You integrate your enterprise directory with Workspace ONE Access to synchronize users and groups, which provides role-based access control for enterprise users.
Directories
Workspace ONE Access has its own concept of a directory, corresponding to Active Directory or LDAP directories in your environment. This internal Workspace ONE Access directory uses attributes to define users and groups. You create one or more directories in the identity and access management service and then synchronize each directory with your corresponding Active Directory or LDAP directory. Workspace ONE Access integrates with the following types of directories:
| Directory Type | Considerations |
|---|---|
| Active Directory over LDAP | |
| Active Directory over Integrated Windows Authentication | |
| LDAP directory | |
During the integration of Workspace ONE Access, you must:

1. Specify the user attributes required in the Workspace ONE Access service.
2. Add a directory in Workspace ONE Access for the directory type used by your organization.
3. Map user attributes between your enterprise directory and Workspace ONE Access.
4. Specify and synchronize directory users and groups.
5. Establish a synchronization schedule or synchronize on demand.
This design uses Active Directory over LDAP.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-VRS-WSA-CFG-008 | Connect the clustered Workspace ONE Access instance to Active Directory. | You can integrate your enterprise directory with Workspace ONE Access to synchronize users and groups to the Workspace ONE Access identity and access management services. | None. |
| VCF-VRS-WSA-CFG-009 | Use Active Directory over LDAP as the Directory Service connection option. | The native (embedded) Workspace ONE Access connector binds to Active Directory over LDAP using standard bind authentication. | |
| VCF-VRS-WSA-CFG-010 | Use an Active Directory user account with, at minimum, read-only access to the Base DNs for users and groups as the service account for the Active Directory bind. | Provides the following access control features: | |
| VCF-VRS-WSA-CFG-011 | Configure the directory synchronization to synchronize only the groups required for the integrated SDDC solutions. | | You must manage the groups from your enterprise directory that are selected for synchronization to Workspace ONE Access. |
| VCF-VRS-WSA-CFG-012 | Enable the synchronization of enterprise directory group members when a group is added to the Workspace ONE Access directory. | When enabled, members of the enterprise directory groups are synchronized to the Workspace ONE Access directory when the groups are added. When disabled, group names are synchronized to the directory, but members of a group are not synchronized until the group is entitled to an application or the group name is added to an access policy. | None. |
| VCF-VRS-WSA-CFG-013 | Enable Workspace ONE Access to synchronize nested group members by default. | Allows Workspace ONE Access to update and cache the membership of groups without querying your enterprise directory. | Changes to group membership are not reflected until the next synchronization event. |
| VCF-VRS-WSA-CFG-014 | Add a filter to the Workspace ONE Access directory settings to exclude users from the directory replication. | Limits the number of replicated users so that Workspace ONE Access stays within its maximum scale. | To ensure that the number of replicated user accounts stays within the maximums, you must define a filtering schema that works for your organization based on your directory attributes. |
| VCF-VRS-WSA-CFG-015 | Configure the mapped attributes included when a user is added to the Workspace ONE Access directory. | You can configure the minimum required and extended user attributes to synchronize directory user accounts so that the Workspace ONE Access cluster can be used as an authentication source for cross-instance vRealize Suite solutions. | User accounts in your organization's enterprise directory must have the following required attributes mapped: |
| VCF-VRS-WSA-CFG-016 | Configure the Workspace ONE Access directory synchronization frequency to a recurring schedule, for example, every 15 minutes. | Ensures that any changes to group memberships in the corporate directory are available to the integrated solutions in a timely manner. | Schedule the synchronization interval to be longer than the time it takes to synchronize from the enterprise directory. If users and groups are still being synchronized to Workspace ONE Access when the next synchronization is scheduled, the new synchronization starts immediately after the previous iteration ends. With this schedule, the process is continuous. |
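Decision VCF-VRS-WSA-CFG-014 leaves the user-exclusion filter to you. The following Python is an added example, not part of this design guide or of Workspace ONE Access: it evaluates a candidate filter against constructed sample user entries so you can see which accounts a filtering schema would keep before applying it. The attribute names, the `svc-*` naming convention and the sample values are assumptions; the disabled-account clause uses the Active Directory bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) on `userAccountControl`.

```python
import fnmatch
# Constructed sample user entries (not from the page); userAccountControl 514 = 512 + ACCOUNTDISABLE bit (2).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "userAccountControl": "512"},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "userAccountControl": "514"},
    {"sAMAccountName": "svc-backup", "mail": "", "userAccountControl": "512"},
    {"sAMAccountName": "carol", "mail": "carol@example.com", "userAccountControl": "512"},
]

def _parse(f, i=0):
    """Parse an RFC 4515 subset (&, |, !, attr=value with * wildcard, AD bitwise-AND match) -> (node, next_index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1]
    if op in "&|":
        kids, i = [], i + 2
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1                      # skip the closing ')'
    if op == "!":
        node, i = _parse(f, i + 2)
        return ("!", node), i + 1
    j = f.index(")", i)
    attr, _, val = f[i + 1:j].partition("=")
    if ":" in attr:                                   # extensible match: attr:OID:=value
        name, rule, _ = attr.split(":")
        if rule != "1.2.840.113556.1.4.803":          # LDAP_MATCHING_RULE_BIT_AND
            raise ValueError(f"unsupported matching rule {rule}")
        return ("bitand", name, int(val)), j + 1
    return ("=", attr, val), j + 1                    # attr=* is presence: any non-empty value matches
def _match(node, entry):
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1], entry)
    raw = entry.get(node[1], "")                      # empty string == attribute absent
    if kind == "bitand":
        return raw != "" and int(raw) & node[2] == node[2]
    return raw != "" and fnmatch.fnmatchcase(raw.lower(), node[2].lower())  # AD equality is case-insensitive
def apply_user_filter(ldap_filter, entries=SAMPLE_USERS):
    """Return the sAMAccountNames the filter keeps, i.e. the accounts that would be replicated."""
    tree, end = _parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after the filter")
    return [e["sAMAccountName"] for e in entries if _match(tree, e)]
# Example exclusion schema: keep users with a mail address, drop svc-* accounts and disabled accounts.
EXAMPLE_FILTER = "(&(mail=*)(!(sAMAccountName=svc-*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
```

Running the same evaluator over an export of your real user entries shows how many accounts a candidate filter keeps, which is the number to compare against the Workspace ONE Access maximums before committing the filter to the directory settings.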
Identity Providers and Connectors
Workspace ONE Access synchronizes with the organization's Active Directory by using the native connector component. Any required users and groups that are provided access to the SDDC components that are connected to Workspace ONE Access are synchronized into Workspace ONE Access. In addition, the connector is the default identity provider and authenticates users to the identity and access management service. Authentication uses your organization's enterprise directory, but searches are made against the local Workspace ONE Access directory mirror. You can configure high availability for directory synchronization by associating the directory with multiple connector instances.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-VRS-WSA-CFG-017 | Configure second and third native connectors that correspond to the second and third Workspace ONE Access cluster nodes to support the high availability of directory services access. | High availability is achieved by installing three Workspace ONE Access cluster nodes load-balanced by an NSX load balancer. Adding the additional native connectors provides redundancy and improves performance by load-balancing authentication requests. | Each of the Workspace ONE Access cluster nodes must be joined to the Active Directory domain to use Active Directory with Integrated Windows Authentication with the native connector. |