To enable identity and access management in the SDDC, you integrate your Active Directory with the clustered Workspace ONE Access instance and configure attributes to synchronize users and groups.


  1. In a web browser, log in to the administration interface of the clustered Workspace ONE Access instance (https://<wsa_cluster_fqdn>/admin) as the configadmin user in the System Domain.
  2. On the main navigation bar, click Identity and access management.
  3. Click the Directories tab, and from the Add directory drop-down menu, select Add Active Directory over LDAP/IWA.
  4. On the Add directory page, configure the following settings, click Test connection, and then click Save and next.



    | Setting | Value |
    |---|---|
    | Directory name | Enter a name for the directory. For example, Active Directory over LDAP. |
    | Sync connector | Select the FQDN of vidm-primary. |
    | Do you want this connector to also perform authentication? | |
    | Directory search attribute | |
    | This Directory requires all connections to use STARTTLS (Optional) | If you want to secure communication between Workspace ONE Access and Active Directory, select this option and paste the Root CA certificate in the SSL Certificate box. |
    | Base DN | Enter the Base Distinguished Name from which to start user searches. For example, cn=Users,dc=sfo,dc=rainpole,dc=io. |
    | Bind DN | Enter the DN for the user to connect to Active Directory. For example, cn=svc-wsa-ad,ou=Service Accounts,dc=sfo,dc=rainpole,dc=io. |
    | Bind user password | Enter the password for the Bind user. For example: svc-wsa-ad_password. |

  5. On the Select the domains page, review the domain name and click Next.
  6. On the Map user attributes page, review the attribute mappings and click Next.
  7. On the Select the groups (users) you want to sync page, enter the distinguished name for the folder containing your groups (for example, OU=Security Groups,DC=sfo,DC=rainpole,DC=io) and click Select.
  8. For each Group DN you want to include, select the group that the clustered Workspace ONE Access instance uses for each of the roles, click Save, and then click Next.


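    | Product | Role Assigned via Group |
    |---|---|
    | Workspace ONE Access | Super Admin |
    | Workspace ONE Access | Directory Admin |
    | Workspace ONE Access | ReadOnly Admin |
    | vRealize Suite Lifecycle Manager | VCF Role |
    | vRealize Suite Lifecycle Manager | Content Admin |
    | vRealize Suite Lifecycle Manager | Content Developers |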

  9. On the Select the Users you would like to sync page, enter the distinguished name for the folder containing your users (for example, OU=Users,DC=sfo,DC=rainpole,DC=io) and click Next.
  10. On the Review page, click Edit, select Every 15 minutes from the Sync frequency drop-down menu, and click Save.
  11. To initialize the directory import, click Sync directory.
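
A pre-flight check for the values entered in steps 4, 7 and 9, as an added example that is not part of the original procedure or of any VMware tooling. It parses each DN (including backslash-escaped commas), flags a directory configured without STARTTLS or without a root CA certificate, and flags DNs whose dc= components differ from the Base DN. The dictionary keys and the rule that all DNs share the Base DN's domain are assumptions of this example.

```python
def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        esc = ch == "\\" and not esc
    return parts + [cur]

def parse_dn(dn):
    """Return [(attribute, value), ...]; raise ValueError on a malformed RDN."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = (s.strip().lower() for s in rdn.partition("="))
        if not (sep and attr and value):
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((attr, value))
    return pairs

def domain_of(dn):  # DNS domain implied by the DN's dc= components
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")

def preflight(cfg):
    """Return findings for the directory settings; an empty list means clean."""
    findings = []
    if not cfg.get("starttls"):
        findings.append("STARTTLS is off: the bind password is sent unencrypted")
    elif "BEGIN CERTIFICATE" not in cfg.get("ca_cert", ""):
        findings.append("STARTTLS is on but no PEM root CA certificate is set")
    domain = domain_of(cfg["base_dn"])
    for key in ("bind_dn", "group_dn", "user_dn"):
        try:
            if domain_of(cfg[key]) != domain:
                findings.append(f"{key} is outside the Base DN domain {domain}")
        except ValueError as err:
            findings.append(f"{key}: {err}")
    return findings

# DNs are the page's example values; the dict keys are hypothetical names.
CFG = {
    "starttls": False,
    "base_dn": "cn=Users,dc=sfo,dc=rainpole,dc=io",
    "bind_dn": "cn=svc-wsa-ad,ou=Service Accounts,dc=sfo,dc=rainpole,dc=io",
    "group_dn": "OU=Security Groups,DC=sfo,DC=rainpole,DC=io",
    "user_dn": "OU=Users,DC=sfo,DC=rainpole,DC=io",
}
print(preflight(CFG))
```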