You can use PowerShell to create an AD FS Relying Party Trust between your AD FS server and VMware Workspace ONE Access.
Procedure
- On your AD FS server or the Windows server that you use to manage AWS Directory Services, open PowerShell as an administrator.
- Run the following PowerShell commands to create an AD FS Relying Party Trust.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "GET"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "PUT"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<XXX>.gc1.vmwareidentity.us");

@RuleTemplate = "LdapClaims"
@RuleName = "firstName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("firstName"), query = ";givenName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "lastName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("lastName"), query = ";sn;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "userName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("userName"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);
'@
Replace <XXX> in the spnamequalifier property with the tenant host name provided to you by VMware. The here-string is single-quoted, so PowerShell does not expand variables inside it; edit the value by hand, and make sure the closing '@ is at the start of its own line or the here-string does not terminate. The command stores the rules in the $claimRules variable, which you use in the next step.
- Run the following command in the PowerShell window to create the Relying Party Trust using the $claimRules variable.
Add-AdfsRelyingPartyTrust -Name "VIDM" -MetadataUrl "https://<XXX>.gc1.vmwareidentity.us/SAAS/API/1.0/GET/metadata/sp.xml" -IssuanceTransformRules $claimRules
Note: Where <XXX> is the tenant host name provided to you by VMware. AD FS downloads the Workspace ONE Access service provider metadata from this URL over HTTPS and takes the entity ID, SAML endpoints and request signing certificate from it, so the URL must be exactly the one VMware gave you. The Relying Party Trust now appears in the AD FS Management console.
- To verify that the claim rules were applied, run the following command.
Get-AdfsRelyingPartyTrust -Name "VIDM"
Verify that the IssuanceTransformRules value matches the rules you configured in Step 2.
- Download the AD FS Federation Metadata from your AD FS server by browsing to https://<ADFSServer>/FederationMetadata/2007-06/FederationMetadata.xml. You use this URL when you verify the authentication methods of your configuration. For more information, see Verify Authentication Methods.
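The following script is an added example, not part of the original page or of VMware's own tooling. It runs the whole procedure above end to end: it builds the same claim rules with the tenant host substituted by script instead of by hand (the four LDAP attribute rules all follow one pattern, so they are generated from a table), creates the trust, then checks what AD FS actually stored. It assumes AD FS on Windows Server 2016 or later, where access control policies exist; the "Permit everyone" policy, the trust name VIDM and the placeholder tenant host are assumptions you should adjust.

```powershell
# Added example (not from the original page). Assumptions: AD FS 2016 or later,
# trust name "VIDM" and SP metadata URL as on the page, tenant host is a placeholder.
#Requires -RunAsAdministrator
Import-Module ADFS -ErrorAction Stop

$TenantHost  = '<XXX>.gc1.vmwareidentity.us'   # replace <XXX> with the tenant name from VMware
$TrustName   = 'VIDM'
$MetadataUrl = "https://$TenantHost/SAAS/API/1.0/GET/metadata/sp.xml"

# Claim type URIs used by the rules on the page.
$WinAcct = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$Email   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$NameId  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$Props   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties'

# GET looks up mail for the Windows account; PUT turns it into the SAML NameID.
# A double-quoted here-string expands $TenantHost, so no manual <XXX> edit is needed.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "GET"
c:[Type == "$WinAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$Email"), query = ";mail;{0}", param = c.Value);

@RuleName = "PUT"
c:[Type == "$Email"]
 => issue(Type = "$NameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$Props/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["$Props/spnamequalifier"] = "$TenantHost");

"@

# The remaining four rules map one AD attribute each to a custom claim type; generate them.
$ldapClaims = [ordered]@{ firstName = 'givenName'; lastName = 'sn'; userName = 'sAMAccountName'; email = 'mail' }
foreach ($claim in $ldapClaims.GetEnumerator()) {
    $rules += @"
@RuleTemplate = "LdapClaims"
@RuleName = "$($claim.Key)"
c:[Type == "$WinAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$($claim.Key)"), query = ";$($claim.Value);{0}", param = c.Value);

"@
}

if (Get-AdfsRelyingPartyTrust -Name $TrustName) { throw "Relying party trust '$TrustName' already exists." }

# -MetadataUrl makes AD FS fetch the SP entity ID, endpoints and signing certificate over HTTPS.
# A trust with neither an access control policy nor issuance authorization rules denies every user,
# so attach a policy explicitly (assumption: scope it to a group instead of "Permit everyone" in production).
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone'

# Check what AD FS stored against what was submitted, ignoring whitespace differences.
$rp   = Get-AdfsRelyingPartyTrust -Name $TrustName
$norm = { param($s) ($s -replace '\s+', ' ').Trim() }
if ((& $norm $rp.IssuanceTransformRules) -ne (& $norm $rules)) {
    Write-Warning 'Stored IssuanceTransformRules differ from the rules that were submitted.'
}
if (-not $rp.AccessControlPolicyName -and -not $rp.IssuanceAuthorizationRules) {
    Write-Warning 'No authorization policy on the trust: AD FS will deny all sign-ins.'
}
# Endpoints and signing certificate came from the downloaded metadata; confirm they point at the tenant.
$rp.SamlEndpoints | Where-Object { $_.Location.Scheme -ne 'https' -or $_.Location.Host -ne $TenantHost } |
    ForEach-Object { Write-Warning "Unexpected SAML endpoint: $($_.Location)" }
if ($rp.RequestSigningCertificate.Count -eq 0) { Write-Warning 'SP metadata carried no request signing certificate.' }

# The AD FS federation metadata URL that the last step of the procedure asks for.
$fedMetadataUrl = "https://$((Get-AdfsProperties).HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
Write-Output "AD FS federation metadata: $fedMetadataUrl"
```

The whitespace-insensitive comparison is deliberate: AD FS may normalise line breaks when it stores the rule set, and a byte-for-byte comparison would produce false alarms. The endpoint check matters because everything under SamlEndpoints was taken from a document fetched from the network; if the host does not match the tenant you intended, assertions for your users would be posted somewhere else.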