You integrate your enterprise directory with Workspace ONE Access to synchronize users and groups and provide role-based access control to enterprise users.

Directories

Workspace ONE Access has its own concept of a directory, corresponding to Active Directory or LDAP directories in your environment. This internal Workspace ONE Access directory uses attributes to define users and groups. You create one or more directories in the identity and access management service and then synchronize each directory with your corresponding Active Directory or LDAP directory. Workspace ONE Access integrates with the following types of directories:

Table 1. Supported External Directories in Workspace ONE Access

Active Directory over LDAP
  Considerations:
  • Supports connecting to a single Active Directory domain.
  • The native connector binds to Active Directory using simple bind authentication.
  • If you have more than one domain in a forest, you must create a directory for each domain.

Active Directory over Integrated Windows Authentication
  Considerations:
  • Supports connecting to a multi-domain or multi-forest Active Directory environment.
  • The native connector binds to Active Directory using Integrated Windows Authentication.
  • The type and number of directories that you create vary according to your Active Directory environment, such as single-domain or multi-domain, and on the type of trust used between domains.
  • In most environments, you create a single directory.

LDAP directory
  Considerations:
  • Supports integrating enterprise LDAP directories with Workspace ONE Access.
  • You can integrate only a single-domain LDAP directory.
  • Workspace ONE Access supports only OpenLDAP implementations that support paged search queries.

During the integration of Workspace ONE Access, you must:

  • Specify the attributes for users required in the Workspace ONE Access service.

  • Add a directory in Workspace ONE Access for the directory type for your organization.

  • Map user attributes between your enterprise directory and Workspace ONE Access.

  • Specify and synchronize directory users and groups.

  • Establish a synchronization schedule or synchronize on-demand.

This design uses Active Directory over LDAP.

Table 2. Design Decisions on Directories for Workspace ONE Access

VCF-VRS-WSA-CFG-008
  Design Decision: Connect the clustered Workspace ONE Access instance to Active Directory.
  Design Justification: You can integrate your enterprise directory with Workspace ONE Access to synchronize users and groups to the Workspace ONE Access identity and access management services.
  Design Implication: None.

VCF-VRS-WSA-CFG-009
  Design Decision: Use Active Directory over LDAP as the Directory Service connection option.
  Design Justification: The native (embedded) Workspace ONE Access connector binds to Active Directory over LDAP using a standard bind authentication.
  Design Implication:
  • In a multi-domain forest, where the Workspace ONE Access instance connects to a child domain, Active Directory security groups must have global scope. Therefore, members added to the Active Directory global security group must reside within the same Active Directory domain.
  • If authentication to more than one Active Directory domain is required, additional Workspace ONE Access directories are required.

VCF-VRS-WSA-CFG-010
  Design Decision: Use an Active Directory user account with the minimum of read-only access to the Base DNs for users and groups as the service account for the Active Directory bind.
  Design Justification: Provides the following access control features:
  • Workspace ONE Access connects to Active Directory with the minimum set of permissions required to bind and query the directory.
  • A dedicated account improves accountability when tracking request-response interactions between Workspace ONE Access and Active Directory.
  Design Implication:
  • You must manage the password life cycle of this account.
  • If authentication to more than one Active Directory domain is required, an additional account is required for the Workspace ONE Access connector bind to each Active Directory domain over LDAP.

VCF-VRS-WSA-CFG-011
  Design Decision: Configure the directory synchronization to synchronize only the groups required for the integrated SDDC solutions.
  Design Justification:
  • Limits the number of replicated groups required for each product.
  • Reduces the replication interval for group information.
  Design Implication: You must manage the groups from your enterprise directory that are selected for synchronization to Workspace ONE Access.

VCF-VRS-WSA-CFG-012
  Design Decision: Enable the synchronization of enterprise directory group members when a group is added to the Workspace ONE Access directory.
  Design Justification: When enabled, members of the enterprise directory groups are synchronized to the Workspace ONE Access directory when the groups are added. When disabled, group names are synchronized to the directory, but members of the group are not synchronized until the group is entitled to an application or the group name is added to an access policy.
  Design Implication: None.

VCF-VRS-WSA-CFG-013
  Design Decision: Enable Workspace ONE Access to synchronize nested group members by default.
  Design Justification: Allows Workspace ONE Access to update and cache the membership of groups without querying your enterprise directory.
  Design Implication: Changes to group membership are not reflected until the next synchronization event.

VCF-VRS-WSA-CFG-014
  Design Decision: Add a filter to the Workspace ONE Access directory settings to exclude users from the directory replication.
  Design Justification: Limits the number of replicated users for Workspace ONE Access to within the maximum scale.
  Design Implication: To ensure that replicated user accounts stay within the maximums, you must define a filtering schema that works for your organization based on your directory attributes.

VCF-VRS-WSA-CFG-015
  Design Decision: Configure the mapped attributes included when a user is added to the Workspace ONE Access directory.
  Design Justification: You can configure the minimum required and extended user attributes to synchronize for directory user accounts, so that the Workspace ONE Access cluster can be used as an authentication source for cross-instance vRealize Suite solutions.
  Design Implication: User accounts in your organization's enterprise directory must have the following required attributes mapped:
  • firstName, for example, givenName for Active Directory
  • lastName, for example, sn for Active Directory
  • email, for example, mail for Active Directory
  • userName, for example, sAMAccountName for Active Directory
  • If you require users to sign in with an alternate unique identifier, for example, userPrincipalName, you must map the attribute and update the identity and access management preferences.

VCF-VRS-WSA-CFG-016
  Design Decision: Configure the Workspace ONE Access directory synchronization frequency to a recurring schedule, for example, 15 minutes.
  Design Justification: Ensures that any changes to group memberships in the corporate directory are available to integrated solutions in a timely manner.
  Design Implication: Schedule the synchronization interval to be longer than the time it takes to synchronize from the enterprise directory. If users and groups are still being synchronized to Workspace ONE Access when the next synchronization is scheduled, the new synchronization starts immediately after the end of the previous iteration. With such a schedule, the process becomes continuous.
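The two decisions on user filtering (VCF-VRS-WSA-CFG-014) and attribute mapping (VCF-VRS-WSA-CFG-015) are easiest to reason about by previewing what one synchronization pass would replicate. The following Python script is an added example, not Workspace ONE Access code and not part of the design guide: it evaluates an RFC 4515 LDAP filter of the kind you would put in the directory settings, then maps the required Active Directory attributes (givenName, sn, mail, sAMAccountName, plus the optional userPrincipalName) onto the Workspace ONE Access attributes named in the design. The directory entries, the filter, the domain names and the function names are all constructed for the example; the bit-AND matching rule OID is Microsoft's documented LDAP_MATCHING_RULE_BIT_AND.

```python
"""Preview one Workspace ONE Access directory sync pass (added example, not product code).

Applies an LDAP user filter (CFG-014) and maps required AD attributes (CFG-015)
against constructed sample entries, reporting what would replicate and what would not."""
import re

# Microsoft LDAP_MATCHING_RULE_BIT_AND; "userAccountControl:<oid>:=2" tests the ACCOUNTDISABLE bit.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Required mapping from the design: Workspace ONE Access attribute -> Active Directory attribute.
REQUIRED_MAP = {"firstName": "givenName", "lastName": "sn",
                "email": "mail", "userName": "sAMAccountName"}
# Optional alternate sign-in identifier mentioned in the design.
OPTIONAL_MAP = {"userPrincipalName": "userPrincipalName"}


def parse_filter(text):
    """Parse an RFC 4515 filter into a tuple tree (subset: & | ! = =* substring attr:rule:=)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if text[pos] in "&|":                 # conjunction / disjunction of child filters
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            expect(")")
            return (op, kids)
        if text[pos] == "!":                  # negation of a single child filter
            pos += 1
            kid = node()
            expect(")")
            return ("!", kid)
        end = text.index(")", pos)
        item, pos = text[pos:end], end + 1
        if ":=" in item:                      # extensible match: attr:rule:=value
            lhs, value = item.split(":=", 1)
            attr, _, rule = lhs.partition(":")
            return ("ext", attr, rule, value)
        attr, value = item.split("=", 1)
        if value == "*":
            return ("present", attr)
        if "*" in value:
            return ("substr", attr, value)
        return ("eq", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def attr_values(entry, name):
    """LDAP attribute names are case-insensitive; return the values of `name` as strings."""
    for key, vals in entry.items():
        if key.lower() == name.lower():
            return [str(v) for v in (vals if isinstance(vals, list) else [vals])]
    return []


def matches(tree, entry):
    """Evaluate a parsed filter against one directory entry (a dict of attribute -> value(s))."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1], entry)
    values = attr_values(entry, tree[1])
    if kind == "present":
        return bool(values)
    if kind == "eq":                          # AD string matching is case-insensitive
        return any(v.lower() == tree[2].lower() for v in values)
    if kind == "substr":                      # turn the "*" wildcards into a regex
        pattern = ".*".join(re.escape(p) for p in tree[2].split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    if kind == "ext" and tree[2] == BIT_AND_RULE:
        mask = int(tree[3])
        return any(int(v) & mask == mask for v in values)
    raise ValueError(f"unsupported filter component: {tree}")


def map_user(entry):
    """Map AD attributes onto Workspace ONE Access attributes; list any required ones that are missing."""
    user, missing = {}, []
    for wsa_attr, ad_attr in REQUIRED_MAP.items():
        vals = attr_values(entry, ad_attr)
        if vals:
            user[wsa_attr] = vals[0]
        else:
            missing.append(wsa_attr)
    for wsa_attr, ad_attr in OPTIONAL_MAP.items():
        vals = attr_values(entry, ad_attr)
        if vals:
            user[wsa_attr] = vals[0]
    return user, missing


def preview_sync(entries, filter_text):
    """Return which entries would replicate, which the filter excludes, and which lack required attributes."""
    tree = parse_filter(filter_text)
    synced, excluded, incomplete = [], [], {}
    for entry in entries:
        name = attr_values(entry, "sAMAccountName")[0]
        if not matches(tree, entry):
            excluded.append(name)
            continue
        user, missing = map_user(entry)
        if missing:
            incomplete[name] = missing
        else:
            synced.append(user)
    return {"synced": synced, "excluded": excluded, "incomplete": incomplete}


# Constructed sample entries (hypothetical; not from any real directory).
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "alice",
     "givenName": "Alice", "sn": "Example", "mail": "alice@example.test",
     "userPrincipalName": "alice@corp.example.test", "userAccountControl": 512},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "bob",
     "givenName": "Bob", "sn": "Example", "mail": "bob@example.test",
     "userAccountControl": 514},                      # 512 | ACCOUNTDISABLE
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "svc-backup",
     "givenName": "Backup", "sn": "Service", "mail": "svc-backup@example.test",
     "userAccountControl": 66048},                    # 512 | DONT_EXPIRE_PASSWORD
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "carol",
     "givenName": "Carol", "sn": "Example", "userAccountControl": 512},  # no mail
]

# Constructed filter: keep user objects, drop disabled accounts and "svc-" service accounts.
SAMPLE_FILTER = ("(&(objectClass=user)"
                 "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
                 "(!(sAMAccountName=svc-*)))")

if __name__ == "__main__":
    result = preview_sync(SAMPLE_ENTRIES, SAMPLE_FILTER)
    for user in result["synced"]:
        print("sync      ", user["userName"], user)
    for name in result["excluded"]:
        print("excluded  ", name)
    for name, missing in result["incomplete"].items():
        print("incomplete", name, "missing", missing)
```

Run against the sample data, alice replicates with all four required attributes and the optional userPrincipalName, bob and svc-backup are excluded by the filter, and carol passes the filter but is reported as incomplete because the mail attribute behind the required email mapping is absent. Running a preview like this against an export of your own directory before enabling the schedule in CFG-016 shows whether the filter keeps the replicated user count within the scale maximums and which accounts would fail the required-attribute mapping.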

Identity Providers and Connectors

Workspace ONE Access synchronizes with the organization's Active Directory by using the native connector component. The users and groups that require access to the SDDC components connected to Workspace ONE Access are synchronized into Workspace ONE Access. In addition, the connector is the default identity provider and authenticates users to the identity and access management service. Authentication is performed against your organization's enterprise directory, but searches are made against the local Workspace ONE Access directory mirror. You can configure high availability for directory synchronization by associating the directory with multiple connector instances.

Table 3. Design Decisions on Identity Providers and Connectors in Workspace ONE Access

VCF-VRS-WSA-CFG-017
  Design Decision: Configure second and third native connectors that correspond to the second and third Workspace ONE Access cluster nodes to support the high availability of directory services access.
  Design Justification: High availability is achieved by installing three Workspace ONE Access cluster nodes load-balanced by an NSX load balancer. Adding the additional native connectors provides redundancy and improves performance by load-balancing authentication requests.
  Design Implication: Each of the Workspace ONE Access cluster nodes must be joined to the Active Directory domain to use Active Directory with Integrated Windows Authentication with the native connector.