Integrating PingFederate: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace™ ONE™ environment. Workspace ONE simplifies access to cloud, mobile, and enterprise applications from supported devices. As an IT professional, you can use Workspace ONE to deploy, manage, and secure applications. At the same time, you can offer a flexible, bring-your-own-device (BYOD) initiative to your end users from a central location.

Purpose

This operational tutorial provides you with exercises and discussions to help with your existing VMware Workspace ONE™ production environment. VMware provides operational tutorials to help you with

  • Common procedures or best practices
  • Complex manual procedures
  • Troubleshooting

Note: Before you begin any operational tutorial, you must first deploy a production environment. For information about deployment, see the VMware Workspace ONE Documentation.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE™ Unified Endpoint Management (UEM, formerly VMware AirWatch), is also helpful.

Integrating PingFederate with VMware Workspace ONE

Introduction

This tutorial helps you to integrate VMware Workspace ONE® with PingFederate®. Procedures include:

  • Adding Workspace ONE as an identity provider connector in PingFederate
  • Creating authentication policies in PingFederate 
  • Adding applications federated with PingFederate to Workspace ONE
  • Adding PingFederate as a third-party identity provider in Workspace ONE

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured.

  • Admin access to both a VMware Identity Manager tenant and a PingFederate appliance
  • PingFederate must have both Identity Provider and Service Provider roles enabled
  • Test application federated with PingFederate (to follow the steps in this exercise, use Salesforce)
  • VMware Identity Manager tenant and PingFederate appliance connected to the same Active Directory domain
  • Optional: Mobile device to test redirection to Workspace ONE

Adding Workspace ONE as an Identity Provider Connection in PingFederate

The first step is to add Workspace ONE as an identity provider connector in PingFederate. In this exercise, you test access to a SaaS application that is federated with PingFederate. The test application in this case is Salesforce.

1. Confirm Salesforce is Federated with PingFederate

Before you begin, ensure your Salesforce application is federated with PingFederate.

2. Collect Metadata from VMware Identity Manager

Before configuring Workspace ONE as an identity provider connector, you must collect the appropriate metadata from the VMware Identity Manager tenant.

2.4. Save Metadata File

Click Save to save the idp.xml file locally on your computer.

3. Create Identity Provider Connection

Switch back to the PingFederate admin page.

  1. Click the Service Provider menu.
  2. Click Create New to create a new IDP Connection.

3.1. Begin IdP Connection Configuration

  1. Select BROWSER SSO PROFILES.
  2. Click Next.

3.2. Select Connection Options

  1. Select BROWSER SSO for this connection.
  2. Click Next.

3.3. Import Metadata

  1. Select File as the option to import metadata.
  2. Click Choose File.

3.4. Select Metadata File

  1. Select the idp.xml file previously downloaded from the VMware Identity Manager tenant.
  2. Click Open.

3.5. Confirm File Uploaded

  1. Verify that the correct file was uploaded.
  2. Click Next.

3.6. Confirm Entity ID

  1. Verify that the Entity ID matches your tenant.
  2. Click Next.

3.7. Review Configuration

Click Next.

4. Configure Browser SSO

Click Configure Browser SSO.

4.1. Select SAML Profiles

  1. Select IDP-INITIATED SSO.
  2. Select SP-INITIATED SSO.
  3. Click Next.

5. Configure User-Session Creation

Click Configure User-Session Creation.

5.1. Select Identity Mapping Mode

  1. Select Account Mapping.
  2. Click Next.

5.2. Confirm Attribute Contract

In this exercise, VMware Identity Manager will send only a single attribute in the assertion (SAML_SUBJECT).

Click Next.

5.3. Map New Authentication Policy

This connection does not use any local adapter instances for authentication; instead, you map it to an authentication policy.

Click on Map New Authentication Policy.

6. Create a New Authentication Policy Contract

Click Manage Authentication Policy Contracts.

6.1. Create New Contract

Click Create New Contract.

6.2. Enter Contract Name

  1. Enter a contract name, for example, Workspace ONE.
  2. Click Next.

6.3. Confirm Attribute Contract

This configuration uses a single attribute (SAML_Subject).

Click Next.

6.4. Review Contract Details

Click Done.

6.5. Confirm Contract Creation

Validate that the new contract has been created.

Click Save.

7. Configure the New Policy Contract

  1. Select the new policy contract from the drop-down menu, for example, Workspace ONE.
  2. Click Next.

7.1. Select Authentication Policy Contract Subject

In this exercise, Salesforce requires only the attribute provided in the assertion to fulfill the contract. Depending on the SaaS application you use to test this configuration, you might need to retrieve additional information from the assertion.

  1. Select Use only the attributes available in the SSO assertion.
  2. Click Next.

7.2. Select Contract Fulfillment Values

  1. Select Assertion from the drop-down menu.
  2. Select SAML_Subject from the drop-down menu.
  3. Click Next.

7.3. Optional Issuance Criteria

Click Next.

7.4. Confirm Authentication Policy Contract Details

Verify the Authentication Policy Contract summary.

Click Done.

8. Confirm Policy Contract is Mapped

  1. Verify that the new Authentication Policy Contract has been mapped.
  2. Click Next.

9. Confirm User-Session Creation Details

Click Done.

10. Continue to Protocol Settings

Click Next.

11. Configure Protocol Settings

Click Configure Protocol Settings.

11.1. Confirm Endpoint URL

  1. The Endpoint URLs for the Redirect and POST bindings should both be populated automatically from the metadata. If they are not, enter the URL manually. The path is the same for both bindings in all tenants: /SAAS/auth/federation/SSO.
  2. Click Next.

11.2. Select SAML Bindings

  1. Select POST.
  2. Select REDIRECT.
  3. Click Next.

11.3. Optional Overrides

Click Next.

11.4. Configure Signature Policy

  1. Select Specify Additional Signature Requirements.
  2. Select Sign Authn Requests Over Post and Redirect Bindings.
  3. Click Next.

11.5. Optional Encryption Policy Settings

Encryption of the SAML assertion is optional. For this configuration, it is not required.

Click Next.

11.6. Confirm Protocol Settings Configuration

Click Done.

11.7. Confirm Protocol Settings Applied

Click Next.

11.8. Review Protocol Settings

Review the Browser SSO summary.

  1. Scroll to the bottom.
  2. Click Done.

12. Continue IdP Connection Wizard

Click Next.

12.1. Confirm Credential Requirement Details

  1. The signing certificate should be automatically populated from the metadata.
  2. Click Next.

12.2. Select Connection Status

Select Active.

12.3. Save Configuration

  1. Scroll down to the bottom of the summary.
  2. Click Save.

12.4. Confirm IdP Connection Creation

Validate that the new IDP Connection has been created.

13. Export Metadata from PingFederate

The next step is to add PingFederate as a service provider in VMware Identity Manager. First, export the corresponding metadata file from PingFederate.

  1. Click Server Configuration.
  2. Click Metadata Export.

13.1. Select Metadata Role

  1. Select I am the Service Provider (SP).
  2. Click Next.

13.2. Select Metadata Mode

  1. Select Use a Connection for Metadata Generation.
  2. Click Next.

13.3. Review Connection Metadata

Click Next.

13.4. Select Metadata Signing Details

  1. Select the signing certificate for your PingFederate setup from the drop-down menu.
  2. Select RSA SHA256 as the signing algorithm.
  3. Click Next.

13.5. Review Summary and Export Metadata

Click Export.

14. Save Metadata File

Save the metadata.xml file locally on your computer.

Click Save.

15. Open Metadata File

Open the metadata.xml file downloaded from PingFederate and copy the contents of the file to the clipboard.
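Several of the steps above come down to reading values out of SAML metadata and checking them: the Entity ID in step 3.6, the endpoint URLs in step 11.1, the signing certificate in step 12.1, and the SP metadata you just exported from PingFederate in steps 13 to 15. The following Python script is an added example, not part of this tutorial and not VMware's or Ping's code. It parses IdP or SP metadata with the standard library and reports the entity ID, the endpoint for each binding, the signing certificates and whether the metadata document itself is signed, then checks those values against what you expect (entity ID, HTTPS endpoints on the expected path for the POST and Redirect bindings, at least one signing certificate). The two metadata documents, the tenant and PingFederate host names, the entity IDs, the SP endpoint path and the certificate values are constructed placeholders.

```python
"""Added example (not from the tutorial): read the values the PingFederate and
Workspace ONE wizards take from SAML 2.0 metadata and check them. Stdlib only."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata: tenant host, entity ID and certificate value are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://tenant.example.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBconstructedPlaceholderIdpCert==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tenant.example.com/SAAS/auth/federation/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://tenant.example.com/SAAS/auth/federation/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata (placeholder host and ACS path), with only the POST binding.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://pingfederate.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBconstructedPlaceholderSpCert==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://pingfederate.example.com/sp/ACS.saml2" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


@dataclass
class MetadataSummary:
    entity_id: str
    role: str                                          # "IdP" or "SP"
    endpoints: dict = field(default_factory=dict)      # binding URI -> Location
    signing_certs: list = field(default_factory=list)  # base64 values, whitespace removed
    metadata_signed: bool = False                      # EntityDescriptor carries a ds:Signature


def parse_metadata(xml_text):
    """Return the entity ID, role, endpoints and signing certificates found in metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp, sp = root.find("md:IDPSSODescriptor", NS), root.find("md:SPSSODescriptor", NS)
    if idp is not None:
        role, desc, endpoint_tag = "IdP", idp, "md:SingleSignOnService"
    elif sp is not None:
        role, desc, endpoint_tag = "SP", sp, "md:AssertionConsumerService"
    else:
        raise ValueError("metadata has neither an IDPSSODescriptor nor an SPSSODescriptor")
    endpoints = {e.get("Binding"): e.get("Location") for e in desc.findall(endpoint_tag, NS)}
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            certs.append("".join(cert.text.split()))
    return MetadataSummary(root.get("entityID", ""), role, endpoints, certs,
                           root.find("ds:Signature", NS) is not None)


def check_metadata(summary, expected_entity_id, expected_path,
                   required_bindings=(BINDING_POST, BINDING_REDIRECT)):
    """Return a list of problems; an empty list means the metadata matches expectations."""
    problems = []
    if summary.entity_id != expected_entity_id:
        problems.append(f"entity ID {summary.entity_id!r} does not match expected {expected_entity_id!r}")
    for binding in required_bindings:
        short = binding.rsplit(":", 1)[-1]  # e.g. HTTP-POST
        location = summary.endpoints.get(binding)
        if location is None:
            problems.append(f"no endpoint for binding {short}")
            continue
        url = urlparse(location)
        if url.scheme != "https":
            problems.append(f"{short} endpoint is not HTTPS: {location}")
        if url.path != expected_path:
            problems.append(f"{short} endpoint path {url.path!r} != expected {expected_path!r}")
    if not summary.signing_certs:
        problems.append("no signing certificate in metadata; the other side cannot verify signatures")
    return problems
```

Run `check_metadata(parse_metadata(open("idp.xml").read()), "<your tenant entity ID>", "/SAAS/auth/federation/SSO")` against the file saved in step 2.4; an empty list is what the wizard screens in steps 3.6 and 11.1 should confirm, and the certificate in `signing_certs` is the one step 12.1 shows. For the PingFederate export, call it with `(BINDING_POST,)` as `required_bindings`, since that metadata describes an SP and lists AssertionConsumerService endpoints instead.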

16. Select Application Sources in VMware Identity Manager

Return to the VMware Identity Manager administration console.

  1. Click Application Sources.
  2. Click PING.

16.1. Begin PING Application Source Configuration

Click Next.

16.2. Enter Configuration Details

  1. Select URL/XML as the configuration method.
  2. Copy the contents from the metadata.xml file downloaded from PingFederate into the text box.
  3. Click Next.

16.3. Select Access Policies

  1. Select an access policy from your VMware Identity Manager tenant using the drop-down menu. For this configuration, we selected an access policy that simply challenges for domain credentials, which is enough to test the configuration.
  2. Click Next.

16.4. Review PING Application Summary

Click Save.

18. Log In to Salesforce Using PingFederate

You can now test authentication to your SaaS application. In this case, Salesforce is federated with PingFederate.

Navigate to the Salesforce login page and click PingFederate.

18.1. Enter Domain Credentials for VMware Identity Manager

PingFederate automatically redirects to VMware Identity Manager for authentication.

Enter the domain credentials for your test user in VMware Identity Manager.

  1. Enter the username, for example, user.
  2. Enter the password, for example, VMware1!.
  3. Click Sign in.

18.2. Confirm Salesforce Launches

After VMware Identity Manager validates the credentials, you are redirected and logged directly into the Salesforce tenant.

PingFederate validates the SAML assertion created by VMware Identity Manager and, in turn, issues its own SAML assertion for the target application (Salesforce).

Creating Authentication Policies in PingFederate

Now that you have added Workspace ONE as an identity provider in PingFederate, you can create policies in PingFederate to decide when users will be authenticated in Workspace ONE versus with a local authentication adapter in PingFederate.

For more information about authentication policies, see Policies in PingFederate documentation.

3. Configure Contract Mapping (HTML Form Adapter)

Finally, check the configuration of the Policy Contracts used in the policies. Although the settings are very similar for all Policy Contracts, there is a slight variation between the Policy Contract used after an HTML Form Adapter and the one used after the IDP Connection. We will look at both.

Click Contract Mapping under the Workspace ONE Policy Contract used after one of the HTML Form Adapters.

3.1. Optional Add Attribute Source

For this setup, the policy contract associated with our test application can be fulfilled using the default values from the authentication policy; therefore, we do not add an Attribute Source to retrieve additional attributes. Depending on the type of application you are testing with, your setup might require one.

Click Next.

3.2. Define Contract Fulfillment Values

You will use the HTML Form Adapter result to fulfill this policy contract. Note that the userPrincipalName value used in this example is the value required by the test application. This might be different in your setup.

  1. Select Adapter (HTMLFormAdapter) from the Source drop-down menu.
  2. Select userPrincipalName from the Value drop-down menu.
  3. Click Next.

3.3. Optional Issuance Criteria

Click Next.

3.4. Review Authentication Policy Summary

Verify the Contract Mapping summary.

Click Next.

4. Configure Contract Mapping (IdP Connection)

Next, check the Contract Mapping for a Policy Contract used after an IDP Connection.

Click Contract Mapping.

4.1. Optional Add Attribute Source

Click Next.

4.2. Define Contract Fulfillment Values

In this case, you use the IDP Connection to fulfill the Policy Contract. Note that the value is not retrieved from the user profile but from the SAML assertion issued by the IDP Connection. If your test application requires different or additional attributes from those provided in the SAML assertion, you can either change the value(s) provided by the IDP Connection or configure the Contract Mapping to retrieve the attributes from Active Directory.

  1. Select IDP Connection from the Source drop-down menu.
  2. Select SAML_SUBJECT from the Value drop-down menu.
  3. Click Next.

4.3. Optional Issuance Criteria

Click Next.

4.4. Review Authentication Policy Summary

Validate the Policy Contract Mapping summary.

Click Next.

4.5. Review Authentication Policies Configuration

Click Save.

5. Test Authentication to Salesforce

You can now test authenticating into your test application using different device types.

5.1. Log In to Salesforce from Non-Mobile Device

If you are authenticating with a non-mobile device, you should be presented with the PingFederate HTML Form Adapter.

5.2. Log In to Salesforce from a Mobile Device

If you are authenticating with a mobile device, you should be redirected to Workspace ONE for authentication.

Adding Applications Federated with PingFederate in the Workspace ONE Catalog

Now that you have configured Workspace ONE as an identity provider within PingFederate, you can add applications that are federated with PingFederate to the Workspace ONE catalog. This lets users perform an IdP-initiated launch of the target application from their unified application catalog.

1. Retrieve Salesforce Entity ID from PingFederate

Retrieve the Salesforce entity ID value from the PingFederate admin console. You need this entity ID value when configuring the Salesforce application in VMware Identity Manager.

1.1. Select Salesforce Application in PingFederate

  1. Click Identity Provider.
  2. Select the IdP Connection or application that you want to add to the Workspace ONE catalog (in this example, Salesforce).

1.2. Copy Entity ID Value

Copy the Entity ID value of the application.

2. Add New Application to Workspace ONE Catalog

Navigate back to your VMware Identity Manager tenant.

  1. Click the Catalog tab.
  2. Click the Web Apps menu.
  3. Click New to add a new application to the catalog.

2.1. Enter Application Name

  1. Enter a Name for the application, for example, Salesforce (Ping).
  2. Click Next.

2.2. Enter Single Sign-On Details

With application sources we can inherit the configuration from the PING application source that was previously configured when adding new applications.

  1. Select PING (Application Source) from the Authentication Type drop-down menu.
  2. Paste the EntityID that was copied from your test application in PingFederate into the TargetURL box.
  3. Click Next.

2.3. Select Access Policies

  1. Select an access policy for your application from the drop-down menu.
  2. Click Next.

2.4. Review the Configuration Summary

Verify the configuration summary.

Click Save & Assign.

3. Assign Users to the Application

  1. Search for your user or user group to assign the application.
  2. Select the user or user group from the drop-down menu.
  3. Click Save.

4. Log In to Workspace ONE

You can now confirm access to your test application from the Workspace ONE catalog.

Navigate to your VMware Identity Manager tenant and log in with your test user.

5. Launch Salesforce Application

Select the Ping Salesforce application. This redirects you to PingFederate with a valid SAML assertion, which in turn redirects you seamlessly to the target application.

Adding PingFederate as Third-Party Identity Provider in Workspace ONE

In the previous exercises, you configured Workspace ONE to act as an identity provider to PingFederate. This allows administrators to use Workspace ONE authentication methods to authenticate users to applications federated with PingFederate. In this exercise, you look at the inverse integration flow, in which PingFederate is used as an identity provider within Workspace ONE. This allows administrators to use PingFederate to authenticate users accessing the Workspace ONE catalog.

1. Exporting SAML Metadata

The first step is to export the SAML metadata.

1.2. Access SAML Metadata

  1. Click SAML Metadata.
  2. Right-click Service Provider (SP) metadata.
  3. Select Save link as.

1.3. Save Locally

Click Save.

2. Adding a Service Provider Connection

This exercise helps you to add a service provider connection in PingFederate.

2.1. Open Configuration Settings

In the PingFederate Console:

  1. Click Identity Provider.
  2. Click Create New.

2.2. Review the Connection Type

Click Next.

2.3. Review Connection Options

Click Next.

2.4. Import Metadata

  1. Select File as the method to input the connection metadata.
  2. Click Choose File.
  3. Select sp, the metadata file you downloaded from VMware Identity Manager.
  4. Click Open.
  5. Click Next.

2.5. Review the Metadata Summary

Verify that the Entity ID is the VMware Identity Manager metadata xml URL, and click Next.

2.6. Review General Info

Click Next.

2.7. Configure Browser SSO

Click Configure Browser SSO.

2.8. Assign SSO Profiles

  1. Select the SP-Initiated SSO check box, to apply SSO to applications launched from within the Workspace ONE catalog.
  2. Click Next.

2.9. Review Assertion Lifetime Settings

Click Next.

2.10. Create an Assertion

Click Configure Assertion Creation.

2.11. Select the Attribute Contract Type

For this configuration, you send the SP (Workspace ONE) a standard attribute (userPrincipalName) as the main identifier in the assertion; therefore, select a Standard Attribute Contract.

  1. Select Standard as the Attribute Contract type.
  2. Click Next.

2.12. Review the Attribute Contract

  1. For the Subject Name Format, keep the default Unspecified format in this configuration.
  2. Click Next.

2.13. Configure Authentication Source Mapping

  1. Click Map New Adapter Instance.
  2. Choose HTML Form Adapter from the Adapter Instance drop-down menu.
  3. Click Next.

2.14. Define Mapping Method and Attribute Contract

  1. Select Use Only The Adapter Contract Values in the SAML Adapter. Because userPrincipalName is already a part of the Adapter Contract, we can choose to only use the values included in the contract.
  2. Click Next.
  3. Select Adapter from the Source drop-down menu.
  4. Select userPrincipalName from the Value drop-down menu. PingFederate will pass userPrincipalName as the SAML_Subject value in the SAML assertion passed to Workspace ONE.
  5. Click Next.

2.15. Define SAML Bindings and Signature Policy

  1. Select the Post binding.
  2. Select the Redirect binding.
  3. Click Next.
  4. Select Always Sign the SAML Assertion.
  5. Click Next.

2.16. Select Encryption Policy

  1. Select None to opt-out of encrypting the SAML messages.
  2. Click Next.

2.17. Review Protocol Settings

Review the Protocol Settings summary, and click Done.

2.18. Continue to Browser SSO Summary

On the Protocol Settings tab, click Next.

2.19. Review Browser SSO Summary

Review the Browser SSO summary, and click Done.

2.20. Continue Configuring the SP Connection

Click Next.

2.21. Review IdP Adapter Mapping

  1. Click Next.
  2. Review the IDP Adapter Mapping summary, and click Done.

2.22. Review Assertion Creation

  1. Click Next.
  2. Review the Assertion Creation summary, and click Done.

2.23. Continue to Protocol Settings

On the Assertion Creation tab, click Next.

2.24. Configure Protocol Settings

  1. Click Configure Protocol Settings.
  2. Delete all pre-configured bindings except for POST.
  3. Click Next.

2.25. Configure Credentials

Click Configure Credentials.

2.26. Select a Certificate

  1. Select your signing certificate from the Signing Certificate drop-down menu.
  2. Click Next.

2.27. Review Certificate Summary

Click Done.

2.28. Continue Configuring the SP Connection

Click Next.

2.29. Activate the Connection

  1. Select Active as the Connection Status.
  2. Click Save.

2.30. Verify the Connection

Verify that the new SP Connection for Workspace ONE has been created.

3. Exporting Metadata from PingFederate

Now that you have created the SP configuration for Workspace ONE in PingFederate, you must create the IdP configuration in Workspace ONE for PingFederate. This exercise helps you to export the appropriate metadata file from PingFederate.

3.1. Begin Metadata Export

  1. Click Server Configuration.
  2. Click Metadata Export.

3.2. Select the Metadata Role

  1. Select I am the Identity Provider.
  2. Click Next.

3.3. Select the Metadata Mode

  1. Select Use a Connection for Metadata Generation.
  2. Click Next.

3.4. Configure Connection Metadata

  1. Select the Workspace ONE SP Connection from the drop-down menu.
  2. Click Next.

3.5. Configure Metadata Signing

  1. Select the signing certificate for your PingFederate setup from the Signing Certificate drop-down menu.
  2. Select RSA SHA256 as the Signing Algorithm from the drop-down menu.
  3. Click Next.

3.6. Begin Metadata Export

Click Export.

3.7. Save Metadata File

Save the metadata file locally on your computer.

Click Save.

3.8. Copy Contents of Metadata File

Copy the contents of the metadata file downloaded from PingFederate to your clipboard.

4. Creating Third-Party Identity Provider

Next, add PingFederate as an identity provider in Workspace ONE.

4.1. Begin Third-Party Identity Provider Creation

Navigate to the VMware Identity Manager tenant.

  1. Click Identity & Access Management.
  2. Click Identity Providers.
  3. Click Add Identity Provider.
  4. Click Create Third Party IDP.

4.2. Provide Identity Provider Details

  1. Enter a name for Identity Provider Name, for example, PING.
  2. Paste the contents of the metadata file into the text box.
  3. Click Process IdP Metadata.
  4. Select Unspecified as the Name ID format.
  5. Select userPrincipalName as the Name ID Value.

4.3. Continue Entering Identity Provider Details

  1. Enable the IDP for the same set of users (domain) configured in PingFederate.
  2. Enable the IDP configuration for All Ranges.
  3. Create a new Authentication Method with an appropriate name, for example, PingPassword.
  4. Select urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the SAML Context for the Authentication Method.
  5. Click Add.
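Steps 2.11 to 2.16 and 4.2 to 4.3 together fix what Workspace ONE should expect in every assertion it receives from PingFederate: the issuer is the PingFederate entity ID, the assertion is always signed and not encrypted, the NameID uses the Unspecified format and carries userPrincipalName, and the authentication context is urn:oasis:names:tc:SAML:2.0:ac:classes:Password. The following Python script is an added example, not part of this tutorial and not VMware's or Ping's code; it applies exactly those expectations, plus the standard audience and validity-window conditions, to a received SAML Response and returns the subject together with any policy violations. It does not verify the XML signature cryptographically (a real SP does that with a SAML library against the certificate taken from the IdP metadata); it only checks that the assertion carries one. The sample Response, the host names, the entity IDs, the subject and the signature value are constructed placeholders.

```python
"""Added example (not from the tutorial): policy checks an SP applies to an
unencrypted SAML 2.0 Response, as configured for PingFederate -> Workspace ONE."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed placeholders for the IdP entity ID and this SP's entity ID (audience).
IDP_ISSUER = "https://pingfederate.example.com"
SP_AUDIENCE = "https://tenant.example.com/SAAS/API/1.0/GET/metadata/sp.xml"

# Constructed sample Response; the Signature element is a structural placeholder only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://pingfederate.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://pingfederate.example.com</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://tenant.example.com/SAAS/API/1.0/GET/metadata/sp.xml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(response_xml, expected_issuer, expected_audience,
                   expected_authn_context=AC_PASSWORD, now=None):
    """Return (subject, problems): subject is the NameID value (None if absent) and
    problems lists policy violations; an empty list means the assertion is acceptable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return None, ["assertion is encrypted; this checker handles the unencrypted profile only"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, ["Response carries no Assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not the configured IdP {expected_issuer!r}")
    if assertion.find("ds:Signature", NS) is None:  # structural check; crypto verification is separate
        problems.append("assertion is not signed (the SP connection is set to always sign)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not subject:
        problems.append("Subject has no NameID value")
    elif name_id.get("Format", NAMEID_UNSPECIFIED) != NAMEID_UNSPECIFIED:  # absent Format means unspecified
        problems.append(f"unexpected NameID format {name_id.get('Format')!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no Conditions element")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < parse_ts(not_before):
            problems.append("assertion is not yet valid")
        if not_on_or_after and now >= parse_ts(not_on_or_after):
            problems.append("assertion has expired")
        audiences = [a.text.strip() for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include this SP {expected_audience!r}")
    context = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                                 default="", namespaces=NS).strip()
    if context != expected_authn_context:
        problems.append(f"AuthnContextClassRef {context!r} != expected {expected_authn_context!r}")
    return (subject or None), problems
```

The `expected_authn_context` check is the code equivalent of the SAML Context chosen in step 4.3: if PingFederate ever issued an assertion with a different class (for example after a policy change that routes some users through another adapter), the subject would still be returned but the violation would be listed, which is the signal to review the authentication method mapping rather than silently accept the login.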

5. Editing Default Access Policy Set

To authenticate users with the new PING IDP configuration, you must modify the authentication policies in VMware Identity Manager to make use of the authentication method associated with the identity provider. You will modify the default policy set because this is used when accessing the Workspace ONE catalog.

5.1. Select Default Policy

  1. Click Identity & Access Management.
  2. Click Policies.
  3. Click default_access_policy_set.

5.2. Edit Default Access Policy Set

Click Edit.

5.3. Select All Ranges Policy Rule

  1. Click Configuration.
  2. For this setup, modify the last policy rule in the policy set, because it is the one used to authenticate desktop browsers on public networks. You may need to modify a different rule depending on the device type and source network you use to test this configuration.

5.4. Select Authentication Method

  1. Select PingPassword from the ...authenticate using... drop-down menu. This is the Authentication Method associated with the PING IDP.
  2. Click Save.

5.5. Review Configuration Changes

Click Next.

5.6. Review Summary Details

Click Save.

6. Test Single Sign-On to Workspace ONE

You can now test authentication to the Workspace ONE catalog. If you are using a device that matches the modified policy rule, you are automatically redirected to PingFederate for authentication.

6.1. Navigate to Workspace ONE URL and Confirm Redirect to PingFederate

Navigate to your Workspace ONE tenant URL and confirm redirection to PingFederate. Enter your PingFederate credentials.

  1. Enter a username, for example, user.
  2. Enter a password, for example, password.
  3. Click Sign On.

6.2. Confirm Redirect to Workspace ONE App Catalog

After you have successfully authenticated with PingFederate, you should be redirected back and given access to the Workspace ONE catalog.

Summary and Additional Resources

Conclusion

This tutorial provided steps to add Workspace ONE as an identity provider connector and create authentication policies in PingFederate. It also provided steps to add applications federated with PingFederate to Workspace ONE and add PingFederate as a third-party identity provider in Workspace ONE.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Author

This tutorial was written by:

  • Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.