You can use the AD FS user interface to create an AD FS Relying Party Trust between your AD FS server and VMware Workspace ONE Access. After you establish access to Workspace ONE Access dashboard, an AD FS relying party trust must be created.
Procedure
- On the AD FS server 4.0 or the Windows server 2016 that you use to manage AWS Directory Service, run the AD FS Management console as an administrator.
- In the left pane, right-click Relying Party Trusts and select Add Relying Party Trust.
The Add Relying Party Trust wizard opens.
- Select Claims aware and click Start.
- On the Select Data Source page,
- Select Import data about the relying party from a file.
- Click Browse and browse to the service provider metadata file that you downloaded from Workspace ONE Access in Download Service Provider Metadata from Workspace ONE Access.
- Click Next and configure Access Policies.
- If you cannot open the Claims wizard, then right-click Relying Party trust that was created in Step 4 and select Edit Claim Insurance Policy.
- Add claim rules.
- Add a GET rule.
Option Value Rule Template Send LDAP Attributes as Claims Claim rule name GET Attribute Store Active Directory LDAP Attribute E-mail Addresses Outgoing Claim Type E-mail Addresses - Add a PUT rule.
Option Value Rule Template Send Claims Using a Custom Rule Claim Rule Name PUT Custom Rule c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<XXX>.gc1.vmwareidentity.us"); Replace <xxx> with the tenant URL information provided to you by VMware.
- Add a firstName rule.
Option Value Rule Template Send LDAP Attributes as Claims Claim Rule Name firstName Attribute Store Active Directory Mapping of LDAP attributes to outgoing claim type - In the LDAP Attribute column, enter Given-Name.
- In the Outgoing Claim Type column, enter firstName.
- Add a lastName rule.
Option Value Rule template Send LDAP Attributes as Claims Claim Rule Name lastName Attribute Store Active Directory Mapping of LDAP attributes to outgoing claim type - In the LDAP Attribute column, enter Surname.
- In the Outgoing Claim Type column, enter lastName.
- Create a userName rule.
Option Value Rule Template Send LDAP Attributes as Claims Claim Rule Name userName Attribute Store Active Directory Mapping of LDAP attributes to outgoing claim type - In the LDAP Attribute column, enter SAM-Account-Name.
- In the Outgoing Claim Type column, enter userName.
- Create an email rule.
Option Value Rule Template Send LDAP Attributes as Claims Claim Rule Name email Attribute Store Active Directory Mapping of LDAP attributes to outgoing claim type - In the LDAP Attribute column, enter E-Mail-Addresses.
- In the Outgoing Claim Type column, enter email.
- Add a GET rule.
- Download the AD FS Federation metadata from your AD FS server.
This is available at https:// <ADFSServer>//FederationMetadata/2007-06/FederationMetadata.xml, where <ADFSServer> is the address of your AD FS server.