Configuring Workspace ONE Access as an Identity Provider (IdP) with VMware Cloud Web Security

This section covers configuring Workspace ONE Access as an Identity Provider (IdP) for VMware Cloud Web Security. We first cover the Workspace ONE configuration, and then the VMware SASE Orchestrator configuration.

Prerequisites

A user needs the following to configure Workspace ONE as an identity provider with VMware Cloud Web Security:

A Workspace ONE account.
A customer enterprise on a production VMware SASE Orchestrator with Cloud Web Security Enabled. The Orchestrator must use Release 4.5.0 or later.

Workspace ONE Access Configuration

Create Users and Groups. Associate the users to the group.
Go to Catalog > Web Apps .
Click on New to add a New Application.
Name the Application as VMware CWS and click Next.
On the Configuration section:
1. Enter the following details for Single Sign-On:
  - Authentication Type: SAML 2.0
  - Configuration: Manual
  - Single Sign-On URL: https://safe-cws-sase.vmware.com/safeview-auth-server/saml
  - Recipient URL: https://safe-cws-sase.vmware.com/safeview-auth-server/saml
  - Application ID: https://safe-cws-sase.vmware.com/safeview-auth-server/saml/metadata
  - Username Format: Email Address ([email protected])
  - Username Value: ${user.email}
2. Click on Advanced Properties and Add a Customer Attribute Marking as below. This configuration is to send groups attribute in SAML assertion. Note: the Name must be "groups" and the Value is ${groupNames}.
3. Click Next.
On the Access Policies page, “default_access_policy_set” is automatically selected.
Click Next and Click Save and Assign.
Under Catalog > Web Apps >, click on Settings.
In the Settings window, go to the SAML Metadata section.
Click on Identity Provider (IdP) metadata. This action opens a new window in your browser with XML data. Copy the "entityID" and "Location" URL into a notepad.
- entityID: https://<ws1access_server>/SAAS/API/1.0/GET/metadata/idp.xml
- Location: https://<ws1access_server>/SAAS/auth/federation/sso
  where <ws1access-server> is the Workspace ONE Access server in your environment.
Go back to the Setting window and then copy the contents of Signing Certificate to the notepad.
Assign User Groups to the VMware CWS web application.

VMware SASE Orchestrator Configuration

Log onto the Orchestrator UI and then open the New Orchestrator UI.
Go to Cloud Web Security > Configure Authentication. Enable Single Sign On.
Configure the following:
- For SAML Server Internet Accessible select Yes
- For SAML Provider select Workspace ONE Access
- For SAML 2.0 Endpoint, copy the Location URL from the notepad. For example, Location: https://<ws1access_server>/SAAS/auth/federation/sso
- For Service Identifier (Issuer), copy the entityID URL from the notepad. For example, entityID: https://<ws1access_server>/SAAS/API/1.0/GET/metadata/idp.xml
- X.509 Certificate, click on Add Certificate and copy the certificate from the notepad and paste here.
- Click Save Changes
Add an SSL Bypass rule for the Workspace ONE Access domain.
- Under Cloud Web Security, Configure > Select Policy for example, "SecurityPolicy1"
- Click on Policy > Edit
- Under SSL Inspection
  - Add Rule
  - For Skip SSL Inspection based on: select Destination checkbox
  - For Destination Type, select Destination Host/Domain
  - Then specify the domain of the Workspace ONE Access server: vidmpreview.com, and click Next.
- On the Name and Tags screen, name the new rule and add a reason, if desired. Click Finish, and then republish the Security Policy to apply this new rule.
Important: The domain vidmpreview.com is part of the Workspace ONE pair of domains as found in the document: Domains and CIDRs Where an SSL Inspection Bypass Rule Is Recommended. If you have already configured an SSL Bypass rule which includes both Workspace ONE domains, you can skip this step. If you attempt to configure the above rule while also already having the Workspace ONE domain set included in an existing SSL Bypass rule, the new rule will throw an error as only one SSL Bypass domain instance is permitted or needed per customer enterprise.
For more information on domains that should have SSL Bypass rules configured, consult Domains and CIDRs Where an SSL Inspection Bypass Rule Is Recommended.

Verifying Your Configuration

Verifying your configuration may be done using one or more group based web policy rules on Cloud Web Security. For example, using URL Filtering and blocking Twitter.com.

Add the Groups to be considered for the URL Filter rule.

Note: The groups have to be specified manually. There is no 'search' capability to select which groups. Add the group name as they are setup in Workspace ONE Access.

Check the Web Logs under Cloud Web Security > Monitor > Web Logs