy rule creator, select ALL RANGES and Web Browser. Use Password ADFS as the first authentication method and set the fallback to Password (Cloud Deployment).
5. Click OK to finish creating the rule, then SAVE on the policy screen.
Now we will create the relying party trust on the ADFS server. Before we do that, we need to export the token-signing certificate.
1. Navigate to your RDP folder and RDP into your ADFS server
2. Open the Server Manager and select Tools and open the AD FS management Console
3. In the console navigate AD FS > Services > Certificates
4. Right click the Token-signing Certificate and click "View Certificate"
5. Then select the Details tab and click Copy to File
6. Select Base-64 encoded X.509 (.CER) and click Next
7. Save the File to the desktop as ADFS.cer and Select Finish
1. Back in the AD FS console, navigate to AD FS > Relying Party Trusts and select Add Relying Party Trust in the right-hand panel.
2. A wizard launches; select Claims aware and click Start.
3. Select "Import data about the relying party from a file", then select the SP.xml file in the software folder \\cs1-pd1.euc-livefire.com\software\ADFS and click Next.
4. Give it the name vIDM LiveFire
5. In Choose Access Control Policy, leave the default Permit anyone and click Next.
6. Leave the next two screens at their defaults, click Next, then Finish.
7. vIDM LiveFire should now be listed as a relying party trust. Select it and click Edit Claim Issuance Policy in the right-hand pane.
8. Now click Add Rule...
9. Leave the default claim rule template, Send LDAP Attributes as Claims, and click Next.
10. In Configure Claim Rule, name it E-mail vIDM.
11. Select Active Directory as the attribute store.
The LDAP attribute is E-Mail-Addresses and the outgoing claim type is E-Mail Address.
12. Select Finish and OK
Add Custom Rule to Transform Email Addresses Format
1. Select Edit Claim Issuance Policy and select Add Rule
2. Select Send Claims Using a Custom Rule as the claim rule template
3. Claim rule name: Custom E-mail vIDM
4. Paste the following into the custom rule field:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "workspaceone.euc-livefire.com");
5. Click Finish
Add another claim rule to pass the user name to VMware Identity Manager in the SAML assertion.
1. In the Edit Claim Issuance Policy dialog, on the Issuance Transform Rules tab, click Add Rule.
2. Select Send LDAP Attributes as Claims as the template. Click Next.
3. Give it the name Username vIDM
4. For Attribute store, select Active Directory. In the Mapping of LDAP attributes to outgoing claim types section, select the LDAP attribute SAM-Account-Name and the outgoing claim type E-Mail Address.
Create a custom rule to transform the SAM Account Name attribute retrieved from LDAP in the Username vIDM (Get Attributes) rule into the desired SAML format. The custom rule uses the AD FS claim rule language.
1. Click Add Rule and select Send Claims Using a Custom Rule as the template. Click Next.
2. Name it Custom Username vIDM
3. Enter the following text:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "workspaceone.euc-livefire.com");
4. Select Finish and hit OK
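Both custom rules above have the same shape: match every incoming claim of one type and issue a NameID claim that copies the value and issuer unchanged, only attaching the NameID format and the SPNameQualifier as claim properties. The following is an added example (not AD FS code, and not part of the lab) that interprets exactly that subset of the claim rule language and runs the two rules from this page over a constructed claim set. It assumes a Claim record with "AD AUTHORITY" as the default issuer and the values user1@euc-livefire.com and user1 as what the two Send LDAP Attributes as Claims rules would emit; it ignores every other feature of the language (multiple conditions, add statements, functions, regex matching).

```python
"""Tiny interpreter for the subset of the AD FS claim rule language used in this lab:

    c:[Type == "<in-type>"] => issue(<Field> = <"literal" | c.<Field>>,
                                     Properties["<uri>"] = "<literal>", ...);

Added example to show what the two custom rules do to an incoming claim set.
It is not AD FS and supports nothing beyond this single-condition issue form."""
import re
from dataclasses import dataclass, field

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
FORMAT_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
SPNQ_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"

# The two custom rules from the lab, verbatim.
RULE_EMAIL_NAMEID = '''c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "workspaceone.euc-livefire.com");'''
RULE_USERNAME_NAMEID = '''c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "workspaceone.euc-livefire.com");'''


@dataclass
class Claim:
    """Assumed shape of a claim; 'AD AUTHORITY' is the issuer AD FS uses for LDAP claims."""
    type: str
    value: str
    issuer: str = "AD AUTHORITY"
    original_issuer: str = "AD AUTHORITY"
    value_type: str = "http://www.w3.org/2001/XMLSchema#string"
    properties: dict = field(default_factory=dict)


# Field names used by the language, mapped to Claim attributes.
FIELD_MAP = {"Type": "type", "Value": "value", "Issuer": "issuer",
             "OriginalIssuer": "original_issuer", "ValueType": "value_type"}

RULE_RE = re.compile(
    r'^\s*c:\[Type\s*==\s*"(?P<match>[^"]+)"\]\s*=>\s*issue\((?P<body>.*)\);\s*$', re.S)
ASSIGN_RE = re.compile(
    r'(?:Properties\["(?P<prop>[^"]+)"\]|(?P<name>\w+))\s*=\s*(?:"(?P<lit>[^"]*)"|c\.(?P<ref>\w+))')


def parse_rule(rule_text: str):
    """Return (matched input claim type, list of (target, source) assignments)."""
    m = RULE_RE.match(rule_text)
    if not m:
        raise ValueError("rule is outside the supported subset")
    assignments = []
    for a in ASSIGN_RE.finditer(m.group("body")):
        target = ("prop", a.group("prop")) if a.group("prop") is not None else ("field", a.group("name"))
        source = ("lit", a.group("lit")) if a.group("lit") is not None else ("ref", a.group("ref"))
        assignments.append((target, source))
    return m.group("match"), assignments


def apply_rule(rule_text: str, claims: list) -> list:
    """Issue one new claim for every input claim whose Type matches the rule."""
    match_type, assignments = parse_rule(rule_text)
    issued = []
    for c in claims:
        if c.type != match_type:
            continue
        new = Claim(type="", value="")
        for (tkind, tkey), (skind, sval) in assignments:
            val = sval if skind == "lit" else getattr(c, FIELD_MAP[sval])
            if tkind == "prop":
                new.properties[tkey] = val
            else:
                setattr(new, FIELD_MAP[tkey], val)
        issued.append(new)
    return issued


def run_rules(rules: list, input_claims: list) -> list:
    """Run issuance transform rules in order. As with the AD FS issue statement,
    each issued claim joins both the output set and the input set seen by later rules."""
    working, output = list(input_claims), []
    for rule in rules:
        issued = apply_rule(rule, working)
        working.extend(issued)
        output.extend(issued)
    return output


if __name__ == "__main__":
    # Constructed input: what the two Send LDAP Attributes as Claims rules in the lab
    # would produce for a user whose mail is user1@euc-livefire.com and whose
    # sAMAccountName is user1 (both rules emit the E-Mail Address claim type).
    incoming = [Claim(type=EMAIL, value="user1@euc-livefire.com"),
                Claim(type=EMAIL, value="user1")]
    for claim in run_rules([RULE_EMAIL_NAMEID, RULE_USERNAME_NAMEID], incoming):
        print(claim.value, "->", claim.properties[FORMAT_PROP].rsplit(":", 1)[-1],
              "SPNameQualifier=" + claim.properties[SPNQ_PROP])
```

Because both custom rules match the E-Mail Address claim type and, per step 4 above, the Username vIDM rule also emits that type, this simulator issues a NameID for every combination of value and format. When testing the integration, capture the SAML response in the browser and confirm which NameID value and format vIDM actually receives, and that the format is one of those listed for the identity provider in vIDM.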
Test ADFS integration
Now test that your access policy applies to the SFDC application and redirects you to ADFS for authentication. Remember that to sign into the Workspace ONE portal itself we use the default access policy, where AD username and password are specified.
1. Open an incognito window in the Chrome browser and navigate to https://workspaceone.euc-livefire.com
2. Leave the domain as euc-livefire.com and select Next > Sign in with User1 and VMware1!
3. Once logged in, launch the Salesforce application by clicking on it
4. You will be redirected to ADFS, the IdP we set up earlier
5. Type the UPN email@example.com and PW: VMware1!
6. You should now be redirected back to vIDM and authenticated to SFDC.