[Technical How-To] Establish AD FS as a VMware Workspace ONE Identity Provider

Jan 2, 2018


Justin Sheets is a Sr. Technical Marketing Manager in the Technical Marketing team at VMware End-User Computing.

Share This Post On

Today’s post explains the procedure for AD FS integration with VMware Identity Manager. Completing these steps establishes AD FS as a Workspace ONE identity provider.

AD FS for Workspace ONE

VMware Workspace ONE unifies Identity Manager access control and application management and VMware AirWatch unified endpoint management (UEM) technology into a single platform. Available as a cloud service or for on-premises deployments, the Workspace ONE platform enables IT to deliver and manage any app on any device.

Integrating Active Directory Federation Services (AD FS) with VMware Workspace ONE leverages organizational configurations, and creates a consistent authentication experience across platforms and device types.

AD FS  & Identity Manager Integration

AD FS Overview

Using claims-based authorization to implement identity federation, AD FS provides single sign-on access to applications and systems.AD FS Integration

What’s a Claim?

A claim is a statement about a user that can include values like the user principal name (UPN), email address, role, group or windows account name.

Contained in a trusted token, a claim serves as one half of a corresponding pair about the user’s identity. Another trusted party, known as a relying party, evaluates the pair to determine authorization.

AD FS vs. SAML Authentication

By default, Identity Manager uses Security Assertion Markup Language (SAML), which is an assertion-based form of authorization. Conceptually, there are many parallels between SAML and AD FS. The table below outlines these similarities. Use these parallels as a foundation for understanding AD FS integration with Identity Manager.

Security Token Assertion Collection of XML-formatted security information describing users, which is created and consumed during a federated access request.
Claim Provider Identity Provider Partner in a federation that creates security tokens for users.
Relying Party Service Provider Partner in a federation that consumes security tokens for providing access to applications.
Claims Assertion Attributes Data about users that is sent inside security tokens.

Integrate AD FS with Identity Manager

Before You Begin AD FS Integration

  • Identity Manager Tenant: Utilize a Software-as-a-Service (SaaS) or on-premises instance of Identity Manager that you have administrator access to.
  • Synced Domain: Utilize the VMware Enterprise Systems Connector to sync a domain and at least a single domain user to log in.
  • Install AD FS: Install AD FS on a server you have access to. This requires administrator access.

Configure AD FS Integration with Identity Manager

The video at the top of this post provides a how-to demonstration of AD FS integration with Identity Manager. For step-by-step instructions of the processes covered in the video, expand the drop-down menus.

Install AD FS

Install AD FS

  1. Navigate to the server where AD FS gets installed. This example uses Windows Server 2012 R2 to install the AD FS server role.
  2. Open Server Manager.
  3. From the top-right corner, navigate to Manage > Add Roles and Features and configure the settings:
    • Installation Type – Select Role-based or feature-based installation.
    • Server Selection – Select the intended server.
    • Server Roles – Enable Active Directory Federation Services.
    • Features – Click Next to continue with modifications.
  4. Step through the remaining instructions and click Install.

Configure AD FS

Configure AD FS

  1. Within Server Manager, next to Manage, select the Notification Flag.
  2. Under the Post-deployment Configuration Notification, click Configure the federation service on this server and complete the fields:
    • Connect to ADFS – Specify an account with Active Directory domain administrator privileges to perform the federation service configuration.
    • Specify Service Properties – Configure the following settings:
      SSL certificate Select a certificate for AD FS configuration.
      Federation Service Name Provide the AD FS service’s endpoint. For example, adfs.airwlab.com.
      Federation Service Display Name Provide the display name. For example, AIRWLAB Federation Services.
    • Specify Service Account – Select an existing domain user account  for the AD FS service account, or create a new one.  Creating a new account requires appropriate access permissions.
    • Specify Database – Choose between using a Windows Internal Database or providing a SQL Server database.  If prompted to overwrite an existing AD FS configuration database, overwrite before continuing.
  3. Confirm the pre-requisites, and click Configure.

AD FS Management

AD FS Management

  1. From Server Manager, select Tools > AD FS Management.
  2. Navigate to AD FS > Service > Endpoints.
  3. Scroll down to the Metadata section, locate the Federation Metadata object, and note the endpoint. The endpoint uses the format: http://adfs.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
  4. Download a copy of the xml, for later use establishing trust between VMware Identity Manager and AD FS.

