Configuring AD FS as a Third-Party IdP in VMware Identity Manager: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE

DOCUMENT – AUGUST 2019

PRINTED 17 OCTOBER 2019


Table of Contents

Legacy

– Legacy

Overview

– Introduction
– Audience
– AD FS vs SAML

Configuring AD FS as a Third-Party IdP in VMware Identity Manager

– Introduction
– Prerequisites
– Installing and Configuring AD FS (Video)
– Downloading the AD FS Federation Metadata XML
– Creating a Third-Party Identity Provider
– Configuring Access Policies in VMware Identity Manager
– Configuring Relying Party Trust in AD FS
– Adding Claim Rules for a Relying Party
– Verifying Configurations
– Troubleshooting

Summary and Additional Resources

– Conclusion
– Terminology Used in This Tutorial
– Additional Resources
– About the Authors
– Feedback


Integrating VMware Identity Manager with Third-Party Active Directory Federation Services: VMware Workspace ONE Operational Tutorial

Legacy

For the latest information on this topic, see Integrating VMware Workspace ONE with Active Directory Federation Services in VMware Docs.

Overview

Introduction

VMware provides operational tutorials to help you with your VMware Workspace ONE® environment. In this tutorial, you set up Active Directory Federation Services (AD FS), a Windows Server component that provides single sign-on access using claims-based authentication. Then, you configure VMware Identity Manager to use AD FS as the third-party identity provider (IdP) for authentication.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, as is familiarity with Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

AD FS vs SAML

By default, VMware Identity Manager federates with identity providers using Security Assertion Markup Language (SAML), in which the identity provider issues a signed assertion of statements about the authenticated user. AD FS expresses the same information as claims carried in a security token, which for a SAML 2.0 relying party such as VMware Identity Manager is itself a SAML assertion. Conceptually, therefore, there are many parallels between SAML and AD FS. Use these similarities, outlined in the previous table, as a foundation for understanding VMware Identity Manager and AD FS integration.


AD FS Claims

A claim is a statement about a user, carrying values such as the user principal name (UPN), email address, role, group, or Windows account name, contained in a trusted token. Trusted parties, known as relying parties, use the values in the claims to decide how to authorize the request.

Claims providers, such as your Active Directory, source and sign these claims. The Federation Service brokers trust between claims providers and relying parties by processing and exchanging claims between them, so that authorization decisions can be made based on the statements in the claims.

1. The client requests a trusted token for access to a relying party, such as a web-hosted application.
2. The client authenticates against AD FS, which validates the credentials against the trusted attribute store.
3. On successful authentication, a trusted token is returned to the client, which presents it to the relying party.
4. The relying party validates the trusted token and allows access.

Configuring AD FS as a Third-Party IdP in VMware Identity Manager

Introduction

Complete the exercises in this tutorial to set up AD FS as a third-party identity provider in VMware Identity Manager. The procedures are sequential and build upon one another, so make sure that you complete the activities in order.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements.

Check whether you have the following components installed and configured:

– Workspace ONE UEM tenant 9.3 or later with admin credentials
– On-premises VMware Identity Manager tenant
– Microsoft Active Directory Federation Services

You must also complete the following exercises, which are located in Deploying On-Premises VMware Identity Manager: VMware Workspace ONE Operational Tutorial.


– Downloading the VMware Identity Manager Connector
– Installing and Configuring the VMware Identity Manager Connector Service
– Configuring your VMware Identity Manager Tenant for AD Users
– Creating and Configuring the VMware Identity Manager Connector
– Syncing Directory Users to VMware Identity Manager

In this tutorial, you configure settings in various admin consoles. Prior to beginning this tutorial, log in to these consoles by completing the following exercises:

– Logging In to the Workspace ONE UEM Console
– Logging In to the VMware Identity Manager Console

Installing and Configuring AD FS (Video)

For this exercise, you need AD FS installed and configured to authenticate domain users. Because the focus of this exercise is integrating VMware Identity Manager with an existing AD FS deployment, it does not provide instructions for installing the AD FS instance from scratch.

To watch a video demonstrating this procedure, click Active Directory Federation Services integration with VMware Identity Manager, or click the video itself.

Downloading the AD FS Federation Metadata XML

To establish trust between VMware Identity Manager and your AD FS instance, you must download the AD FS federation metadata. The metadata is the authoritative statement of your IdP's entity ID, endpoints, and token-signing certificate, so fetch it over HTTPS from a server whose certificate your browser trusts rather than copying it from an untrusted location.

1. Download the Federation Metadata XML

On your desktop, open Chrome and navigate to https://<adfs_server_name>/FederationMetadata/2007-06/FederationMetadata.xml. Replace adfs_server_name with your AD FS server name, for example, adfs.corp.local.

The FederationMetadata.xml file downloads and is stored in your Downloads folder. You will use this file when configuring VMware Identity Manager in a later exercise.

2. Open AD FS Management

Log in to your AD FS server and:

1. Click the Server Manager icon on the taskbar.
2. Click Tools.
3. Click AD FS Management.

3. Locate the FederationMetadata.xml Endpoint

1. Expand Service under AD FS.
2. Click Endpoints.
3. Scroll down to find the Metadata section.
4. Locate the Metadata object with the type Federation Metadata. Note the URL Path.

The link you used to download the Federation Metadata XML was your AD FS hostname (for example, https://adfs.corp.local) followed by your Federation Metadata endpoint as shown in the screenshot (/FederationMetadata/2007-06/FederationMetadata.xml). This is how the Federation Metadata endpoint was found.

4. Open the AD FS Federation Metadata XML in Notepad

On your desktop:

1. Click the File Explorer icon on the taskbar.
2. Click Downloads (or whichever folder your browser saved the file to).
3. Right-click FederationMetadata.xml.
4. Select Edit with Notepad++.

5. Copy the Federation Metadata

1. Right-click and click Select All.
2. Right-click and click Copy.

Creating a Third-Party Identity Provider

In this activity, use the FederationMetadata.xml downloaded from your Federation Service to establish trust between AD FS as the identity provider and VMware Identity Manager as the service provider. Then, create a third-party identity provider (IdP) within VMware Identity Manager.

1. Open Third-Party Identity Provider Settings

In Chrome, open your VMware Identity Manager Administration Console.

1. Click Identity & Access Management.
2. Click Identity Providers.
3. Click Add Identity Provider.
4. Click Create Third Party IDP.

2. Enter Identity Provider Name and SAML Metadata

Open the FederationMetadata.xml file you downloaded earlier and copy the full XML text contained within the document.

1. Enter AD FS for the Identity Provider Name. This is a display name that will be used for this third-party identity provider.
2. Paste the XML text contained in your FederationMetadata.xml file into the SAML Metadata field.
3. Click Process IdP Metadata. This configures certain settings in your identity provider based on the specifications noted within the Federation Metadata.

3. Confirm Processed IdP Metadata

After you click Process IdP Metadata, notice that the SAML AuthN Request Binding and the Name ID format mappings have been configured automatically. These values were taken from the FederationMetadata.xml, which tells VMware Identity Manager where and how to send authentication requests to the third-party identity provider, and which certificate to use when verifying the responses it signs.
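The page does not show what Process IdP Metadata actually reads out of the file. The following is an added example (not VMware's or Microsoft's code) in Python that parses a constructed, trimmed stand-in for AD FS federation metadata and extracts the same settings: entity ID, single sign-on and single logout endpoints per binding, Name ID formats, and the token-signing certificate. The entity ID and endpoint URLs follow AD FS's usual layout for a server named adfs.corp.local; the certificate body is a placeholder. It also refuses metadata that advertises a non-HTTPS endpoint or carries no signing certificate, the two conditions under which the trust would be unsafe or unusable.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SSO_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)

# Constructed, trimmed stand-in for what AD FS publishes at
# https://adfs.corp.local/FederationMetadata/2007-06/FederationMetadata.xml.
# A real file is XML-signed and also carries WS-Federation RoleDescriptor and
# SPSSODescriptor elements; the certificate body here is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.corp.local/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.corp.local/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.corp.local/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.corp.local/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.corp.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the settings a service provider needs from IdP metadata.

    Raises ValueError when the document is not IdP metadata, carries no
    signing certificate, or advertises an endpoint that is not HTTPS.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append("".join((cert.text or "").split()))
    if not signing_certs:
        raise ValueError("no signing certificate: responses could not be verified")

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}

    sso = endpoints("md:SingleSignOnService")
    slo = endpoints("md:SingleLogoutService")
    # Assertions and logout messages pass through these URLs; refuse plaintext ones.
    insecure = [loc for loc in list(sso.values()) + list(slo.values())
                if not (loc or "").lower().startswith("https://")]
    if insecure:
        raise ValueError("non-HTTPS endpoint(s) in metadata: %s" % insecure)

    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "slo": slo,
        "name_id_formats": [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": signing_certs,
    }


def choose_authn_binding(meta: dict) -> str:
    """Pick the SAML AuthN request binding the way an SP does: the first of
    HTTP-Redirect, HTTP-POST that the IdP advertises for single sign-on."""
    for binding in SSO_BINDINGS:
        if binding in meta["sso"]:
            return binding
    raise ValueError("IdP offers neither HTTP-Redirect nor HTTP-POST for SSO")


def metadata_problems(xml_text: str) -> str:
    """Empty string when the metadata is usable, otherwise the reason it is not."""
    try:
        parse_idp_metadata(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], choose_authn_binding(meta), meta["name_id_formats"])
```

Run it against the real file you downloaded by reading it into `parse_idp_metadata`; the entity ID it prints is the value AD FS will also place in the Issuer element of every assertion it sends you, and the signing certificate is the one a service provider must pin for signature verification.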

4. Configure Users and Networks

1. Scroll down until you see the section for Just-in-Time User Provisioning.
2. Deselect the check box for Just-in-Time User Provisioning. Just-in-Time user provisioning creates users in VMware Identity Manager dynamically when they authenticate through this third-party identity provider, if they do not already exist. This can be useful for adding any missed or new users who have not been synced but still belong to the domain(s) that will use this identity provider. Leaving it off means only users already synced from your directory can sign in through AD FS.
3. Select your domain users, for example, corp.local. This determines which users are allowed to use this third-party identity provider when authenticating.
4. Select ALL RANGES for the Network.

5. Configure Authentication Methods

You need to specify which authentication methods this third-party identity provider will use to authenticate the selected users.

1. Scroll down until you see the section for Authentication Methods.
2. Enter SAML Password for the Authentication Method.
3. Select urn:oasis:names:tc:SAML:2.0:ac:classes:Password for the SAML Context.
4. Click the Add (+) button to add another Authentication Method.
5. Enter SAML Kerberos for the Authentication Method.
6. Select urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos for the SAML Context.
7. Click the Add (+) button to add another Authentication Method.
8. Enter Windows Authentication for the Authentication Method.
9. Select urn:federation:authentication:windows for the SAML Context.

The Authentication Methods column acts as a display name for the SAML Context. When creating access policies, the names in the Authentication Methods column appear as the options for which authentication methods to use to authenticate your users. Note that these names must be unique across your VMware Identity Manager tenant and cannot share names with the default authentication methods.

The SAML Context tells the identity provider (AD FS in this instance) how the user should be authenticated. VMware Identity Manager places it in the RequestedAuthnContext element of the signed SAML authentication request (AuthnRequest) that it sends to AD FS when a user attempts to log in to VMware Identity Manager using this third-party identity provider. AD FS then reports how the user was actually authenticated in the AuthnStatement of the SAML assertion it returns, and the service provider compares that value with what it requested.

For reference, the original tutorial shows at this point a sample of the SAML assertion AD FS returns. Notice the AuthnStatement section, which records when the authentication took place and, in its AuthnContextClassRef, how the user authenticated (using Kerberos, in that example).
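To make the request side concrete, here is an added Python example (not code from the tutorial or from VMware) that builds the AuthnRequest a SAML service provider sends for each of the three authentication methods configured above, placing the SAML Context in RequestedAuthnContext, and encodes it for the HTTP-Redirect binding the way an IdP such as AD FS expects (raw DEFLATE, base64, URL-encoded). The SP entity ID, assertion consumer URL and IdP endpoint are assumed placeholder values. Request signing, which VMware Identity Manager performs with the certificate published in its SP metadata, is omitted.

```python
import base64
import re
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# The three authentication methods and their SAML Contexts from the tutorial.
AUTH_CONTEXTS = {
    "SAML Password": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "SAML Kerberos": "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos",
    "Windows Authentication": "urn:federation:authentication:windows",
}

# Assumed placeholder values for this example.
SP_ENTITY_ID = "https://yourtenant.vidmpreview.com/SAAS/API/1.0/GET/metadata/sp.xml"
SP_ACS_URL = "https://yourtenant.vidmpreview.com/SAAS/auth/saml/response"
IDP_SSO_URL = "https://adfs.corp.local/adfs/ls/"   # AD FS SAML endpoint, per its metadata


def build_authn_request(method: str, issue_instant: str, request_id: str = None) -> str:
    """Build the AuthnRequest an SP sends for one of the configured methods.

    The method's SAML Context goes into RequestedAuthnContext with
    Comparison="exact"; the IdP must authenticate the user that way and
    states what it did in the AuthnStatement of the returned assertion.
    """
    if method not in AUTH_CONTEXTS:
        raise ValueError("unknown authentication method: %s" % method)
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z", issue_instant):
        raise ValueError("IssueInstant must be UTC like 2019-10-17T12:00:00Z")
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id or "_" + uuid.uuid4().hex,   # SP remembers this for InResponseTo
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = SP_ENTITY_ID
    # Ask for the emailAddress Name ID that the AD FS custom claim rule issues.
    ET.SubElement(req, "{%s}NameIDPolicy" % SAMLP,
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                   "AllowCreate": "false"})
    rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % SAMLP, {"Comparison": "exact"})
    ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = AUTH_CONTEXTS[method]
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(authn_request_xml: str, relay_state: str = None) -> str:
    """Encode the request for the HTTP-Redirect binding: raw DEFLATE, base64,
    then URL-encode as the SAMLRequest query parameter. A real SP also signs
    the query string (SigAlg and Signature parameters); that is omitted here."""
    raw = zlib.compress(authn_request_xml.encode("utf-8"))[2:-4]  # drop zlib header and trailer
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect_binding(url: str) -> str:
    """What the IdP does on receipt: the reverse of redirect_binding_url."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE, no zlib header


def requested_context(authn_request_xml: str) -> str:
    """The AuthnContextClassRef the SP asked for, as the IdP reads it."""
    ref = ET.fromstring(authn_request_xml).find(
        "{%s}RequestedAuthnContext/{%s}AuthnContextClassRef" % (SAMLP, SAML))
    return ref.text if ref is not None else ""


if __name__ == "__main__":
    xml_out = build_authn_request("SAML Kerberos", "2019-10-17T12:00:00Z")
    print(redirect_binding_url(xml_out, relay_state="workspace-one"))
```

When you later troubleshoot a login, the SAMLRequest parameter in the browser's redirect to /adfs/ls/ decodes exactly as `decode_redirect_binding` does, which is the quickest way to confirm which SAML Context VMware Identity Manager asked for.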

6. Configure Single Sign-Out and Access Service Provider Metadata

1. Scroll down to find the additional configuration options.
2. Enable the Single Sign-Out Configuration, which also signs users out of their identity provider session when they sign out from Workspace ONE. You can optionally provide a Sign-Out URL, to which users are redirected after logging out, and a Redirect Parameter, which appends URL parameters to the Sign-Out URL that the identity provider can use to perform certain actions. In this example, we want users to be redirected to the identity provider (AD FS) using SAML single logout with no additional parameters, so these remain blank.
3. Right-click the Service Provider (SP) Metadata link.
4. Click Copy link address.

You will provide the Service Provider Metadata URL to AD FS in an upcoming step to establish trust between the two parties as identity provider and service provider.

7. Add the Third Party Identity Provider

Click Add to save the configuration of your third-party identity provider for AD FS.

Configuring Access Policies in VMware Identity Manager

This section helps you configure access policies with specific authentication methods in VMware Identity Manager. These authentication methods are used to authenticate domain users with your third-party identity provider instead of using the default access policy rules.

1. Edit the Access Policy

In VMware Identity Manager:

1. Click Identity & Access Management.
2. Click Policies.
3. Click Edit Default Policy.
4. Click the default_access_policy_set to edit it.


2. Create a New Policy Rule

1. Click the Configuration tab.
2. Click Add Policy Rule.

3. Configure General Settings

This policy rule allows domain users to log in using the AD FS authentication methods set up earlier as part of your third-party identity provider configuration.

1. Select ALL RANGES for the network range.
2. Select All Device Types for the content origin.
3. Enter Domain Users into the user groups search box.
4. Click the domain users group, for example, Domain Users@corp.local.

4. Configure the Authentication Methods

1. Scroll down to find the additional configuration options.
2. Select Authenticate using... as the action.
3. Set the first authentication method as SAML Kerberos.
4. Set the fallback authentication method as Windows Authentication.
5. Click Add fallback method.
6. Set the second fallback authentication method as SAML Password.
7. Click Save.

This policy rule first attempts to authenticate users through Kerberos with AD FS. Should that fail or be inapplicable, Windows Authentication is attempted. Lastly, if all other methods have failed or been inapplicable, password authentication is attempted.

5. Re-Order the Policy Rules

The policy rule that handles AD FS authentication for domain users must be processed first; otherwise the All Users rule that you configured for Password (Local Directory) applies to your domain users instead of your intended rule.

1. Click and drag the handle for the policy rule you created for AD FS to the top of the list. Note: This is the rule with the Authentication column listed as SAML Kerberos+.
2. Click Next.

6. Save the Updated Policy Rules


Click Save.

Configuring Relying Party Trust in AD FS

After you have configured your third-party identity provider in VMware Identity Manager and retrieved your service provider metadata, the next step is to configure a relying party trust in AD FS for VMware Identity Manager. This configuration uses your service provider metadata to establish trust between AD FS as the identity provider and VMware Identity Manager as the service provider.

1. Log In to AD FS

For this exercise, you must log in to your AD FS server.

2. Add Relying Party Trust

Return to AD FS Management. If closed, you can either navigate to Server Manager and select Tools > AD FS Management or search for AD FS Management from the Start menu.

1. Expand Trust Relationships.
2. Click Relying Party Trusts.
3. Click Add Relying Party Trust.

This opens the Add Relying Party Trust Wizard. Click Start to begin this process after the wizard displays.

3. Start the Wizard

Click Start.

4. Select Data Source

Provide the Service Provider Metadata URL that you previously copied when creating your third-party identity provider in VMware Identity Manager to establish trust between AD FS and VMware Identity Manager.

1. Select Import data about the relying party published online or on a local network.
2. Right-click in the Federation metadata address text box and click Paste.
3. Confirm that the Service Provider Metadata URL you copied is pasted and matches the format https://{yourtenant}.vidmpreview.com/SAAS/API/1.0/GET/metadata/sp.xml. NOTE: Replace {yourtenant} with the name of your actual tenant.
4. Click Next.

Note: After clicking Next, it may take a few seconds for AD FS to fetch the metadata. Be patient while this loads. Because AD FS retrieves this metadata itself over HTTPS, the AD FS server must be able to reach your tenant and must trust the certificate it presents.

5. Specify Display Name


You have the option to change your display name or add any notes about the relying party here. For this exercise, click Next.

6. Configure Multi-Factor Authentication

Multi-factor authentication (MFA) requires a user to complete two or more authentication challenges from different categories: knowledge (something they know, like a password), possession (something they have, like a hardware token or device), and inherence (something they are, such as biometrics).

Multi-factor Authentication configuration is out of scope for this exercise, so click Next to continue without configuring it.

7. Choose Issuance Authorization Rules

Issuance authorization rules specify whether a user is permitted to be issued a token, and therefore claims, for this relying party. The wizard lets you either permit all users or deny all users; finer-grained rules (for example, restricting issuance to a group) can be added later on the Issuance Authorization Rules tab of the Edit Claim Rules dialog.

1. Select Permit all users to access this relying party. In our case, we want our domain users to use this relying party to authenticate. Note that this means any account that can authenticate to AD FS will receive a token for VMware Identity Manager; the user scope and access policies configured in VMware Identity Manager still decide whether that user can sign in.
2. Click Next.

8. Review and Continue with Relying Party Trust Wizard

Review the information about the relying party before clicking Next. Notice that certificates were also imported from the Service Provider Metadata: AD FS uses the signature-verification certificate to validate signed requests from VMware Identity Manager and the encryption certificate, if present, to encrypt the assertions it sends back to VMware Identity Manager.

9. Finish Relying Party Trust Wizard

1. Keep the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option enabled.
2. Click Close.

Adding Claim Rules for a Relying Party

To properly authenticate your users, you must add claim rules for your relying party. Claim rules control the flow of claims: each takes one or more incoming claims, applies conditions to them, and produces one or more outgoing claims. Claim rules and the claims engine determine whether incoming claims are passed through as received, filtered to meet specific business logic criteria, or transformed into a new set of claims before they are issued as outgoing claims.

In short, think of claim rules as the logic that inspects, processes, and transforms incoming claims into the outgoing claims that determine who is authenticated and how. For more detailed documentation, see The Role of Claim Rules.

In this exercise, you must create two types of claim rules.

1. Send LDAP Attributes as Claims: The outgoing claim contains LDAP attribute values from your attribute store (Active Directory, in this case) that can be used for authentication.
2. Send Claims Using a Custom Rule: Uses the claim rule language to generate and transform your claim to handle the specific business logic required to authenticate the user in VMware Identity Manager.

1. Add Issuance Transform Rules for LDAP Attributes

Claim rules are processed by the claims engine in the order in which they are listed, so the order of your rules matters. The output of one rule can be used as the input of the next rule, so depending on your business logic, you may need to craft carefully how your claims are passed through, processed, or transformed. In this exercise, the custom rule in step 2 consumes the E-Mail Address claim issued by the rule in step 1, so that rule must come first.

1.1. Add Issuance Transform Rule

From the Edit Claim Rules dialog:

1. Ensure the Issuance Transform Rules tab is selected.
2. Click Add Rule.

1.2. Choose Rule Type

1. Select Send LDAP Attributes as Claims for the Claim Rule Template.
2. Click Next.

1.3. Configure Claim Rule

1. Enter Get Attribute Email Address for the Claim Rule Name.
2. Select Active Directory as the Attribute Store.
3. Select E-Mail-Addresses from the LDAP Attribute drop-down menu.
4. Select E-Mail Address from the Outgoing Claim Type drop-down menu.
5. Click Finish.

For this claim rule, you have mapped the E-Mail-Addresses LDAP attribute to the E-Mail Address outgoing claim type and issued the claim. A user whose Active Directory mail attribute is empty receives no such claim, and therefore no Name ID from the next rule, so make sure the users you synced all have an email address set.

2. Add Issuance Transform Rules for Custom Claims Rule

The Get Attribute Email Address claim rule is now created. Next, create a custom claim rule.

Click Add Rule to get started.

2.1. Choose Rule Type

1. Select Send Claims Using a Custom Rule as the Claim Rule Template.
2. Click Next.

2.2. Configure Claim Rule

1. Enter Transform Email Address as the Claim Rule Name.
2. Enter the following text for the Custom rule. Note: Replace the {YOUR_TENANT_NAME}.vidmpreview.com text at the end, in the spnamequalifier property, with your VMware Identity Manager tenant. This rule takes the E-Mail Address claim issued by the previous rule and issues a Name ID claim with the same value, in the SAML 1.1 emailAddress format and qualified with your tenant as the SPNameQualifier, which is the form VMware Identity Manager expects for the subject of the assertion.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(
      Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      Issuer = c.Issuer,
      OriginalIssuer = c.OriginalIssuer,
      Value = c.Value,
      ValueType = c.ValueType,
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
        = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"]
        = "{YOUR_TENANT_NAME}.vidmpreview.com");

3. Click Finish.
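To see what the two claim rules together must produce, and what VMware Identity Manager checks on the way back, here is an added Python example (not code from the tutorial, VMware or Microsoft) that validates a constructed SAML response of the shape AD FS returns: status, issuer, validity window, audience, a Name ID in emailAddress format qualified with the tenant, agreement between the Name ID and the emailaddress attribute issued by the first rule, and an AuthnContextClassRef matching one of the three configured methods. The tenant name, SP entity ID, assertion consumer URL and the user jdoe@corp.local are assumed; the sample is unsigned and trimmed, so XML signature verification against the certificate from the AD FS metadata, which a real service provider must do first, is out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Expected values. The IdP entity ID is what AD FS publishes for a server named
# adfs.corp.local; the tenant host and SP entity ID are assumed placeholders.
IDP_ENTITY_ID = "http://adfs.corp.local/adfs/services/trust"
TENANT_HOST = "yourtenant.vidmpreview.com"
SP_ENTITY_ID = "https://%s/SAAS/API/1.0/GET/metadata/sp.xml" % TENANT_HOST
# The three SAML Contexts configured as authentication methods in the tutorial.
ALLOWED_CONTEXTS = {"urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos",
                    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
                    "urn:federation:authentication:windows"}

# Constructed, trimmed sample of the response AD FS returns once both claim rules
# have run. A real response is XML-signed and also carries SubjectConfirmationData.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2019-10-17T12:00:05Z" InResponseTo="_abc123"
    Destination="https://yourtenant.vidmpreview.com/SAAS/auth/saml/response">
  <saml:Issuer>http://adfs.corp.local/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-10-17T12:00:05Z">
    <saml:Issuer>http://adfs.corp.local/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          SPNameQualifier="yourtenant.vidmpreview.com">jdoe@corp.local</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-10-17T12:00:05Z" NotOnOrAfter="2019-10-17T13:00:05Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://yourtenant.vidmpreview.com/SAAS/API/1.0/GET/metadata/sp.xml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@corp.local</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthnStatement AuthnInstant="2019-10-17T12:00:04Z" SessionIndex="_a1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):  # SAML timestamps are UTC, e.g. 2019-10-17T12:00:05Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_adfs_response(xml_text: str, now_iso: str, in_response_to: str) -> dict:
    """Content checks a service provider applies to an AD FS response. XML signature
    verification against the AD FS metadata certificate must come first (out of scope)."""
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("InResponseTo") != in_response_to:
        problems.append("InResponseTo does not match the request we sent")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # AD FS may send EncryptedAssertion; decrypt before checking
        raise ValueError("no plaintext Assertion in response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        problems.append("unexpected issuer %r" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    window = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not all(window) or not (_ts(window[0]) <= _ts(now_iso) < _ts(window[1])):
        problems.append("assertion outside its validity window")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("assertion not addressed to this SP: %s" % audiences)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    subject = name_id.text if name_id is not None else None
    if name_id is None:
        problems.append("no NameID: the custom rule did not issue a nameidentifier claim")
    elif name_id.get("Format") != EMAIL_FORMAT or name_id.get("SPNameQualifier") != TENANT_HOST:
        problems.append("NameID Format/SPNameQualifier %r/%r not what the claim rule should issue"
                        % (name_id.get("Format"), name_id.get("SPNameQualifier")))
    # The first rule's emailaddress claim and the second rule's NameID must agree.
    email = assertion.findtext('saml:AttributeStatement/saml:Attribute[@Name="%s"]/saml:AttributeValue'
                               % EMAIL_CLAIM, default=None, namespaces=NS)
    if email is None or email != subject:
        problems.append("emailaddress claim %r does not match NameID %r" % (email, subject))
    ctx = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                             default="", namespaces=NS)
    if ctx not in ALLOWED_CONTEXTS:
        problems.append("AuthnContextClassRef %r is not one of the configured methods" % ctx)
    if problems:
        raise ValueError("; ".join(problems))
    return {"subject": subject, "authn_context": ctx, "issuer": issuer}


def response_problems(xml_text: str, now_iso: str, in_response_to: str) -> str:
    """Empty string when the response passes, otherwise the joined list of failures."""
    try:
        check_adfs_response(xml_text, now_iso, in_response_to)
    except (ET.ParseError, ValueError) as exc:
        return str(exc)
    return ""
```

If a login fails at the Workspace ONE side after AD FS has visibly authenticated the user, the failures this function reports (a missing Name ID, a wrong SPNameQualifier, an unexpected issuer) are the usual culprits, and each maps directly to one of the settings made in the claim rules or the third-party IdP configuration above.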

3. Apply Claim Rules

1. Click Apply.
2. Click OK to close the Edit Claim Rules dialog box.

Verifying Configurations

To confirm that the previous configurations are working, log in to Workspace ONE on a Windows machine using a domain user.

1. Authenticate as a Domain User in the Browser


1. Open Google Chrome.
2. Navigate to your VMware Identity Manager tenant URL (https://{yourtenant}.vidmpreview.com).

   Note: Replace {yourtenant} with the name of your tenant.

3. Enter a username which is one of the domain users you synced.
4. Deselect Remember this setting.
5. Click Next.

Note: The authentication may take several seconds to process; be patient after clicking Next.

2. Confirm Authentication was Successful


Notice that the user was logged into the VMware Identity Manager tenant without having to enter their credentials. Upon logging in as a domain user, the third-party identity provider attempted to authenticate the user using Kerberos first. After the claim is processed in AD FS, the claim is transformed using the Claim Rules created earlier, and AD FS responds in a manner that VMware Identity Manager is able to process, as a result authorizing the user to log in using SAML.

1. Click the user drop-down menu.
2. Click Sign Out.

Note: Signing out may take several seconds to process from AD FS. Wait until you are taken back to the VMware Identity Manager login page.

This clears the login cookie for the user you logged in as. The next exercise demonstrates using the VMware Workspace ONE app to log in, so the cookie needs to be cleared first.

3. Authenticate as a Domain User in the VMware Workspace ONE App


1. Launch the VMware Workspace ONE app.
2. Enter your VMware Identity Manager tenant URL.
3. Click Continue.

4. Log In as a Domain User


1. Enter a domain user, for example, holuser.
2. Click Next.

5. Confirm Authentication was Successful


As seen in your browser session, the claim is transformed and the outgoing claim authorizes the user to access Workspace ONE using SAML without having to enter their credentials.

After successfully authenticating, you should see a message indicating that your workspace is being configured, and eventually that the workspace is ready. Click Enter.

Clear Authorization Cookies (If Needed)


The authorization cookies last 8 hours after you authenticate to VMware Identity Manager. If you need to re-authenticate to test, you can either shorten the re-authentication timers of the Access Policy rules you configured, or you can clear your authorization cookies so that the browser and VMware Workspace ONE app sessions are removed, which forces the user to authenticate again.

1. Open Google Chrome and click the Options icon.
2. Click Settings.

1. Navigate to Clear Browser History


1. Enter Clear Browsing Data in the search box.
2. Scroll down and click Clear Browsing Data.

2. Clear Cookies


1. Select the beginning of time for the period.
2. Ensure Cookies and other site data is selected.
3. Click Clear Browsing Data.

3. Confirm or Inspect Cookies


To check if any cookies exist or to see which cookies are being stored for your VMware Identity Manager session, navigate back to Google Chrome:

1. Right-click anywhere to pull up the options menu.
2. Click Inspect. Alternatively, you can use Ctrl + Shift + i to view the console.
3. Select the Application tab.
4. Find the Cookies section under Storage. If there are no cookies listed, then you currently have no authorization cookies for your VMware Identity Manager tenant. If they do exist, you can see them after you select your tenant URL under Cookies.
5. You can also use the Delete button to remove all cookies for this page.

Troubleshooting

This section reviews some issues you may experience while attempting to integrate a third-party identity provider with VMware Identity Manager and what troubleshooting steps you can take.

Cannot Log In to the VMware Identity Manager Tenant

Problem:

When the Access Policies are configured incorrectly, authentication may fail for some or all users. This can cause even your local accounts to be unable to log in to the tenant to resolve the issue.

Solution:


To log in to the tenant and bypass the configured Access Policies causing the authentication issue, append ?login to your default login URL:

https:///SAAS/auth/login?login

VMware Identity Manager: Cannot Update Identity Provider

Problem:

While adding or editing an identity provider and attempting to add or update an authentication method, you see the error “Cannot update Identity Provider”. This prevents you from adding or editing authentication methods when you click Save.

Solution:

The SAML context name must be unique in your VMware Identity Manager tenant, including names used by the default authentication methods. Rename your SAML context name for the chosen authentication method and click Save.

VMware Identity Manager: Federation Artifact not found

Problem:

When attempting to log in to VMware Identity Manager, you see the error 404.idp.not.found, federationArtifact.not.found Federation Artifact not found, or another error that indicates that an identity provider or federation artifact could not be found to authenticate the user. This occurs when no access policies are set up to handle authenticating the network range, device type, user group, or attempted authentication methods, or if the claim rules for the relying party are misconfigured.

Solution:

– In the access policy rules, create an access policy that includes the network range, device type, user group, and authentication method you are attempting to log in with. Ensure these authentication methods are enabled and active for your identity providers and that they apply to the network range and user group you are expecting.
– Ensure your relying party trust claim rules were properly configured based on the examples provided. The claim values are case sensitive. Also, ensure you properly replaced your spnamequalifier in the custom claim rule with your VMware Identity Manager tenant.

AD FS Error: Contact your Administrator

Problem:

When users attempt to authenticate using claims-based authentication to AD FS, they see a login page that displays Error: Contact your administrator. This occurs because AD FS cannot properly authenticate the claim.

Solution:

– Ensure you properly established trust between AD FS as the identity provider and VMware Identity Manager as the service provider. Re-export the FederationMetadata.xml files or URLs and ensure you uploaded the correct metadata for each component.
– Ensure your relying party trust claim rules were properly configured based on the examples provided. The claim values are case sensitive, and ensure you properly replaced your spnamequalifier in the custom claim rule with your VMware Identity Manager tenant.
– Ensure the authentication methods configured for the access policies applied to your domain users are correctly using the authentication methods set up for the AD FS identity provider.
– Ensure you are not attempting to authenticate local users from VMware Identity Manager that do not exist within your Active Directory. Local users should be authenticated using the Password (Local Directory) authentication method, not authentication methods configured for AD FS, because AD FS will fail to find these local user accounts in AD.


AD FS: Failed Authentication Requests and Viewing Logs


Problem:

When users attempt to authenticate using claims-based authentication to AD FS from VMware Identity Manager, they are redirected to AD FS for their credentials appropriately but then receive an error that they could not be authenticated. AD FS may be configured incorrectly, causing issues with consuming incoming claims, generating outgoing claims, or other issues that would cause authentication to fail.

Solution:

– After installing and configuring AD FS, Server Manager will contain an AD FS Dashboard in the left menu. From here, an Events view is available which can be configured to log events of different severities (Informational, Warning, Error, or Critical) within a certain time period. This view can be configured by clicking Tasks > Configure Event Data, which is next to the Events view on this AD FS Dashboard.
– Alternatively, you can use Event Viewer to view the AD FS logs. From Event Viewer, find the logs by navigating to Applications and Services Logs > AD FS Tracing > Debug. To begin receiving logs, right-click the Debug file and select Enable Log. If you want to stop tracking events this way, you can right-click the Debug file and select Disable Log to return it to the original state.

Both solutions allow you to see traces of your authentication attempts. Failures and issues are typically noted with the severity levels of Error or Critical, so inspect your logs to see what is causing your authentication to fail. Typical authentication issues could be:

– The third-party identity provider configuration in VMware Identity Manager is not sending a name ID format that the identity provider (AD FS) is expecting to query a user from the attribute store with.
– The third-party identity provider and/or access policies in VMware Identity Manager are using authentication methods that the identity provider (AD FS) is not handling or cannot handle due to the authentication methods allowed for intranet versus extranet. These intranet versus extranet authentication methods can be viewed in AD FS by navigating to AD FS Management > AD FS > Authentication Policies > Primary Authentication. By default, extranet authentication uses forms authentication whereas intranet uses Windows authentication. Therefore, if you are attempting to authenticate users in your intranet by using forms authentication, this will fail until you update the Primary Authentication settings to also allow forms authentication for intranet requests.
– The relying party trust was misconfigured in AD FS. If you imported the service provider metadata from VMware Identity Manager, this should not be an issue.
– The relying party claim rules were misconfigured. The exact configuration issues depend on what claim rule templates you used, but double-check that you have access to the attributes you are expecting in the claim as well as your attribute store. If you are using custom claim rules, double-check that your claim engine logic is correct and without syntax issues and that it is returning an outgoing claim that your service provider is expecting. Service providers will require different configurations, so it is best to find documentation for that service (for example, VMware Identity Manager, Okta, Ping) and see what they are expecting in their claims from AD FS to properly authenticate users.
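The dashboard and Event Viewer steps above can be scripted so the same evidence is collected the same way on every AD FS node. The following is an added example and not part of the original tutorial: it pulls the Error and Critical events from the AD FS admin log for a recent window, enables the AD FS Tracing/Debug channel (the PowerShell equivalent of the Enable Log step) if it is off, and compares the intranet and extranet primary authentication providers against the forms-authentication requirement described in the list above. The one-hour window and the $AllowIntranetForms switch are assumed defaults, not values from the tutorial.

```powershell
# Added example (not from the VMware tutorial): collect the AD FS diagnostics the
# troubleshooting section describes, from an elevated PowerShell session on the AD FS server.
# Assumed defaults: a one-hour look-back and no policy change unless $AllowIntranetForms is set.
Import-Module ADFS

$HoursBack          = 1       # how far back to look for failed requests (assumed default)
$AllowIntranetForms = $false  # set to $true to add FormsAuthentication for intranet requests

# 1. Failed requests. Sign-in failures land in the "AD FS/Admin" channel;
#    Level 1 = Critical and Level 2 = Error, the severities the tutorial says to inspect.
$Failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'AD FS/Admin'
    Level     = 1, 2
    StartTime = (Get-Date).AddHours(-$HoursBack)
} -ErrorAction SilentlyContinue

if (-not $Failures) {
    Write-Host "No Error/Critical AD FS events in the last $HoursBack hour(s)."
} else {
    # Only the first line of each message is shown; the full text carries the inner
    # exception (claim rule syntax error, unknown relying party, missing attribute).
    $Failures |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}

# 2. Trace log. "AD FS Tracing/Debug" is an analytic channel that is disabled by default.
#    wevtutil sl ... /e:true is what Event Viewer's "Enable Log" does; turn it back off with
#    /e:false once the failing sign-in has been reproduced, because the channel is verbose.
$TraceState   = "$(wevtutil gl 'AD FS Tracing/Debug' | Select-String '^enabled:')"
$TraceEnabled = $TraceState -match 'true'
if (-not $TraceEnabled) {
    wevtutil sl 'AD FS Tracing/Debug' /e:true
    Write-Host 'Enabled AD FS Tracing/Debug. Reproduce the sign-in, then disable with: wevtutil sl "AD FS Tracing/Debug" /e:false'
} else {
    Write-Host 'AD FS Tracing/Debug is already enabled.'
}

# 3. Primary authentication. By default intranet requests get Windows authentication and
#    extranet requests get forms authentication. A VMware Identity Manager access policy that
#    expects forms (password) authentication from the intranet fails until forms is allowed there.
$Policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet primary providers: $($Policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet primary providers: $($Policy.PrimaryExtranetAuthenticationProvider -join ', ')"

if ('FormsAuthentication' -notin $Policy.PrimaryIntranetAuthenticationProvider) {
    Write-Host 'Intranet primary authentication does not allow FormsAuthentication.'
    if ($AllowIntranetForms) {
        # Same change as AD FS Management > Authentication Policies > Primary Authentication >
        # Intranet; the existing providers are kept and FormsAuthentication is added alongside them.
        $Providers = @($Policy.PrimaryIntranetAuthenticationProvider) + 'FormsAuthentication'
        Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $Providers
        Write-Host "Intranet primary providers are now: $($Providers -join ', ')"
    }
}
```

Reading the three outputs together usually narrows the cause quickly: an Error event naming the relying party points at trust or claim-rule configuration, no events at all with a redirect loop points at the access policy or authentication method on the VMware Identity Manager side, and an intranet provider list without FormsAuthentication explains password prompts that fail only from inside the network.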

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to add AD FS as a third-party IdP in VMware Identity Manager, configure access policies in VMware Identity Manager, and configure a relying party trust in AD FS. It also reviewed how to install and configure AD FS.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.

auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.

catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.

cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.

device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).

identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.

mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.

one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.

service provider (SP): A host that offers resources, tools, and applications to users and devices.

virtual desktop: The user interface of a virtual machine that is made available to an end user.

virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.


Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Authors

This tutorial was written by:

Shardul Navare, Senior Technical Marketing Architect, End-User-Computing Technical Marketing, VMware
Justin Sheets, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
Camilo Lotero, Senior Solutions Engineer, End-User Computing Identity & Access Management, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at [email protected].

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001

www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.