This post shows how to integrate Active Directory Federation Services (AD FS) with VMware Workspace ONE. Reusing the identity infrastructure an organization already runs, AD FS integration gives users a consistent authentication experience across platforms and device types.
The procedure below configures AD FS as a third-party identity provider for VMware Identity Manager. Completing these steps establishes AD FS as a Workspace ONE identity provider.
AD FS for Workspace ONE
Workspace ONE unifies Identity Manager access control and application management and VMware AirWatch unified endpoint management (UEM) technology into a single platform. Available as a cloud service or for on-premises deployments, the Workspace ONE platform enables IT to deliver and manage any app on any device.
AD FS & Identity Manager Integration
AD FS Overview
AD FS implements identity federation with claims-based authentication and authorization, providing single sign-on access to applications and systems that trust it.
What’s a Claim?
A claim is a statement about a user that can include values like the user principal name (UPN), email address, role, group or Windows account name.
Claims are carried in a security token that the issuing party (the claims provider) signs. The other party in the federation, known as a relying party, trusts that issuer: it validates the token signature and evaluates the claims to decide whether, and as which identity, the user is authorized.
AD FS vs. SAML Authentication
By default, Identity Manager uses Security Assertion Markup Language (SAML), in which an identity provider issues signed assertions about the user. AD FS uses its own (WS-Federation derived) vocabulary for the same concepts, and also speaks SAML 2.0, which is the protocol this integration uses. The list below maps the two vocabularies; use these parallels as a foundation for understanding AD FS integration with Identity Manager.
AD FS term / SAML term – Description
Security Token / Assertion – Collection of XML-formatted security information describing a user, created and consumed during a federated access request.
Claims Provider / Identity Provider – Partner in a federation that authenticates users and creates security tokens for them.
Relying Party / Service Provider – Partner in a federation that consumes security tokens to provide access to applications.
Claims / Assertion Attributes – Data about users that is sent inside security tokens.
Integrate AD FS with Identity Manager
Before You Begin AD FS Integration
Identity Manager Tenant: Use a Software-as-a-Service (SaaS) or on-premises instance of Identity Manager to which you have administrator access.
Install AD FS: Install AD FS on a domain-joined Windows Server to which you have local administrator access. Configuring the federation service additionally requires an account with domain administrator privileges.
Configure AD FS Integration with Identity Manager
The following sections give step-by-step instructions for each stage of the integration.
Install AD FS
Log on to the server that will host AD FS. This example uses Windows Server 2012 R2 to install the AD FS server role.
Open Server Manager.
From the top-right corner, navigate to Manage > Add Roles and Features and configure the settings:
Installation Type – Select Role-based or feature-based installation.
Server Selection – Select the intended server.
Server Roles – Enable Active Directory Federation Services.
Features – Click Next to continue with modifications.
Step through the remaining instructions and click Install.
Configure AD FS
Within Server Manager, next to Manage, select the notifications flag.
Under the Post-deployment Configuration notification, click Configure the federation service on this server and complete the fields:
Connect to AD DS – Specify an account with Active Directory domain administrator privileges to perform the federation service configuration.
Specify Service Properties – Configure the following settings:
SSL certificate – Select the TLS certificate the federation service will present. Its subject or subject alternative name must cover the Federation Service Name, and it must have a private key in the local machine store.
Federation Service Name – Provide the DNS name of the AD FS service endpoint. For example, adfs.airwlab.com.
Federation Service Display Name – Provide the display name shown on the sign-in page. For example, AIRWLAB Federation Services.
Specify Service Account – Select an existing domain user account for the AD FS service account, or create a new one. Creating a new account requires appropriate access permissions.
Specify Configuration Database – Choose between using the Windows Internal Database or providing a SQL Server database. If prompted to overwrite an existing AD FS configuration database, overwrite only when this is a fresh installation; overwriting discards the existing federation service configuration on that server.
Confirm the pre-requisites, and click Configure.
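The same installation and configuration, done from an elevated PowerShell session on the future AD FS server. This is an added example and not part of the original post; it assumes the federation service name adfs.airwlab.com and display name AIRWLAB Federation Services used above, a certificate already present in the machine store, and the Windows Internal Database. The certificate check before Install-AdfsFarm is the one the wizard does not make for you.

```powershell
# Added example (not part of the original post): Server Manager steps as PowerShell.
# Assumptions: service name and display name from the post; certificate already installed;
# Windows Internal Database (the default when no SQL connection string is given).
$FederationServiceName = 'adfs.airwlab.com'
$DisplayName           = 'AIRWLAB Federation Services'

# 1. Install the role (Add Roles and Features > Active Directory Federation Services).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# 2. Select the SSL certificate. The wizard accepts any certificate; this refuses one that
#    is expired, lacks a private key, or whose subject/SAN does not cover the service name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.DnsNameList.Unicode -contains $FederationServiceName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate in LocalMachine\My covers $FederationServiceName"
}

# 3. Credentials: the AD FS service account and the domain administrator performing the setup.
$svcCred   = Get-Credential -Message 'AD FS service account (for example CORP\svc-adfs)'
$adminCred = Get-Credential -Message 'Domain administrator account used to configure the farm'

# 4. Create the farm. Add -OverwriteConfiguration only on a fresh server: it discards any
#    existing AD FS configuration, which is the caveat behind the wizard's overwrite prompt.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FederationServiceName `
                 -FederationServiceDisplayName $DisplayName `
                 -ServiceAccountCredential $svcCred `
                 -Credential $adminCred

# 5. Verify the result: service name, display name, and the token-signing certificate
#    AD FS generated (Identity Manager will trust assertions signed with this key).
Get-AdfsProperties | Select-Object HostName, DisplayName
Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary
```

Install-AdfsFarm also accepts -GroupServiceAccountIdentifier in place of -ServiceAccountCredential when you prefer a group Managed Service Account, which avoids storing a service password at all.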
AD FS Management
From Server Manager, select Tools > AD FS Management.
Download a copy of the federation metadata (FederationMetadata.xml, which AD FS publishes at https://<Federation Service Name>/FederationMetadata/2007-06/FederationMetadata.xml) for later use establishing trust between VMware Identity Manager and AD FS.
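Before pasting the metadata into Identity Manager it is worth confirming that it describes the farm you just built. The script below, an added example that is not part of the original post, downloads FederationMetadata.xml, prints the entityID that Identity Manager will trust as issuer, and checks that the signing certificate advertised in the file matches the token-signing certificate AD FS currently uses. It assumes the service name adfs.airwlab.com from the post and is meant to run on the AD FS server (Get-AdfsCertificate needs the ADFS module).

```powershell
# Added example (not part of the original post): fetch and sanity-check AD FS metadata.
# Assumption: federation service name from the post; run on the AD FS server.
$FederationServiceName = 'adfs.airwlab.com'
$MetadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$OutFile     = Join-Path $env:USERPROFILE 'Desktop\FederationMetadata.xml'

# A TLS failure here means the SSL certificate chosen during configuration is untrusted by
# this client or does not match the service name; fix that before Identity Manager talks to AD FS.
Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing
[xml]$md = Get-Content -Path $OutFile -Raw

# The entityID becomes the trusted issuer in Identity Manager; a stale name from a rebuilt
# farm would make every assertion fail issuer validation.
"entityID: $($md.EntityDescriptor.entityID)"

# Token-signing certificates advertised for the IdP role, as thumbprints.
$idp = $md.EntityDescriptor.IDPSSODescriptor
$advertised = foreach ($kd in $idp.KeyDescriptor) {
    if ($kd.use -eq 'signing') {
        $raw  = [Convert]::FromBase64String($kd.KeyInfo.X509Data.X509Certificate)
        $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        $x509.Thumbprint
    }
}

# Compare with the certificate AD FS actually signs with today. A mismatch means the file
# is out of date (for example after a certificate rollover) and must be re-downloaded.
$actual = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint
if ($advertised -notcontains $actual) {
    throw "Metadata signing cert(s) [$($advertised -join ', ')] do not include current token-signing cert $actual"
}
"Token-signing certificate in metadata matches AD FS: $actual"

# The SAML single sign-on endpoint Identity Manager will redirect users to.
$idp.SingleSignOnService | Where-Object Binding -like '*HTTP-Redirect' | Select-Object Location
```

Keep this check in mind for later too: when AD FS rolls its token-signing certificate, the metadata must be re-imported into Identity Manager or sign-ins will start failing with signature errors.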
VMware Identity Manager Configuration
Log in to your Identity Manager tenant with an administrator account.
Navigate to Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP.
Identity Provider Name – Use any name as desired. For example, ADFS.
SAML Metadata – Paste the contents of the previously downloaded FederationMetadata.xml file into the field, and click Process IdP Metadata. The Name ID format mappings are populated from the imported metadata. This establishes trust in AD FS as an identity provider for VMware Identity Manager.
Just-in-Time User Provisioning – Leave this setting disabled, because this guide does not cover this implementation.
Users – Select the Directory that this Identity Provider applies to. For example, select the synced corp.local directory, which contains the corp.local domain users.
Network – If network ranges are set up, choose the range this identity provider applies to. Use the default value, ALL RANGES, to apply the identity provider across all networks.
Authentication Methods – Choose the methods used to authenticate users processed by this identity provider. Each method maps to a SAML authentication context that AD FS must return in the assertion:
Authentication Method – SAML Context
SAML Password – urn:oasis:names:tc:SAML:2.0:ac:classes:Password
SAML Kerberos – urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
Windows Auth – urn:federation:authentication:windows
Single Sign-Out Configuration – Allow users to end their IdP session when they sign out from the Workspace ONE apps portal.
Service Provider Metadata – Open a URL that contains the metadata required to establish trust between AD FS and the VMware Identity Manager tenant. Copy this URL; the relying party trust in AD FS imports it.
Click Save.
Configure Relying Party Trust in AD FS
Return to AD FS Management and navigate to AD FS > Trust Relationships > Relying Party Trusts > Add Relying Party Trust.
Select Data Source – Import the metadata using the URL or the file. For example, provide the Service Provider Metadata URL from the previous step.
Multi-Factor Authentication – Configuring Multi-Factor Authentication (MFA) is beyond the scope of these instructions, so leave this option disabled.
Issuance Authorization Rules – Permit all users to access this relying party. (Access can be narrowed later with issuance authorization rules; Identity Manager access policies apply in addition.)
Ready to Add Trust – Review the settings, and click Next to add the trust.
Select the option, Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, and add the following claim rules.
Add the Get Attributes Email Address Rule
Click Add Rule.
Select Send LDAP Attributes as Claims, and click Next.
Claim Rule Name – Get Attributes Email Address
Attribute Store – Active Directory
LDAP Attribute – E-Mail-Address
Outgoing Claim Type – E-Mail Address
Click Finish.
Add the Transform Email Address Rule
Click Add Rule.
Select Send Claims Using a Custom Rule, and click Next.
Claim Rule Name – Transform Email Address
Custom Rule – Enter the rule below, changing the spnamequalifier value to your VMware Identity Manager URL:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "yourtenant.vmwareidentity.com");
This rule turns the E-Mail Address claim into the SAML NameID (format emailAddress) that Identity Manager uses to match the user, so the mail attribute in Active Directory must equal the email address of the corresponding synced user in Identity Manager.
Click Finish.
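The relying party trust and both claim rules above can also be created with the ADFS PowerShell module, which has the advantage that the rules are reviewable text. This is an added example and not the post's own procedure. It assumes the placeholder tenant yourtenant.vmwareidentity.com from the post and that you replace $SpMetadataUrl with the Service Provider Metadata URL copied from the Identity Manager identity provider form; the first rule is the text the "Send LDAP Attributes as Claims" template generates for E-Mail-Address, the second is the custom rule from the post.

```powershell
# Added example (not part of the original post): relying party trust + claim rules via PowerShell.
# Assumptions: tenant placeholder from the post; $SpMetadataUrl must be replaced with the
# Service Provider Metadata URL shown in the Identity Manager IdP configuration.
$TenantHost    = 'yourtenant.vmwareidentity.com'
$SpMetadataUrl = 'REPLACE-WITH-SERVICE-PROVIDER-METADATA-URL'
$TrustName     = 'VMware Identity Manager'

# Issuance transform rules in AD FS claim rule language.
# Rule 1: what the "Send LDAP Attributes as Claims" template emits for mail -> E-Mail Address.
# Rule 2: the custom rule from the post; SPNameQualifier is set to the tenant host.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Get Attributes Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Transform Email Address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$TenantHost");
"@

# "Permit all users to access this relying party", as chosen in the wizard above.
# To restrict to one AD group instead, match its SID on the groupsid claim, for example:
#   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "<group SID>"]
#    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
$authorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Import the SP metadata over HTTPS (the Select Data Source step) and attach both rule sets.
# Monitoring/auto-update keeps the trust in sync if Identity Manager rolls its SP certificate.
Add-AdfsRelyingPartyTrust -Name $TrustName `
                          -MetadataUrl $SpMetadataUrl `
                          -IssuanceTransformRules $transformRules `
                          -IssuanceAuthorizationRules $authorizationRules `
                          -MonitoringEnabled $true `
                          -AutoUpdateEnabled $true

# Verify what AD FS stored: the identifier taken from the SP metadata, and the rule text.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
$rp | Select-Object Name, Identifier, Enabled
$rp.IssuanceTransformRules
```

Because the NameID is built from the mail attribute, anyone able to edit a user's mail attribute in Active Directory can change which Identity Manager account that user lands in; treat write access to that attribute as equivalent to access to the accounts it can be pointed at.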
Identity Manager Policy Configuration
Return to your VMware Identity Manager tenant. In the Administration Console, navigate to Identity & Access Management > Policies.
Click the default_access_policy_set.
Add new Policy Rules:
Handle Local Users Authenticating into the Workspace ONE Portal