VMware Identity Manager Configuration

Identity Manager Configuration

    1. Login to your Identity Manager tenant with an administrator account.
    2. Navigate to Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP.
      • Identity Provider Name – Use any name as desired. For example, ADFS.
      • SAML Metadata – Copy and paste the previously downloaded FederationMetadata.xml file into the field, and click Process IdP Metadata.  The Name ID format mappings use the imported xml to establish. This creates trust with AD FS as an Identity Provider for VMware Identity Manager.
      • Just-in-Time User Provisioning – Leave this setting disabled, because this guide does not cover this implementation.
      • Users – Select the Directory that this Identity Provider applies to. For example, select the synced corp.local directory, which contains the corp.local domain users.
      • Network – If setup, choose the network range this Identity Provider applies to. Use the default value, ALL RANGES,  to apply the identity provider across all networks.
      • Authentication Methods – Choose the method used to authenticate users processed by this identity provider. For example, review the table below:
        Authentication Methods
        SAML Context
        SAML Password urn:oasis:names:tc:SAML:2.0:ac:classes:Password
        SAML Kerberos urn:oasis:names:tc:SAML:2.0:ac:classes:Password
        Windows Auth urn:federation:authentication:windows
      • Single Sign-Out Configuration – Allow users to end their IdP session when they sign out from the Workspace ONE apps portal.
      • Service Provider Metadata – Open a URL that contains the metadata required to establish trust between AD FS and the VMware Identity Manager tenant.
    3. Click Save.

Configure Relying Party Trust in AD FS

Configure Relying Party Trust in AD FS

  1. Return to AD FS Management and navigate to AD FS > Trust Relationships > Relying Party Trusts > Add Relying Party Trust.
    • Select Data Source – Import the Metadata file using the URL or the file. For example, provide the Service Provider Metadata URL from the previous step.
    • Multi-Factor Authentication – Configuring Multi-Factor Authentication (MFA) is beyond the scope of these instructions, so leave this option disabled.
    • Issuance Authorization Rules – Permit all users to access this relying party.
    • Ready to Add Trust – Review the settings, and click Next to add the trust.
  2. Select the option, Open the Edit Claim Rules dialog for this relying trust when the wizard closes, and add the following claims rules.
    Add the Get Attributes Email Address Rule
    1. Click Add Rule.
    2. Select Send LDAP Attributes as Claims, and click Next.
      • Claim Rule Name – Get Attributes Email Address
      • Attribute Store – Active Directory
      • LDAP Attribute – E-Mail-Address
      • Outgoing Claim Type – E-Mail Address
    3. Click Finish.
    Add the Transform Email Address Rule
    1. Click Add Rule.
    2. Select Send Claims using a Custom Rule, and click Next.
      • Claim Rule Name – Transform Email Address
      • Custom Rule – Enter the below text and change the spnamequalifier to your VMware Identity Manager URL:c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”] => issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier”, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties[“http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format”] = “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”, Properties[“http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier“] = “yourtenant.vmwareidentity.com“);
    3. Click Finish.

Identity Manager Policy Configuration

Identity Manager Policy Configuration

  1. Return to your VMware Identity Manager tenant. In the Administration Console, navigate to Identity & Access Management > Policies.
  2. Click the default_access_policy_set
  3. Add new Policy Rules:
    Handle Local Users Authenticating into the Workspace ONE Portal
    1. Under Policy Rules, click the + button.
    2. Configure the specified settings:
      • Network Range – ALL RANGES.
      • Device Types – All Device Types
      • Authentication Methods – Password (Local Directory)–Select Authentication Method.
    3. Click OK.
    4. Use the handle on the left of the newly created policy rule to drag it to the top of the current Policy Rules list.
    Handle Domain Users Authenticating into the Workspace ONE Portal through AD FS
    1. Under Policy Rules, click the + button.
    2. Configure the specified settings:
      • Network Range – ALL RANGES.
      • Device Types – All Device Types.
      • User Groups – Click Edit Groups and select the user group for your domain users.
      • Authentication Methods – Select SAML Kerberos, Select Windows Auth, Click + fallback method(s), Select SAML Password
    3. Click OK.
    4. Use the handle on the left of the newly created policy rule to drag it to the top of the current Policy Rules list.


468 ad