Integrating PingFederate: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.3 and later; VMware Identity Manager 3.2 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you integrate PingFederate with Workspace ONE. Procedures include adding Workspace ONE as an IdP connection in PingFederate and adding PingFederate as a third-party IdP in Workspace ONE.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, as is familiarity with Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

Adding Workspace ONE as an IdP Connection in PingFederate

Introduction

This tutorial helps you to integrate VMware Workspace ONE® with PingFederate®. In this section, you add Workspace ONE as an IdP connector in PingFederate. Procedures include:

  • Creating the IdP connector
  • Creating and configuring the authentication policy contract
  • Configuring protocol settings
  • Configuring PingFederate application in Workspace ONE Access
  • Configuring Salesforce in PingFederate
  • Testing authentication to Salesforce using PingFederate

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured.

  • Admin access to both a Workspace ONE Access tenant and a PingFederate appliance
  • PingFederate must have both Identity Provider and Service Provider roles enabled
  • Test application federated with PingFederate (to follow the steps in this exercise, use Salesforce)
  • Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
  • Optional: Mobile device to test redirection to Workspace ONE

Retrieving Metadata from Workspace ONE Access

Before configuring Workspace ONE as an identity provider connector, you must collect the appropriate metadata from the Workspace ONE Access tenant.

4. Save Metadata File

Click Save to save the idp.xml file locally on your computer.

Creating Identity Provider Connection

After you have exported the metadata, you are ready to create the identity provider (IdP) connection.

1. Create New IdP Connection

In the PingFederate admin console:

  1. Click Service Provider.
  2. Click Create New to create a new IdP Connection.

2. Configure Connection Type

  1. Select BROWSER SSO PROFILES.
  2. Click Next.

3. Select Connection Options

  1. Select BROWSER SSO for this connection.
  2. Click Next.

4. Import Metadata

  1. Select File as the option to import metadata.
  2. Click Choose File.

5. Select Metadata File

  1. Select the idp.xml file previously downloaded from the Workspace ONE Access tenant.
  2. Click Open.

6. Confirm File Uploaded

  1. Verify that the correct file was uploaded.
  2. Click Next.

7. Confirm Entity ID

  1. Verify that the Entity ID matches your tenant.
  2. Click Next

8. Review Configuration

Click Next to configure Browser SSO settings.

9. Configure Browser SSO

Click Configure Browser SSO.

10. Select SAML Profiles

  1. Select IDP-INITIATED SSO.
  2. Select SP-INITIATED SSO.
  3. Click Next.

11. Configure User-Session Creation

Click Configure User-Session Creation.

12. Select Identity Mapping Mode

  1. Select Account Mapping.
  2. Click Next.

13. Confirm Attribute Contract

In this exercise, Workspace ONE Access sends only a single attribute in the assertion (SAML_SUBJECT).

Click Next to Map a New Authentication Policy.

Creating a New Authentication Policy Contract

In this section, you continue to configure the IdP connection. This connection does not use any local adapter instances for authentication. Instead, you map it to an authentication policy which you create in this exercise.

1. Map New Authentication Policy

Click Map New Authentication Policy.

2. Manage Authentication Policy Contract

Click Manage Authentication Policy Contracts.

3. Create New Contract

Click Create New Contract.

4. Enter Contract Name

  1. Enter a contract name, for example, Workspace ONE.
  2. Click Next.

5. Confirm Attribute Contract

This configuration uses a single attribute (SAML_SUBJECT).

Click Next.

6. Review Contract Details

Click Done.

7. Confirm Contract Creation

Validate that the new contract has been created.

Click Save.

Configuring the Authentication Policy Contract

In this section, continue the IdP Connection wizard to configure the policy contract. 

1. Select the New Policy Contract

  1. Select the new policy contract from the drop-down menu. For example, Workspace ONE.
  2. Click Next.

2. Select Authentication Policy Contract Subject

For this setup, Salesforce requires only the attribute provided in the assertion (SAML_SUBJECT) to fulfill the contract. Depending on the SaaS application you are using to test this configuration, you might need attributes beyond what the assertion carries, in which case the contract would retrieve them from an attribute source such as Active Directory instead.

  1. Select Use only the attributes available in the SSO assertion.
  2. Click Next.

3. Select Contract Fulfillment Values

  1. Select Assertion from the drop-down menu.
  2. Select SAML_SUBJECT from the drop-down menu.
  3. Click Next.

4. Review Optional Issuance Criteria

Click Next.

5. Confirm Authentication Policy Contract Details

Verify the Authentication Policy Contract summary.

Click Done.

6. Confirm Policy Contract is Mapped

  1. Verify that the new Authentication Policy Contract has been mapped.
  2. Click Next.

7. Confirm User-Session Creation Details

Click Done.

Configuring Protocol Settings

In this section, configure the Browser SSO Protocol Settings including SSO service URLs, SAML bindings, and signature and encryption policy settings.

1. Continue to Protocol Settings

Click Next.

2. Configure Protocol Settings

Click Configure Protocol Settings.

3. Confirm SSO Service URLs

  1. The Endpoint URLs for the Redirect and POST bindings should both be populated automatically from the metadata. If not, enter them manually. The path is the same for both bindings in all tenants, /SAAS/auth/federation/SSO, so the full URL is https://<your Workspace ONE Access tenant FQDN>/SAAS/auth/federation/SSO. Check that the host is your own tenant and that the scheme is https; this is where PingFederate sends its authentication requests.
  2. Click Next.

4. Select SAML Bindings

  1. Select POST.
  2. Select REDIRECT.
  3. Click Next.

5. Review Optional Overrides

Click Next.

6. Configure Signature Policy

  1. Select Specify Additional Signature Requirements.
  2. Select Sign Authn Requests Over Post and Redirect Bindings.
  3. Click Next.

7. Review Optional Encryption Policy Settings

Encryption of the SAML assertion is optional. For this configuration it is not required: the assertion carries only the subject identifier and travels to PingFederate over TLS. If you later add attributes to the assertion that should not be readable by the browser that relays it, revisit this setting.

Click Next.

8. Confirm Protocol Settings Configuration

Click Done.

9. Confirm Protocol Settings Applied

Click Next.

10. Review Protocol Settings

Review the Browser SSO summary.

  1. Scroll to the bottom.
  2. Click Done.

Completing Identity Provider Connection

In this section, complete the final IdP connection details.

1. Continue to Configure Credentials

Click Next.

2. Confirm Credential Requirement Details

  1. The signing certificate should be populated automatically from the metadata. Confirm that it is the certificate contained in idp.xml (compare the subject and expiry date, or a fingerprint); PingFederate uses it to verify the signature on every assertion received from Workspace ONE Access.
  2. Click Next.

3. Select Connection Status

Select Active.

4. Save Configuration

  1. Scroll down to the bottom of the summary.
  2. Click Save.

5. Confirm IdP Connection Creation

Validate that the new IdP Connection has been created.
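Before importing idp.xml (step 4 of Creating Identity Provider Connection) and again at the Credentials step, it is worth checking the file directly rather than trusting what the wizard auto-populates. The following Python script is an added example, not part of this tutorial or of either product. It parses a constructed metadata file in the shape Workspace ONE Access exports, confirms that the entity ID and both SingleSignOnService endpoints belong to the expected tenant host and use the /SAAS/auth/federation/SSO path over HTTPS, and computes the SHA-256 fingerprint of the signing certificate for comparison with what the PingFederate console shows. The hostname tenant.example.com, the entity ID format, and the certificate bytes are placeholders and assumptions.

```python
"""Pre-import checks on a Workspace ONE Access idp.xml. Added example; not from the tutorial."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SSO_PATH = "/SAAS/auth/federation/SSO"  # same path in every tenant (from the tutorial)

# Constructed sample in the shape Workspace ONE Access exports. The hostname, the entityID
# format and the certificate bytes are placeholders, not values taken from a real tenant.
_FAKE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real DER certificate").decode()
SAMPLE_IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://tenant.example.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_B64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant.example.com/SAAS/auth/federation/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.example.com/SAAS/auth/federation/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("CERT_B64", _FAKE_CERT_B64)


def parse_idp_metadata(xml_text):
    """Pull out the three things the IdP Connection wizard fills in from the file."""
    root = ET.fromstring(xml_text)
    sso = {}
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        sso[svc.get("Binding")] = svc.get("Location")
    cert_b64 = None
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())
                break
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_cert_b64": cert_b64}


def check_idp_metadata(meta, expected_host):
    """Return a list of problems; empty means the file matches the tenant you meant to federate."""
    problems = []
    host = urlparse(meta["entity_id"] or "").hostname
    if host != expected_host:
        problems.append(f"entityID host {host!r} is not the expected tenant {expected_host!r}")
    for binding in (REDIRECT, POST):
        location = meta["sso"].get(binding)
        if location is None:
            problems.append(f"no SingleSignOnService endpoint for {binding.rsplit(':', 1)[-1]}")
            continue
        url = urlparse(location)
        if url.scheme != "https" or url.hostname != expected_host or url.path != SSO_PATH:
            problems.append(f"{location} is not https://{expected_host}{SSO_PATH}")
    if not meta["signing_cert_b64"]:
        problems.append("no signing certificate: PingFederate could not verify assertions")
    return problems


def signing_cert_fingerprint(meta):
    """SHA-256 over the DER bytes, to compare with the certificate PingFederate displays."""
    der = base64.b64decode(meta["signing_cert_b64"])
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_XML)
    print("entityID:", meta["entity_id"])
    print("problems:", check_idp_metadata(meta, "tenant.example.com") or "none")
    print("signing cert sha256:", signing_cert_fingerprint(meta))
```

Run it against the real idp.xml by replacing SAMPLE_IDP_XML with the file contents and passing your tenant hostname to check_idp_metadata; any problem it reports is something the wizard would otherwise silently import.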

Exporting Metadata from PingFederate

The next step is to add PingFederate as a service provider in Workspace ONE Access. First, export the corresponding metadata file from PingFederate.

1. Select Metadata Export

In the PingFederate admin console:

  1. Click Server Configuration.
  2. Click Metadata Export.

2. Select Metadata Role

  1. Select I am the Service Provider (SP).
  2. Click Next.

3. Select Metadata Mode

  1. Select Use a Connection for Metadata Generation.
  2. Click Next.

4. Review Connection Metadata

Click Next.

5. Select Metadata Signing Details

  1. Select the signing certificate for your PingFederate setup from the drop-down menu.
  2. Select RSA SHA256 as the signing algorithm.
  3. Click Next.

6. Review Summary and Export Metadata

Click Export.

7. Save Metadata File

Save the metadata.xml file locally on your computer.

Click Save.

8. Open Metadata File

Open the metadata.xml file downloaded from PingFederate and copy the contents of the file to the clipboard.

Configuring PingFederate Application Source in Workspace ONE Access

Now that you have exported the metadata from PingFederate, you are ready to configure the PingFederate application source in Workspace ONE Access.

1. Configure PING Application Source

In the Workspace ONE Access administration console:

  1. Click Application Sources.
  2. Click PING.

2. Start PING Application Source Wizard

Click Next.

3. Configure PING Application Source Single Sign-On

  1. Select URL/XML as the configuration method.
  2. Copy the contents from the metadata.xml file downloaded from PingFederate into the text box.
  3. Click Next.

4. Select PING Application Source Access Policies

  1. Select an access policy from your Workspace ONE Access tenant using the drop-down menu. For this setup, we have selected an access policy which challenges for domain credentials to test the configuration.
  2. Click Next.

5. Complete PING Application Source Wizard

Click Save.

Configuring Salesforce in PingFederate

Next, modify the service provider connection (Salesforce) in PingFederate to authenticate with the newly created IdP Connection (Workspace ONE Access).

1. Select Service Provider Connection

Navigate back to the PingFederate admin console.

  1. Click Identity Provider.
  2. Select your test SP Connection.

2. Configure Browser SSO

  1. Select Browser SSO.
  2. Click Configure Browser SSO.

3. Configure Assertion Creation

  1. Select Assertion Creation.
  2. Click Configure Assertion Creation.

4. Map New Authentication Policy

Click Map New Authentication Policy.

5. Select Authentication Policy Contract

  1. Select the Workspace ONE authentication policy contract from the drop-down menu.
  2. Click Next.

6. Select Mapping Method

  1. Select Use Only the Authentication Policy Contract Values in the SAML Assertion.
  2. Click Next.

7. Select Attribute Contract Fulfillment Values

  1. Select Authentication Policy Contract from the Source drop-down menu.
  2. Select subject from the Value drop-down menu.
  3. Click Next.

8. Review Optional Issuance Criteria

Click Next.

9. Review Summary

Click Save.

10. Confirm Workspace ONE Contract Mapping

  1. Validate that the Workspace ONE contract has been mapped.
  2. Click Delete to delete the HTML Form Adapter mapping, so that this SP connection is fulfilled only through the Workspace ONE contract.
  3. Click Save.

Testing Authentication to Salesforce using PingFederate

You can now test authentication to your SaaS application. In this exercise, log in to Salesforce using PingFederate. PingFederate redirects you to Workspace ONE Access for authentication and then launches Salesforce. PingFederate validates the SAML assertion created by Workspace ONE Access and in turn issues its own SAML assertion for Salesforce; Salesforce only ever sees and trusts the PingFederate assertion.

1. Start Login from Salesforce

Navigate to the Salesforce login page and click PingFederate.

2. Enter Domain Credentials for Workspace ONE Access

Enter the domain credentials for your test user in Workspace ONE Access.

  1. Enter the username. For example, user.
  2. Enter the password. For example, VMware1!.
  3. Click Sign in.

3. Confirm Salesforce Launches

After validating the credentials in Workspace ONE Access, you are redirected and logged directly into the Salesforce tenant.
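What "validated by PingFederate" means in the description above is the part of this flow worth understanding, because the assertion Salesforce receives is only as trustworthy as the checks made on the Workspace ONE assertion. The Python below is an added example, not code from either product. It builds a constructed, unsigned assertion in the shape Workspace ONE Access issues in this setup (subject only, bearer confirmation) and applies the checks a SAML service provider must make before trusting it: Issuer against the IdP connection's entity ID, Audience against PingFederate's own SP entity ID, the Conditions and SubjectConfirmationData time windows with a small clock-skew allowance, and Recipient against the assertion consumer URL. The entity IDs and ACS URL are assumed values. The XML signature check is deliberately left out: it needs an XML-DSig library and the signing certificate from idp.xml, and it is required in addition to, never instead of, everything shown here.

```python
"""Checks a SAML SP applies to an inbound assertion, modelled on the Workspace ONE -> PingFederate hop.
Added example, not from the tutorial or either product. The XML signature is NOT verified here."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"

# Assumed values. In PingFederate these come from the IdP connection (partner entity ID taken
# from idp.xml) and from its own SP configuration.
IDP_ENTITY_ID = "https://tenant.example.com/SAAS/API/1.0/GET/metadata/idp.xml"
SP_ENTITY_ID = "https://pingfederate.example.com"
ACS_URL = "https://pingfederate.example.com:9031/sp/ACS.saml2"


def sample_assertion(now, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID,
                     recipient=ACS_URL, lifetime_s=300):
    """Constructed, unsigned assertion: subject only, as Workspace ONE Access sends in this setup."""
    not_before = (now - timedelta(seconds=60)).strftime(TS)
    not_on_or_after = (now + timedelta(seconds=lifetime_s)).strftime(TS)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="{now.strftime(TS)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="{not_on_or_after}" Recipient="{recipient}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, skew=timedelta(seconds=60)):
    """Return (subject, []) if the assertion may be used, else (None, [reasons])."""
    a = ET.fromstring(xml_text)
    problems = []

    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != IDP_ENTITY_ID:
        problems.append(f"issuer {issuer!r} is not the IdP connection entity ID")

    audiences = [(e.text or "").strip()
                 for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("assertion is not addressed to this SP (Audience)")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("expired")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != ACS_URL:
            problems.append("Recipient is not this SP's assertion consumer URL")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")

    subject = (a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if not subject:
        problems.append("empty NameID")
    return (subject, []) if not problems else (None, problems)


def demo():
    """Three constructed cases: a good assertion, the same one presented an hour later, and one
    that was issued for a different service provider."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    return {
        "good": validate_assertion(sample_assertion(now), now),
        "one_hour_later": validate_assertion(sample_assertion(now), now + timedelta(hours=1)),
        "wrong_audience": validate_assertion(
            sample_assertion(now, audience="https://some-other-sp.example.net"), now),
    }


if __name__ == "__main__":
    for case, (subject, problems) in demo().items():
        print(f"{case:15s}", "accepted as " + subject if subject else "rejected: " + "; ".join(problems))
```

The audience check is the one most often missed in hand-rolled SAML code: without it, an assertion that Workspace ONE Access issued for some other service provider would be accepted by PingFederate and re-minted for Salesforce.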

Creating Authentication Policies in PingFederate

Introduction

This section helps you to create authentication policies in PingFederate. Procedures include:

  • Configuring identity provider selectors
  • Configuring authentication policies
  • Configuring HTML form adapter and IdP connection
  • Testing authentication to Salesforce using mobile and non-mobile devices

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

The prerequisites for this section are the same as those listed under Adding Workspace ONE as an IdP Connection in PingFederate.

Configuring Identity Provider Selectors

In this exercise, you create a new selector that allows different authentication requests for different applications federated with PingFederate. You can choose to redirect authentication requests to Workspace ONE only for specific applications.

With a selector in PingFederate, you can differentiate mobile traffic versus non-mobile traffic, and decide how each will be authenticated. For this exercise, use the built-in Mobile Client Selector.

For more information, see Selectors in PingFederate documentation.

1. Open the Selectors List

In the PingFederate admin console:

  1. Click Identity Provider.
  2. Click Selectors.

2. Select Mobile Client Selector

Select the Mobile Client Selector.

3. Review Authentication Selector Details

This selector checks the User-Agent header of the incoming HTTP request and returns Yes if it matches one of the configured user agents for iOS or Android. Because the User-Agent is supplied by the client and can be set to anything, the selector is a routing choice, not an access control: both the mobile and the non-mobile branch of the policy must still authenticate the user.

Click Done.

4. Create New Selector Instance

Click Create New Instance.

5. Enter Authentication Selector Values

  1. Enter an instance name. For example, AppSelector.
  2. Enter an instance id. For example, AppSelector.
  3. Select Connection Set Authentication Selector from the Type drop-down menu.
  4. Click Next.

6. Configure Selector Connections

  1. Click Add a new row to Connections.
  2. Select your test application (Salesforce) from the Connections drop-down menu.
  3. Click Update.
  4. Click Next.

7. Review Selector Summary

Verify the selector summary.

Click Done.

8. Save Selector Configuration

Click Save.

Configuring Authentication Policies in PingFederate

Now that you have added Workspace ONE as an identity provider in PingFederate, you can create policies in PingFederate to decide when users will be authenticated in Workspace ONE versus with a local authentication adapter in PingFederate. For more information, see Policies in PingFederate documentation.

1. Select Policies

Click Policies.

2. Enable Authentication Policies

  1. Select the Enable IDP Authentication Policies check box.
  2. Select the Enable SP Authentication Policies check box.

3. Add AppSelector

The first action in the policy tree identifies the target application the end user is trying to authenticate to. Add the previously created AppSelector.

  1. Select the Action drop-down menu.
  2. Click Selectors.
  3. Click AppSelector.

4. Define AppSelector Negative Values

If the AppSelector selector returns negative, you can choose to authenticate the end user locally using the HTML Form Adapter.

  1. Select the Action drop-down menu next to the No Result.
  2. Select HTMLFormAdapter.

5. Define HTML Form Adapter Values

If the authentication attempt with the HTML Form Adapter fails, access to the application is denied. If the authentication attempt is successful, the Policy Contract associated with the application/connection is fulfilled.

  1. Click Done next to the Fail result.
  2. Select the Action drop-down menu next to the Success result.
  3. Select Policy Contracts.
  4. Select the Workspace ONE policy contract.

6. Define AppSelector Positive Values

Now, return to the first action. If the AppSelector selector returns positive, you will use a second selector (MobileClientSelector) to check if the authentication request is from a mobile device.

  1. Select the Action drop-down menu next to the Yes result.
  2. Click Selectors.
  3. Select the Mobile Client Selector.

7. Define Mobile Client Selector Values

If the Mobile Client Selector returns negative, authenticate the requests locally with the HTML Form Adapter.

  1. Select the Action drop-down menu next to the No result.
  2. Select the HTMLFormAdapter.

8. Define HTML Form Adapter Values

Use the same settings for the result of this HTML Form Adapter as the previous one.

  1. Click Done if the authentication fails.
  2. Select the Workspace ONE - (Policy Contract) if the authentication is successful.

9. Define Mobile Client Selector Positive Values

If the Mobile Client Selector returns positive, redirect the authentication request to Workspace ONE using the previously configured IdP Connection.

  1. Select the Action drop-down menu next to the Yes result.
  2. Select IdP Connections.
  3. Select the previously configured IdP Connection (your VMware Identity Manager tenant URL).

10. Define IdP Connection Values

The final policy decision is based on the response from Workspace ONE. If the authentication with Workspace ONE fails, access to the application is denied. If the authentication is successful, fulfill Policy Contract (Workspace ONE) associated with the application.

  1. Click Done next to the Fail result.
  2. Select the Action drop-down menu next to the Success result.
  3. Select Policy Contracts.
  4. Select the Workspace ONE policy contract.

11. Confirm Policy Tree Values

The policy tree should now read, top to bottom:

  • AppSelector
      • No: HTMLFormAdapter
          • Fail: Done (access denied)
          • Success: Workspace ONE (Policy Contract)
      • Yes: Mobile Client Selector
          • No: HTMLFormAdapter
              • Fail: Done (access denied)
              • Success: Workspace ONE (Policy Contract)
          • Yes: IdP Connection (Workspace ONE Access tenant)
              • Fail: Done (access denied)
              • Success: Workspace ONE (Policy Contract)
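To make the branching explicit, here is the same policy tree modelled as a small Python decision function. This is an added example, not PingFederate code or configuration: the selector logic is approximated (the connection IDs and the two User-Agent patterns are assumptions; PingFederate's Mobile Client Selector uses its own configurable patterns), and the two results stand for the HTML Form Adapter and the Workspace ONE IdP Connection. The last sample request shows why the User-Agent test is a routing decision and not a security boundary: any client can present a mobile User-Agent and will be sent to Workspace ONE, so both branches have to authenticate the user properly.

```python
"""The authentication policy tree from this section as a decision function. Added example."""
import re
from dataclasses import dataclass

# Assumed connection IDs: AppSelector is a Connection Set selector listing the SP connections
# whose users may be sent to Workspace ONE Access.
APP_SELECTOR_CONNECTIONS = {"salesforce"}

# Assumed approximation of the Mobile Client Selector. The real selector matches configurable
# iOS/Android User-Agent patterns; these two regexes stand in for them.
MOBILE_UA_PATTERNS = (re.compile(r"\b(?:iPhone|iPad|iPod)\b"), re.compile(r"\bAndroid\b"))

HTML_FORM_ADAPTER = "HTMLFormAdapter"
IDP_CONNECTION = "IdPConnection:WorkspaceONE"


@dataclass(frozen=True)
class AuthnRequest:
    sp_connection_id: str   # which SP connection (application) the request is for
    user_agent: str         # client-supplied User-Agent header, trivially spoofable


def app_selector(req):
    """Yes if the target application is one we route through the policy; No otherwise."""
    return req.sp_connection_id in APP_SELECTOR_CONNECTIONS


def mobile_client_selector(req):
    """Yes if the User-Agent looks like iOS or Android."""
    return any(p.search(req.user_agent or "") for p in MOBILE_UA_PATTERNS)


def choose_authentication_source(req):
    """Walk the tree top to bottom; steps 3 to 9 of this section in code."""
    if not app_selector(req):            # AppSelector: No -> local HTML form
        return HTML_FORM_ADAPTER
    if not mobile_client_selector(req):  # Mobile Client Selector: No -> local HTML form
        return HTML_FORM_ADAPTER
    return IDP_CONNECTION                # Yes -> redirect to Workspace ONE Access


def fulfil_policy_contract(source, result):
    """Step 10 and the contract mappings: Fail -> Done (denied), Success -> subject for the contract.

    The HTML Form Adapter supplies userPrincipalName; the IdP Connection supplies the
    SAML_SUBJECT from the Workspace ONE assertion. Neither is taken from the request itself."""
    if result.get("status") != "success":
        return None
    attribute = "userPrincipalName" if source == HTML_FORM_ADAPTER else "SAML_SUBJECT"
    return {"subject": result[attribute]}


# Constructed sample traffic.
SAMPLES = {
    "desktop_to_salesforce": AuthnRequest("salesforce", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"),
    "iphone_to_salesforce": AuthnRequest("salesforce", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"),
    "android_to_other_app": AuthnRequest("expenses", "Mozilla/5.0 (Linux; Android 14; Pixel 8) Chrome/120.0"),
    # A desktop script sending a mobile User-Agent: routed like a phone. Routing only, not trust.
    "spoofed_ua_to_salesforce": AuthnRequest("salesforce", "Mozilla/5.0 (iPhone) curl-wrapper/1.0"),
}


def route_samples():
    return {name: choose_authentication_source(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, source in route_samples().items():
        print(f"{name:28s} -> {source}")
```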

12. Select HTML Form Adapter Options

Next, finalize the configuration for each adapter and contract used in the policies. First, check the HTML Form Adapter options.

Click Options.

13. Define Incoming User ID

For the HTML Form Adapter, select which value from the credentials submitted in the HTML form is used as the incoming user ID.

  1. Select Context from the Source drop-down menu.
  2. Select Requested User from the Attribute drop-down menu.

Copy the same settings to the other HTML Form Adapter options used in the policies.

14. Select IdP Connection Options

Next, check the options for the IdP Connection used in the policies.

Click Options under the IdP Connection action.

15. Define Incoming User ID

Similar to the HTML Form Adapter, select a user ID that is authenticated into the IdP Connection.

  1. Select Context from the Source drop-down menu.
  2. Select Requested User from the Attribute drop-down menu.
  3. Click Done.

Configuring HTML Form Adapter

Finally, check the configuration of the Policy Contracts used in the policies. Although the settings are very similar for all Policy Contracts used, there is a slight variation between the Policy Contracts used after an HTML Form Adapter and the one used after the IdP Connection. In this exercise, check the contract mapping used after the HTML Form Adapter.

In this tutorial, the policy contract associated with our test application can be fulfilled using the values the authentication policy already has, so there is no need to add an Attribute Source to retrieve additional attributes. This might be required in your setup, depending on the application you are testing with.

1. Select Contract Mapping

Click Contract Mapping under the Workspace ONE Policy Contract used after one of the HTML Form Adapters.

2. Skip Attribute Source

Click Next.

3. Define Contract Fulfillment Values

Use the HTML Form Adapter result to fulfill this policy contract. Note that the userPrincipalName value used in this example is the value required by Salesforce. This might be different in your setup.

  1. Select Adapter (HTMLFormAdapter) from the Source drop-down menu.
  2. Select userPrincipalName from the Value drop-down menu.
  3. Click Next.

4. Skip Optional Issuance Criteria

Click Next.

5. Review Authentication Policy Summary

Verify the Contract Mapping summary.

Click Done.

Configuring Identity Provider Connection

After you have configured the contract mapping used after HTML Form Adapter, configure the contract mapping for a policy contract used after the IdP connection.

1. Select Contract Mapping

In the IdP section, click Contract Mapping.

2. Skip Attribute Source

Click Next.

3. Define Contract Fulfillment Values

In this example, use the IdP Connection to fulfill the Policy Contract. Note that the value is not retrieved from a user profile but taken from the SAML assertion issued by the IdP Connection (the SAML_SUBJECT that Workspace ONE Access asserted). If your test application requires different or additional attributes, you can either change the values Workspace ONE Access provides in the assertion or configure the Contract Mapping to retrieve the attributes from Active Directory.

  1. Select IdP Connection from the Source drop-down menu.
  2. Select SAML_SUBJECT from the Value drop-down menu.
  3. Click Next. 

4. Skip Issuance Criteria

Click Next.

5. Review Authentication Policy Summary

Validate the Policy Contract Mapping summary.

Click Next.

6. Review Authentication Policies Configuration

Click Save.

Testing Authentication to Salesforce

After you have created and configured authentication policies in PingFederate, you are ready to test authentication to Salesforce using different device types.

If you are authenticating with a non-mobile device, you should be presented with the PingFederate HTML Form Adapter.

If you are authenticating with a mobile device, you should be redirected to Workspace ONE for authentication.

1. Log In to Salesforce from Non-Mobile Device

On a non-mobile device, launch the Salesforce application. Authentication is required through the PingFederate HTML Form.

2. Log In to Salesforce from a Mobile Device

On a mobile device, launch the Salesforce application. Authentication is required through Workspace ONE.

Adding PingFederate Applications to the Workspace ONE Catalog

Introduction

This section helps you to add PingFederate applications to the Workspace ONE catalog. Procedures include:

  • Retrieving the Salesforce entity ID from PingFederate
  • Adding Salesforce to the Workspace ONE catalog
  • Testing authentication to Salesforce from Workspace ONE catalog

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

The prerequisites for this section are the same as those listed under Adding Workspace ONE as an IdP Connection in PingFederate.

Retrieving Salesforce Entity ID from PingFederate

Retrieve the Salesforce entity ID value from the PingFederate admin console. You need this entity ID value when configuring the Salesforce application in Workspace ONE Access.

1. Select Salesforce Application in PingFederate

In the PingFederate admin console:

  1. Click Identity Provider.
  2. Select the SP Connection for the application (Salesforce) that you want to add to the Workspace ONE catalog.

2. Copy Entity ID Value

  1. Select Activation & Summary.
  2. Copy the Entity ID value of the application.

Adding Salesforce to Workspace ONE Catalog

After you have retrieved the Salesforce entity ID from PingFederate, use this entity ID to add Salesforce to the Workspace ONE Catalog and assign users to the application.

1. Add New Application

In the Workspace ONE Access admin console:

  1. Click Catalog.
  2. Click Web Apps.
  3. Click New to add a new application to the catalog.

2. Name the Application

  1. Enter a Name for the application, for example, Salesforce (Ping).
  2. Click Next.

3. Configure Single Sign-On Details

With application sources, new applications inherit the single sign-on configuration from the PING application source configured earlier.

  1. Select PING (Application Source) from the Authentication Type drop-down menu.
  2. Paste the Entity ID copied in the previous exercise into the Target URL box.
  3. Click Next.

4. Select Access Policies

  1. Select an access policy for your application from the drop-down menu.
  2. Click Next.

5. Review the Configuration Summary

Review the configuration summary.

Click Save & Assign.

6. Assign Users to Salesforce

  1. Search for your user or user group to assign the application.
  2. Select the user or user group from the drop-down menu.
  3. Click Save.

Testing Authentication to Salesforce from Workspace ONE Catalog

After you have added Salesforce to the Workspace ONE catalog, confirm authentication to Salesforce from the Workspace ONE catalog.

1. Log in to Workspace ONE Access Tenant

Navigate to your Workspace ONE Access tenant and log in with your test user.

2. Launch Salesforce Application

Select the Ping Salesforce application. This should redirect you to PingFederate with a valid SAML assertion, which in turn, redirects you seamlessly to the target application.

Adding PingFederate as Third-Party IdP in Workspace ONE

Introduction

In the previous exercises, you configured Workspace ONE to act as an IdP to PingFederate. This allows administrators to use Workspace ONE authentication methods to authenticate users to applications federated with PingFederate.

This section helps you to configure the inverse integration flow, where PingFederate is used as a third-party IdP within Workspace ONE. This allows administrators to use PingFederate to authenticate users accessing the Workspace ONE catalog.

Procedures include:

  • Exporting the SAML metadata from Workspace ONE Access
  • Adding and configuring the SP connection in PingFederate
  • Exporting metadata from PingFederate
  • Adding PingFederate as an IdP in Workspace ONE
  • Modifying authentication policies in Workspace ONE Access
  • Testing SSO from Workspace ONE to PingFederate

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

The prerequisites for this section are the same as those listed under Adding Workspace ONE as an IdP Connection in PingFederate.

Exporting SAML Metadata from Workspace ONE Access

Before adding the service provider connection in PingFederate, you need to export the SAML metadata from Workspace ONE Access.

2. Navigate to SAML Metadata

  1. Click SAML Metadata.
  2. Right-click Service Provider (SP) metadata.
  3. Select Save link as.

3. Save Metadata File

Click Save to save the metadata file on your local machine.

Adding Service Provider Connection in PingFederate

After you have exported the SAML metadata from Workspace ONE Access, you are ready to add a service provider connection in PingFederate.

1. Create New SP Connection

In the PingFederate Console:

  1. Click Identity Provider.
  2. Click Create New.

2. Review the Connection Type

Click Next.

3. Review Connection Options

Click Next.

4. Import Metadata

  1. Select File as the method to input the connection metadata.
  2. Click Choose File.
  3. Select the metadata file you downloaded from Workspace ONE Access. For example, sp.
  4. Click Open.
  5. Click Next.

5. Review the Metadata Summary

Verify that the Entity ID is the Workspace ONE Access SP metadata XML URL for your tenant, and click Next.

6. Review General Info

Click Next to continue configuring Browser SSO settings.

Configuring Browser SSO Settings

In this section, continue configuring the SP Connection - Browser SSO settings.

1. Configure Browser SSO

Click Configure Browser SSO.

2. Assign SSO Profiles

  1. Select the SP-Initiated SSO check box, to apply SSO to applications launched from within the Workspace ONE catalog.
  2. Click Next.

3. Review Assertion Lifetime Settings

Click Next.

4. Create an Assertion

Click Configure Assertion Creation.

5. Select the Attribute Contract Type

For this configuration, you send the SP (Workspace ONE) a standard attribute (userPrincipalName) as the main identifier in the assertion, so select a Standard Attribute Contract.

  1. Select Standard as the Attribute Contract type.
  2. Click Next.

6. Review the Attribute Contract

  1. For the Subject Name Format, keep the default Unspecified format in this configuration.
  2. Click Next.

7. Configure Authentication Source Mapping

  1. Click Map New Adapter Instance.
  2. Select HTML Form Adapter from the Adapter Instance drop-down menu.
  3. Click Next.

8. Configure Mapping Method

  1. Select Use Only the Adapter Contract Values in the SAML Assertion. Because userPrincipalName is already part of the Adapter Contract, you can use only the values included in the contract.
  2. Click Next.

9. Configure Attribute Contract Values

  1. Select Adapter from the Source drop-down menu.
  2. Select userPrincipalName from the Value drop-down menu. PingFederate passes userPrincipalName as the SAML_Subject value in the SAML assertion passed to Workspace ONE.
  3. Click Next.

10. Configure SAML Bindings

  1. Select the Post binding.
  2. Select the Redirect binding.
  3. Click Next.

11. Configure Signature Policy

  1. Select Always Sign the SAML Assertion.
  2. Click Next.

12. Select Encryption Policy

  1. Select None to opt-out of encrypting the SAML messages.
  2. Click Next.

Reviewing Browser SSO Settings

In this section, review the Browser SSO settings before completing the service provider connection details.

1. Review Protocol Settings Summary

Review the Protocol Settings and click Done.

2. Continue to Browser SSO Summary

On the Protocol Settings tab, click Next.

3. Review Browser SSO Summary

Review the Browser SSO summary and click Done.

Completing Service Provider Connection Details

In this section, continue through the wizard to complete the SP Connection details.

1. Continue Configuring the SP Connection

Click Next.

2. Review IdP Adapter Mapping

  1. Click Next.
  2. Review the IDP Adapter Mapping summary, and click Done.

3. Review Assertion Creation

  1. Click Next.
  2. Review the Assertion Creation summary, and click Done.

4. Continue to Protocol Settings

On the Assertion Creation tab, click Next.

5. Configure Protocol Settings

  1. Click Configure Protocol Settings.
  2. Delete all pre-configured endpoints imported from the metadata except the one for the POST binding.
  3. Click Next.

6. Configure Credentials

Click Configure Credentials.

7. Select a Certificate

  1. Select your signing certificate from the Signing Certificate drop-down menu.
  2. Click Next.

8. Review Certificate Summary

Click Done.

9. Continue Configuring the SP Connection

Click Next.

10. Activate the Connection

  1. Select Active as the Connection Status.
  2. Click Save.

11. Verify the Connection

Verify that the new SP Connection for Workspace ONE has been created.

Exporting Metadata from PingFederate

Now that you have configured the SP connection for Workspace ONE in PingFederate, you must create and configure the PingFederate IdP in Workspace ONE. First, export the appropriate metadata file from PingFederate.

1. Begin Metadata Export

  1. Click Server Configuration.
  2. Click Metadata Export.

2. Select the Metadata Role

  1. Select I am the Identity Provider.
  2. Click Next.

3. Select the Metadata Mode

  1. Select Use a Connection for Metadata Generation.
  2. Click Next.

4. Configure Connection Metadata

  1. Select the Workspace ONE SP Connection from the drop-down menu.
  2. Click Next.

5. Configure Metadata Signing

  1. Select the signing certificate for your PingFederate setup from the Signing Certificate drop-down menu.
  2. Select RSA SHA256 as the Signing Algorithm from the drop-down menu.
  3. Click Next.

6. Begin Metadata Export

Click Export.

7. Save Metadata File

Save the metadata file locally on your computer.

Click Save.

8. Copy Contents of Metadata File

Copy the contents of the metadata file downloaded from PingFederate to your clipboard.

Adding PingFederate as an IdP in Workspace ONE

Next, add PingFederate as an identity provider in Workspace ONE.

1. Create Third-Party Identity Provider

In the Workspace ONE Access admin console:

  1. Click Identity & Access Management.
  2. Click Identity Providers.
  3. Click Add Identity Provider.
  4. Click Create Third Party IDP.

2. Provide Identity Provider Details

  1. Enter a name for Identity Provider Name. For example, PING.
  2. Paste the contents of the metadata file into the text box.
  3. Click Process IdP Metadata.
  4. Select Unspecified as the Name ID format.
  5. Select userPrincipalName as the Name ID Value.

3. Continue Entering Identity Provider Details

  1. Enable the IdP for the same set of users (domain) configured in PingFederate.
  2. Enable the IdP configuration for All Ranges.
  3. Create a new Authentication Method with an appropriate name. For example, PingPassword.
  4. Select urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the SAML Context for the Authentication Method.
  5. Click Add.

Modifying Authentication Policies in Workspace ONE Access

To authenticate users with the new PING IdP configuration, you must modify the authentication policies in Workspace ONE Access to make use of the authentication method associated with the IdP. In this section, you modify the default policy set because this is used when accessing the Workspace ONE catalog.

1. Select Default Policy

  1. Click Identity & Access Management.
  2. Click Policies.
  3. Click default_access_policy_set.

2. Edit Default Access Policy Set

Click Edit.

3. Select All Ranges Policy Rule

  1. Click Configuration.
  2. For this setup, modify the last policy in the policy set, because it is the one used to authenticate desktop browsers on public networks. You might need to modify a different policy depending on the device type and source network you are using to test this configuration.

4. Select Authentication Method

  1. Select PingPassword from the authenticate using drop-down menu. This is the Authentication Method associated with the PING IdP.
  2. Click Save.

5. Review Configuration Changes

Click Next.

6. Review Summary Details

Click Save.

Testing Single Sign-On to Workspace ONE

You can now test authentication into the Workspace ONE catalog. You should be automatically redirected to PingFederate for authentication if using a device that matches the policy changes made.

1. Navigate to Workspace ONE URL and Confirm Redirect to PingFederate

Navigate to your Workspace ONE tenant URL and confirm redirection to PingFederate. Enter your PingFederate credentials.

  1. Enter a username. For example, user.
  2. Enter a password. For example, password.
  3. Click Sign On.

2. Confirm Redirect to Workspace ONE App Catalog

After you have successfully authenticated with PingFederate, you should be redirected back and given access to the Workspace ONE catalog.

Configuring Authentication Failure Notification

Introduction

The latest update to SaaS-based Workspace ONE Access includes a new feature that allows Workspace ONE Access to send feedback to PingFederate, through a parameter in the SAML assertion, when authentication fails. PingFederate administrators can then implement more flexible authentication policies for the cases in which authentication fails in Workspace ONE Access.

Policy Rules Recap

This screenshot depicts a recap of the policy rules that have been created throughout this tutorial. The new feature allows you to modify the lower section where Workspace ONE Access is involved as an IdP within Ping.

Authentication Fail Options

With the current policies, when authentication fails at Workspace ONE Access, the policy is set to fail the authentication. Because no action has been defined in the Fail section, there is no other option.

Authentication Failure Message

The expected experience is that when an unmanaged device fails to authenticate with Workspace ONE Access, it is presented with an authentication failure message in Workspace ONE Access.

This section helps you to configure authentication failure notification. Procedures include:

  • Enabling authentication failure notification
  • Modifying the authentication policies
  • Testing SSO to MS Office 365

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured.

  • Cloud-based Workspace ONE Access tenant
  • Admin access to a PingFederate appliance
  • PingFederate must have both Identity Provider and Service Provider roles enabled
  • Test application federated with PingFederate (to follow the steps in this exercise, use MS Office 365)
  • Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
  • Unmanaged device to test redirection to Workspace ONE

Logging In to the Workspace ONE Access Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE Access console.

1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

2. Open a New Browser Tab

Click the Tab space to open a new tab.

4. Log In to Your Workspace ONE Access Tenant

  1. Enter the Username, for example, Administrator.
  2. Enter the Password, for example, VMware1!.
  3. Click Sign In.

Enabling Authentication Failure Notification

This section helps you to configure the authentication failure notification feature.

1. Navigate to Web Apps

In the Workspace ONE Access tenant:

  1. Select the Catalog drop-down menu.
  2. Select Web Apps.

2. Open Web Apps Settings Menu

Click Settings.

3. Configure PING Application Source

  1. Click Application Sources.
  2. Click PING.

4. Select Advanced Properties

  1. Click Configuration.
  2. Click Advanced Properties.

5. Enable Authentication Failure Notification

  1. Click the button to Enable Authentication Failure Notification.
  2. Click Next.

6. Complete PING Application Source Wizard

  1. Click Summary.
  2. Click Save.

Confirm SAML Assertion

After the feature is enabled, when authentication fails in Workspace ONE Access, a SAML assertion is sent to PingFederate containing an AuthFailed status code, a status message, and detail.

You can verify the SAML assertion using a SAML plugin for your web browser, such as SAML Chrome Panel.
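A browser SAML plugin shows the raw SAMLResponse value; decoding it yourself makes it easy to confirm two things from this tutorial at once: that a failed Workspace ONE Access authentication now returns a status block with a failure code, message and detail (this section), and that a successful one carries a signed assertion as required by the Always Sign the SAML Assertion policy configured earlier. The following Python script is an added example and is not VMware or Ping Identity code. Both responses it decodes are constructed samples with placeholder IDs, hosts, detail text and signature values, and it assumes that the "AuthFailed" status the text describes is carried as the standard SAML 2.0 second-level status code urn:oasis:names:tc:SAML:2.0:status:AuthnFailed under a top-level Responder code.

```python
"""Inspect a SAMLResponse value captured with a browser SAML plugin.
Added example, not VMware or Ping Identity code: the two responses below are
constructed samples with placeholder IDs, hosts, detail text and signatures."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
# Standard SAML 2.0 second-level code for a failed authentication; assumed here to be
# how the tutorial's "AuthFailed" status is encoded on the wire.
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

_ENVELOPE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://pingfederate.example.com/sp/ACS.saml2">'
    "<saml:Issuer>https://ws1-tenant.example.com/idp</saml:Issuer>{body}</samlp:Response>"
)

# Constructed: the response Workspace ONE Access returns when the user fails its policy.
FAILED_RESPONSE_XML = _ENVELOPE.format(body=(
    "<samlp:Status>"
    f'<samlp:StatusCode Value="{STATUS_RESPONDER}">'
    f'<samlp:StatusCode Value="{STATUS_AUTHN_FAILED}"/></samlp:StatusCode>'
    "<samlp:StatusMessage>Authentication failed</samlp:StatusMessage>"
    "<samlp:StatusDetail>PLACEHOLDER detail text</samlp:StatusDetail>"
    "</samlp:Status>"
))

# Constructed: a successful response whose assertion carries a signature element.
SUCCESS_RESPONSE_XML = _ENVELOPE.format(body=(
    f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://ws1-tenant.example.com/idp</saml:Issuer>"
    "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    "user@example.com</saml:NameID></saml:Subject></saml:Assertion>"
))

# The plugin shows the form value base64-encoded, as it travels in the HTTP-POST binding.
FAILED_RESPONSE_B64 = base64.b64encode(FAILED_RESPONSE_XML.encode()).decode()
SUCCESS_RESPONSE_B64 = base64.b64encode(SUCCESS_RESPONSE_XML.encode()).decode()


def decode_saml_response(value):
    """Base64-decode a SAMLResponse; inflate it too if it came over HTTP-Redirect."""
    raw = base64.b64decode(value)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # raw DEFLATE, as used by the Redirect binding
    return raw


def inspect_saml_response(value):
    """Return status, signing and subject details plus a list of findings."""
    root = ET.fromstring(decode_saml_response(value))
    status = root.find("samlp:Status", NS)
    top = status.find("samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS)  # nested second-level code, if any
    message = status.find("samlp:StatusMessage", NS)
    detail = status.find("samlp:StatusDetail", NS)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None

    report = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "top_status": top.get("Value"),
        "sub_status": sub.get("Value") if sub is not None else None,
        "message": message.text if message is not None else None,
        "detail": "".join(detail.itertext()).strip() if detail is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "name_id": name_id.text if name_id is not None else None,
        "findings": [],
    }
    if report["top_status"] != STATUS_SUCCESS:
        report["findings"].append(
            "authentication failed at the IdP; the PingFederate Fail action decides the next step")
    elif not report["assertion_signed"]:
        report["findings"].append(
            "assertion is unsigned; the Always Sign the SAML Assertion policy is not in effect")
    return report


if __name__ == "__main__":
    for label, value in (("failed", FAILED_RESPONSE_B64), ("success", SUCCESS_RESPONSE_B64)):
        print(label, inspect_saml_response(value))
```

Paste the SAMLResponse value from the plugin into `inspect_saml_response` to see the same fields for a live flow. Presence of the signature element is all the script checks; validating the signature needs the IdP certificate from the metadata, which is what PingFederate and Workspace ONE do for you.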

Modifying the Authentication Policy in PingFederate

After you have enabled authentication failure notification, you are ready to modify the authentication policy in PingFederate to account for the AuthFailed SAML assertion that is sent from Workspace ONE Access. You must log in to the PingFederate admin console to complete this exercise.

Note: For the purpose of this exercise, the HTMLFormAdapter is selected as a simple example. Downgrading enrollment/compliance authentication to a username/password-only challenge is not best practice in most use cases.

2. Select HTMLFormAdapter

  1. Scroll down to the Workspace ONE Access section, and click the action drop-down menu next to Fail.
  2. Select IdP Adapters.
  3. Select HTMLFormAdapter.

3. Select the Workspace ONE Policy Contract

  1. Click the action drop-down menu next to Success.
  2. Select Policy Contracts.
  3. Select Workspace ONE as the policy contract.

4. Skip Attribute Sources

Click Next.

5. Configure Contract Fulfillment

  1. Select Adapter (HTMLFormAdapter) as the source.
  2. Select userPrincipalName as the value.
  3. Click Next.

6. Skip Issuance Criteria

Click Next.

7. Complete Authentication Policy Configuration

Review the summary and click Done.

8. Review the Authentication Policy

The authentication policy in PingFederate should now resemble the example shown, with an action for both a successful and a failed authentication in Workspace ONE Access.

Testing Single Sign-On to MS Office 365

After you have enabled authentication failure notification and modified the authentication policy in PingFederate, you are ready to test SSO from an unmanaged device to a federated application, such as MS Office 365. The result of this authentication flow is an HTML form authentication challenge from PingFederate.

1. Log in to MS Office 365

Open MS Office 365.

2. Enter User Credentials for PingFederate

You should be redirected to PingFederate for authentication. Enter your user details for PingFederate.

3. Validate Successful Authentication

Validate that the end user is successfully authenticated into the target application.

Summary and Additional Resources

Conclusion

This tutorial provided steps to integrate PingFederate with Workspace ONE. Procedures included:

  • Adding Workspace ONE as an IdP connector in PingFederate
  • Creating authentication policies in PingFederate
  • Adding PingFederate applications to the Workspace ONE catalog
  • Adding PingFederate as a third-party IdP in Workspace ONE
  • Configuring authentication failure notification in SaaS-based Workspace ONE Access

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP) A host that offers resources, tools, and applications to users and devices.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

About the Author

This tutorial was written by:

  • Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.