You can use PowerShell to create an AD FS Relying Party Trust between your AD FS server and VMware Workspace ONE Access.

Procedure

  1. On your AD FS server or the Windows server that you use to manage AWS Directory Services, open PowerShell as an administrator.
  2. Run the following PowerShell commands to create an AD FS Relying Party Trust.
    $claimRules = @'
    
    @RuleTemplate = "LdapClaims"
    @RuleName = "GET"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
    
    @RuleName = "PUT"
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer,OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<XXX>.gc1.vmwareidentity.us");
    
    @RuleTemplate = "LdapClaims"
    @RuleName = "firstName"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("firstName"), query = ";givenName;{0}", param = c.Value);
    
    @RuleTemplate = "LdapClaims"
    @RuleName = "lastName"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("lastName"), query = ";sn;{0}", param = c.Value);
    
    @RuleTemplate = "LdapClaims"
    @RuleName = "userName"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("userName"), query = ";sAMAccountName;{0}", param = c.Value);
    
    @RuleTemplate = "LdapClaims"
    @RuleName = "email"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);
    '@
    

    Replace <XXX> with the tenant URL information provided to you by VMware. The command stores the rule set in a $claimRules variable that you use in the next step. The first two rules (GET and PUT) look up the user's mail attribute and re-issue it as the SAML NameID in emailAddress format, qualified with your tenant host; the remaining four issue the firstName, lastName, userName, and email claims from the givenName, sn, sAMAccountName, and mail attributes.

  3. Run the following command in the PowerShell window to create the Relying Party Trust using the $claimRules variable.
    Add-ADFSRelyingPartyTrust -Name "VIDM" -MetadataURL "https://<XXX>.gc1.vmwareidentity.us/SAAS/API/1.0/GET/metadata/sp.xml" -IssuanceTransformRules $claimRules
    Note: Replace <XXX> with the specific tenant URL information provided to you by VMware. AD FS retrieves the Workspace ONE Access service provider metadata (entity ID, endpoints, and certificates) from this HTTPS URL, so the host must be exactly the one VMware gave you. The new Relying Party Trust now appears in the AD FS Management console.
  4. To verify that the claim rules were applied, run Get-AdfsRelyingPartyTrust -Name "VIDM"
    and confirm that the IssuanceTransformRules in the output match what you configured in Step 2.
  5. Download the AD FS federation metadata from your AD FS server by browsing to https://<ADFSServer>/FederationMetadata/2007-06/FederationMetadata.xml, where <ADFSServer> is the fully qualified host name of your federation service. You use this URL, or the downloaded file, when you configure and verify the AD FS authentication method in Workspace ONE Access. For more information, see Verify Authentication Methods.
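The following script is an added example, not part of the VMware procedure above: it runs steps 3 to 5 as one idempotent script and adds the checks a practitioner wants before pointing Workspace ONE Access at this AD FS. The trust name VIDM, the tenant host placeholder, and the $claimRules here-string come from the steps above; the normalization helper, the permit-all authorization rule, and the warning logic are assumptions of this example and are not taken from the page.

```powershell
# Added example (not VMware's code): create or update the "VIDM" trust, then
# verify what AD FS actually stored. Run in an elevated PowerShell session on
# the AD FS server after step 2, so that $claimRules is already defined.
$tenantHost = "<XXX>.gc1.vmwareidentity.us"   # placeholder: replace with the host VMware gave you
$rpName     = "VIDM"
$spMetadata = "https://$tenantHost/SAAS/API/1.0/GET/metadata/sp.xml"

if (-not $claimRules) { throw 'Run step 2 first so that $claimRules is defined.' }

# Create the trust on the first run; on later runs only push the rule set again.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName -ErrorAction SilentlyContinue
if (-not $rp) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $spMetadata `
        -IssuanceTransformRules $claimRules
} else {
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $claimRules
}
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$problems = @()

# AD FS re-serialises the rule text it stores, so compare ignoring whitespace.
function Get-NormalizedRules([string]$Rules) { ($Rules -replace '\s+', ' ').Trim() }
if ((Get-NormalizedRules $rp.IssuanceTransformRules) -ne (Get-NormalizedRules $claimRules)) {
    $problems += "IssuanceTransformRules stored in AD FS differ from the `$claimRules here-string."
}

# The SP metadata is where the trust's entity ID, endpoints and certificates come
# from, so it must be fetched over HTTPS from the tenant host and nowhere else.
$metaUrl = [uri]$rp.MetadataUrl
if ($metaUrl.Scheme -ne 'https' -or $metaUrl.Host -ne $tenantHost) {
    $problems += "MetadataUrl is '$($rp.MetadataUrl)'; expected https://$tenantHost/..."
}
if (-not $rp.Identifier) {
    $problems += "No identifier was imported; the metadata fetch from $spMetadata failed."
}
if ($rp.SignatureAlgorithm -ne 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256') {
    $problems += "Token signature algorithm is $($rp.SignatureAlgorithm); RSA-SHA256 expected."
}

# Unless you passed -IssuanceAuthorizationRules or -AccessControlPolicyName, a
# trust created from PowerShell has neither, and AD FS denies every sign-in to
# it. Set one deliberately; permit-all is shown, scope it to a group if needed.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
if (-not $rp.IssuanceAuthorizationRules -and -not $rp.AccessControlPolicyName) {
    $problems += "No authorization rules or access control policy on '$rpName'. " +
        "For example: Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules `$permitAll"
}

# Step 5: fetch the federation metadata this AD FS publishes and confirm that its
# entityID is the federation service identifier Workspace ONE Access will trust.
$props      = Get-AdfsProperties
$fedMetaUrl = "https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$fedMeta = (Invoke-WebRequest -Uri $fedMetaUrl -UseBasicParsing).Content
$entityId = $fedMeta.EntityDescriptor.entityID
if ($entityId -ne $props.Identifier.ToString()) {
    $problems += "Federation metadata entityID '$entityId' does not match service identifier '$($props.Identifier)'."
}
if (-not $fedMeta.EntityDescriptor.Signature) {
    $problems += "Federation metadata at $fedMetaUrl is not signed."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "Relying Party Trust '$rpName' verified. Federation metadata URL: $fedMetaUrl" }
```

The whitespace-insensitive comparison is deliberate: AD FS reformats the rule set when it stores it, so a byte-for-byte comparison against the here-string would report a difference even when the rules are identical. The authorization check is the one most often missed when trusts are created from the command line rather than the wizard; the script only reports it so that you choose the policy rather than having a permit-all rule applied silently.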