This section covers configuring Workspace ONE Access as an Identity Provider (IdP) for VMware Cloud Web Security. We first cover the Workspace ONE configuration, and then the VMware Cloud Orchestrator configuration.
Prerequisites
Users need the following to configure Workspace ONE as an identity provider with
VMware Cloud Web Security:
- A Workspace ONE account.
- A customer Enterprise on a production VMware Cloud Orchestrator with Cloud Web Security activated. The Orchestrator must use Release 4.5.0 or later.
Workspace ONE Access Configuration
- Create Users and Groups. Associate the users to the group.
- Go to .
- Click on New to add a New Application.
- Name the Application as VMware CWS and click Next.
- On the Configuration section:
- Enter the following details for Single Sign-On:
- Authentication Type: SAML 2.0
- Configuration: Manual
- Single Sign-On URL: https://safe-cws-sase.vmware.com/safeview-auth-server/saml
- Recipient URL: https://safe-cws-sase.vmware.com/safeview-auth-server/saml
- Application ID: https://safe-cws-sase.vmware.com/safeview-auth-server/saml/metadata
- Username Format: Email Address ([email protected])
- Username Value: ${user.email}
- Click on Advanced Properties and Add a Custom Attribute Mapping as below. This configuration is to send groups attribute in SAML assertion.
Note: The Name must be "groups" and the Value is ${groupNames}.
- Click Next.
- Enter the following details for Single Sign-On:
- On the Access Policies page, “default_access_policy_set” is automatically selected.
- Click Next and Click Save and Assign.
- Under Settings. >, click on
- In the Settings window, go to the SAML Metadata section.
- Click on Identity Provider (IdP) metadata. This action opens a new window in your browser with XML data. Copy the "entityID" and "Location" URL into a notepad.
- entityID: https://<ws1access_server>/SAAS/API/1.0/GET/metadata/idp.xml
- Location: https://<ws1access_server>/SAAS/auth/federation/sso
where <ws1access-server> is the Workspace ONE Access server in your environment.
- Go back to the Setting window and then copy the contents of Signing Certificate to the notepad.
- Assign User Groups to the VMware CWS web application.
VMware Cloud Orchestrator Configuration
- Log onto the New Orchestrator UI.
- Go to Identity Provider Settings page appears. . The
- Toggle Single Sign On to Enabled.
- Configure the following:
- For SAML Server Internet Accessible select Yes
- For SAML Provider select Workspace ONE Access
- For SAML 2.0 Endpoint, copy the Location URL from the notepad. For example, Location: https://<ws1access_server>/SAAS/auth/federation/sso
- For Service Identifier (Issuer), copy the entityID URL from the notepad. For example, entityID: https://<ws1access_server>/SAAS/API/1.0/GET/metadata/idp.xml
- X.509 Certificate, click on Add Certificate and copy the certificate from the notepad and paste here.
- Click Save Changes
- Add an SSL Bypass rule for the Workspace ONE Access domain.
- Navigate to .
- Select an existing policy to add SSL Bypass rule and click the Edit button.
- Click the SSL Inspection tab and click + Add Rule. The Create SSL Exception screen appears.
- In the Create SSL Exception screen, configure the following and click Next:
- For Skip SSL Inspection based on, select Destination.
- For Destination Type, select Destination Host/Domain.
- For Domain, enter vidmpreview.com.
- In the Name and Tags screen, enter a unique name for the rule and add a reason, if needed.
- Click Finish, and then Publish the applicable Security Policy to apply this new rule.
Important: The domain vidmpreview.com is part of the Workspace ONE pair of domains as found in the document: Domains and CIDRs Where an SSL Inspection Bypass Rule Is Recommended. If you have already configured an SSL Bypass rule which includes both Workspace ONE domains, you can skip this step. If you attempt to configure the above rule while also already having the Workspace ONE domain set included in an existing SSL Bypass rule, the new rule will throw an error as only one SSL Bypass domain instance is permitted or needed per Enterprise customer.For more information on domains that should have SSL Bypass rules configured, consult Domains and CIDRs Where an SSL Inspection Bypass Rule Is Recommended.
Verifying Your Configuration
Verifying your configuration may be done using one or more group-based web policy rules on
Cloud Web Security. For example, using URL Filtering and blocking Twitter.com.
Add the Groups to be considered for the URL Filter rule.
Note: The groups have to be specified manually. There is no 'search' capability to select which groups. Add the group name as they are setup in Workspace ONE Access.
Check the Web Logs under