You can use the AD FS user interface to create an AD FS Relying Party Trust between your AD FS server and VMware Workspace ONE Access. After you have access to the Workspace ONE Access dashboard, create the AD FS relying party trust.

The UI instructions below are based on Windows Server 2016 with AD FS 4.0. Windows Server 2012 R2 with AD FS 3.0 lists the Relying Party Trusts within the Trust Relationships folder.

Procedure

  1. On the AD FS 4.0 server or the Windows Server 2016 server that you use to manage AWS Directory Service, run the AD FS Management console as an administrator.
  2. In the left pane, right-click Relying Party Trusts and select Add Relying Party Trust.
    The Add Relying Party Trust wizard opens.
  3. Select Claims aware and click Start.
  4. On the Select Data Source page,
    1. Select Import data about the relying party from a file.
    2. Click Browse and browse to the service provider metadata file that you downloaded from Workspace ONE Access in Download Service Provider Metadata from Workspace ONE Access.
  5. Click Next and configure Access Policies.
  6. If you cannot open the Claims wizard, right-click the Relying Party Trust that was created in Step 4 and select Edit Claim Issuance Policy.
  7. Add claim rules.
    1. Add a GET rule.
      Rule Template: Send LDAP Attributes as Claims
      Claim Rule Name: GET
      Attribute Store: Active Directory
      LDAP Attribute: E-mail Addresses
      Outgoing Claim Type: E-mail Addresses
    2. Add a PUT rule.
      Rule Template: Send Claims Using a Custom Rule
      Claim Rule Name: PUT
      Custom Rule:

      c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<XXX>.gc1.vmwareidentity.us");

      Replace <XXX> with the tenant URL information provided to you by VMware.

    3. Add a firstName rule.
      Rule Template: Send LDAP Attributes as Claims
      Claim Rule Name: firstName
      Attribute Store: Active Directory
      Mapping of LDAP attributes to outgoing claim types:
      1. In the LDAP Attribute column, enter Given-Name.
      2. In the Outgoing Claim Type column, enter firstName.
    4. Add a lastName rule.
      Rule Template: Send LDAP Attributes as Claims
      Claim Rule Name: lastName
      Attribute Store: Active Directory
      Mapping of LDAP attributes to outgoing claim types:
      1. In the LDAP Attribute column, enter Surname.
      2. In the Outgoing Claim Type column, enter lastName.
    5. Create a userName rule.
      Rule Template: Send LDAP Attributes as Claims
      Claim Rule Name: userName
      Attribute Store: Active Directory
      Mapping of LDAP attributes to outgoing claim types:
      1. In the LDAP Attribute column, enter SAM-Account-Name.
      2. In the Outgoing Claim Type column, enter userName.
    6. Create an email rule.
      Rule Template: Send LDAP Attributes as Claims
      Claim Rule Name: email
      Attribute Store: Active Directory
      Mapping of LDAP attributes to outgoing claim types:
      1. In the LDAP Attribute column, enter E-Mail-Addresses.
      2. In the Outgoing Claim Type column, enter email.
  8. Download the AD FS Federation metadata from your AD FS server.
    This is available at https://<ADFSServer>/FederationMetadata/2007-06/FederationMetadata.xml, where <ADFSServer> is the address of your AD FS server.
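The same trust, built with the AD FS PowerShell module instead of the wizard, as an added example that is not part of the VMware documentation or Microsoft's own samples. It assumes a metadata file path and trust name of its own, keeps the <XXX> tenant placeholder from step 7.2, folds the four LDAP mappings of steps 7.3 to 7.6 into one LDAP rule, and ends with checks on what the metadata import actually configured.

```powershell
# Added example, not VMware's or Microsoft's own code: the relying party trust from
# the procedure above, created with the AD FS PowerShell module on Windows Server 2016.
# Assumed values: the SP metadata file path, the trust name, and the <XXX> tenant placeholder.
Import-Module ADFS

$trustName    = 'Workspace ONE Access'          # assumed display name
$metadataFile = 'C:\Temp\sp-metadata.xml'       # assumed path of the downloaded SP metadata
$tenantHost   = '<XXX>.gc1.vmwareidentity.us'   # replace <XXX> with your tenant, as in step 7.2

$emailType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$propBase   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/'
$winAccount = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Issuance transform rules in AD FS claim rule language. GET is what the
# "Send LDAP Attributes as Claims" template emits for step 7.1; PUT is the custom
# rule from step 7.2; the last rule folds the four LDAP mappings of steps 7.3-7.6
# (givenName, sn, sAMAccountName, mail) into one LDAP query.
$rules = @"
@RuleName = "GET"
c:[Type == "$winAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailType"), query = ";mail;{0}", param = c.Value);

@RuleName = "PUT"
c:[Type == "$emailType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["${propBase}format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["${propBase}spnamequalifier"] = "$tenantHost");

@RuleName = "firstName, lastName, userName, email"
c:[Type == "$winAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("firstName", "lastName", "userName", "email"), query = ";givenName,sn,sAMAccountName,mail;{0}", param = c.Value);
"@

# Steps 4 and 5: import the SP metadata, attach a built-in access control policy
# (pick the template that matches your requirements), and set the claim rules.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile `
    -AccessControlPolicyName 'Permit everyone' -IssuanceTransformRules $rules

# Verify what the metadata import actually configured before handing the trust over:
# the SP identifier, the SAML endpoints it is allowed to receive assertions at, and the rules.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
$rp | Select-Object Name, Identifier, AccessControlPolicyName, SignedSamlRequestsRequired | Format-List
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.IssuanceTransformRules

# Step 8: the AD FS federation metadata URL to import into Workspace ONE Access.
"https://$((Get-AdfsProperties).HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
```

Compare the Identifier and SamlEndpoints output against the metadata file you downloaded; a mismatch means the wrong file was imported.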