This section covers configuring Workspace ONE Access as an Identity Provider (IdP) for VMware Cloud Web Security. We first cover the Workspace ONE configuration, and then the VMware Cloud Orchestrator configuration.

Prerequisites

Users need the following to configure Workspace ONE as an identity provider with VMware Cloud Web Security:
  1. A Workspace ONE account.
  2. A customer Enterprise on a production VMware Cloud Orchestrator with Cloud Web Security activated. The Orchestrator must use Release 4.5.0 or later.

Workspace ONE Access Configuration

  1. Create the users and groups that will use Cloud Web Security, and add the users to their groups.
  2. Go to Catalog > Web Apps.
  3. Click on New to add a New Application.
  4. Name the application VMware CWS and click Next.
  5. On the Configuration section:
    1. Enter the following details for Single Sign-On:
    2. Click Advanced Properties and add a Custom Attribute Mapping as shown below. This mapping sends the user's group memberships as a groups attribute in the SAML assertion; Cloud Web Security relies on that attribute for its group-based policy rules.
      Note: The Name must be "groups" and the Value must be ${groupNames}.
    3. Click Next.
  6. On the Access Policies page, “default_access_policy_set” is automatically selected.
  7. Click Next and Click Save and Assign.
  8. Under Catalog > Web Apps, click Settings.
  9. In the Settings window, go to the SAML Metadata section.
  10. Click Identity Provider (IdP) metadata. This opens a new browser window containing the IdP metadata XML. Copy the "entityID" and the "Location" URL into a notepad.
    • entityID: https://<ws1access_server>/SAAS/API/1.0/GET/metadata/idp.xml
    • Location: https://<ws1access_server>/SAAS/auth/federation/sso

      where <ws1access_server> is the Workspace ONE Access server in your environment.

  11. Go back to the Settings window and copy the contents of Signing Certificate to the notepad.
  12. Assign User Groups to the VMware CWS web application.
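
Steps 10 and 11 have you copy the entityID, the SSO Location and the signing certificate out of the IdP metadata by hand, and the Orchestrator configuration below consumes exactly those three values. The following script is an added example, not part of the VMware documentation: it parses Workspace ONE Access IdP metadata and extracts the values, checks that the certificate body is valid base64 (a mangled copy and paste is a common cause of failed sign-ins) and that the entityID and Location point at the same host. The metadata in the script is constructed for the example; the host ws1access.example.com, the certificate body and the binding preference order are assumptions, and a real tenant serves its metadata at https://<ws1access_server>/SAAS/API/1.0/GET/metadata/idp.xml.

```python
# Added example: extract the Cloud Web Security IdP settings from Workspace ONE Access
# IdP metadata. Not VMware code; the metadata below is constructed for illustration.
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the base64 certificate body; NOT a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(
    b"constructed placeholder for the Workspace ONE Access signing certificate " * 3
).decode()

# Constructed metadata with the shape Workspace ONE Access publishes (placeholder host).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://ws1access.example.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ws1access.example.com/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ws1access.example.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_body: str) -> str:
    """Normalise an <X509Certificate> body (whitespace, line breaks) into PEM form."""
    body = "".join(b64_body.split())  # drop the XML indentation and newlines
    try:
        base64.b64decode(body, validate=True)  # fail early on a truncated or mangled copy
    except ValueError as exc:
        raise ValueError("certificate body is not valid base64") from exc
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the three values the Orchestrator's Identity Provider page asks for."""
    root = ET.fromstring(xml_text)
    entity_id = root.attrib["entityID"]  # -> Service Identifier (Issuer)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"]
    if not signing:
        raise ValueError("metadata carries no signing certificate")
    cert_el = signing[0].find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("signing KeyDescriptor has no X509Certificate")

    # Workspace ONE Access publishes the same Location for both bindings; preferring
    # HTTP-Redirect over HTTP-POST is an assumption for IdPs where they differ.
    by_binding = {s.get("Binding"): s.get("Location")
                  for s in idp.findall("md:SingleSignOnService", NS)}
    location = None
    for binding in ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"):
        if by_binding.get(binding):
            location = by_binding[binding]  # -> SAML 2.0 Endpoint
            break
    if location is None:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")

    # Both URLs should name the same Workspace ONE Access host; a mismatch usually
    # means the values were copied from two different tenants or windows.
    eid_host, sso_host = urlparse(entity_id).hostname, urlparse(location).hostname
    if eid_host != sso_host:
        raise ValueError(f"entityID host {eid_host!r} differs from SSO host {sso_host!r}")

    return {"entity_id": entity_id,
            "sso_location": location,
            "signing_cert_pem": to_pem(cert_el.text)}


if __name__ == "__main__":
    values = parse_idp_metadata(SAMPLE_METADATA)
    print("Service Identifier (Issuer):", values["entity_id"])
    print("SAML 2.0 Endpoint:          ", values["sso_location"])
    print(values["signing_cert_pem"])
```

To use it against a real tenant, save the metadata window's XML to a file and pass its contents to parse_idp_metadata; the three printed values are what you enter in the Orchestrator's Identity Provider settings. The host check is deliberately a hard error so that a copy from the wrong tenant is caught before it is saved.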

VMware Cloud Orchestrator Configuration

  1. Log in to the New Orchestrator UI.
  2. Go to Cloud Web Security > Configure > Enterprise Settings > Identity Provider. The Identity Provider Settings page appears.
  3. Toggle Single Sign On to Enabled.
  4. Configure the following:
    • For SAML Server Internet Accessible, select Yes.
    • For SAML Provider, select Workspace ONE Access.
    • For SAML 2.0 Endpoint, paste the Location URL from the notepad. For example: https://<ws1access_server>/SAAS/auth/federation/sso
    • For Service Identifier (Issuer), paste the entityID URL from the notepad. For example: https://<ws1access_server>/SAAS/API/1.0/GET/metadata/idp.xml
    • For X.509 Certificate, click Add Certificate and paste the Signing Certificate from the notepad. Cloud Web Security uses this certificate to verify the signature on the SAML assertions it receives from Workspace ONE Access, so if the Workspace ONE Access signing certificate is ever rotated, copy the new certificate from Catalog > Web Apps > Settings and update it here, otherwise sign-in fails.
    • Click Save Changes.
  5. Add an SSL Bypass rule for the Workspace ONE Access domain, so that the sign-in traffic to Workspace ONE Access is not intercepted by SSL inspection.
    1. Navigate to Cloud Web Security > Configure > Security Policies.
    2. Select the existing policy to which you want to add the SSL Bypass rule and click Edit.
    3. Click the SSL Inspection tab and click + Add Rule. The Create SSL Exception screen appears.
    4. In the Create SSL Exception screen, configure the following and click Next:
      • For Skip SSL Inspection based on, select Destination.
      • For Destination Type, select Destination Host/Domain.
      • For Domain, enter vidmpreview.com.
    5. In the Name and Tags screen, enter a unique name for the rule and, if needed, a reason.
    6. Click Finish, and then Publish the applicable Security Policy to apply this new rule.
    Important: The domain vidmpreview.com is one of the pair of Workspace ONE domains listed in Domains and CIDRs Where an SSL Inspection Bypass Rule Is Recommended. If you have already configured an SSL Bypass rule that includes both Workspace ONE domains, skip this step. If you attempt to configure the rule above while an existing SSL Bypass rule already includes the Workspace ONE domain set, the new rule fails with an error, because only one SSL Bypass instance of a domain is permitted (or needed) per Enterprise customer.

    For more information on domains that should have SSL Bypass rules configured, consult Domains and CIDRs Where an SSL Inspection Bypass Rule Is Recommended.

Verifying Your Configuration

You can verify the configuration with one or more group-based web policy rules in Cloud Web Security. For example, create a URL Filtering rule that blocks Twitter.com for a specific Workspace ONE Access group, then sign in as a member of that group and confirm that the site is blocked.

Add the groups the URL Filter rule should apply to.

Note: The groups have to be entered manually; there is no search capability for selecting them. Enter each group name exactly as it is set up in Workspace ONE Access, because the rule is matched against the values that the groups attribute (${groupNames}) carries in the SAML assertion, so a name that differs from the assertion value does not match.

Check the Web Logs under Cloud Web Security > Monitor > Web Logs and confirm that requests from members of the group were blocked as expected.
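
When a group-based rule does not fire, the two usual causes are that the groups attribute mapping from the Workspace ONE Access configuration (step 5.2) was not applied, so the assertion carries no groups attribute at all, or that the group name entered in the rule does not exactly match the value in the assertion. The script below is an added example, not part of the VMware documentation: it decodes a captured SAMLResponse form value, confirms the assertion Issuer matches the Service Identifier configured in the Orchestrator, and compares the groups in the assertion against the group names entered in a rule, reporting exact matches and near misses (case or whitespace differences). The response, the user jdoe@example.com, the group names and the host ws1access.example.com are constructed for the example, and treating the comparison as exact is an assumption, since the page does not state how the product normalises group names. Signature validation is deliberately out of scope here; Cloud Web Security performs it with the X.509 certificate you configured.

```python
# Added example: inspect a captured SAMLResponse for the Issuer and 'groups' values that
# Cloud Web Security group-based rules depend on. Not VMware code; sample data is constructed.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Placeholder entityID; matches the Service Identifier (Issuer) entered in the Orchestrator.
IDP_ENTITY_ID = "https://ws1access.example.com/SAAS/API/1.0/GET/metadata/idp.xml"

# Constructed, unsigned response with the 'groups' attribute produced by the
# Custom Attribute Mapping (Name "groups", Value ${groupNames}).
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>CWS-Users</saml:AttributeValue>
        <saml:AttributeValue>CWS-NoSocial</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The browser posts the response base64-encoded in the SAMLResponse form field.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

GROUPS_ATTR = "saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='groups']"


def decode_saml_response(saml_response_b64: str) -> ET.Element:
    """Base64-decode a SAMLResponse form value and parse the XML."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def assertion_issuer(root: ET.Element):
    """Issuer of the assertion, or None if absent."""
    assertion = root.find("saml:Assertion", NS)
    issuer = assertion.find("saml:Issuer", NS) if assertion is not None else None
    return issuer.text.strip() if issuer is not None and issuer.text else None


def groups_from_assertion(root: ET.Element) -> list:
    """Values of the 'groups' attribute, in assertion order."""
    values = root.findall(GROUPS_ATTR + "/saml:AttributeValue", NS)
    return [v.text.strip() for v in values if v.text]


def inspect_response(saml_response_b64: str, expected_issuer: str, rule_groups: list) -> dict:
    """Compare an assertion with the Issuer and group names configured in Cloud Web Security."""
    root = decode_saml_response(saml_response_b64)
    groups = groups_from_assertion(root)
    matched = [g for g in rule_groups if g in groups]          # exact match (assumption)
    unmatched = [g for g in rule_groups if g not in groups]
    # Flag rule names that differ from an assertion value only by case or whitespace.
    near_misses = {}
    for rule_group in unmatched:
        close = [a for a in groups if a.strip().casefold() == rule_group.strip().casefold()]
        if close:
            near_misses[rule_group] = close
    return {
        "issuer_ok": assertion_issuer(root) == expected_issuer,
        "has_groups_attribute": root.find(GROUPS_ATTR, NS) is not None,
        "groups": groups,
        "matched": matched,
        "unmatched": unmatched,
        "near_misses": near_misses,
    }


if __name__ == "__main__":
    report = inspect_response(SAMPLE_SAMLRESPONSE, IDP_ENTITY_ID,
                              ["CWS-NoSocial", "cws-users", "Contractors"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Capture the SAMLResponse value from the browser's developer tools or a proxy during a test sign-in, then call inspect_response with the Service Identifier you configured and the group names you typed into the rule. An empty has_groups_attribute points back at the Custom Attribute Mapping step; an entry in near_misses points at a group name that was typed differently from how it is set up in Workspace ONE Access.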