In this step, you set up federation with your SAML-based corporate identity provider and configure the IdP settings on the Workspace ONE Access tenant created for your enterprise to use JIT-based user and group provisioning.

You can use any SAML 2.0 compliant third-party IdP to set up enterprise federation with VMware Cloud services. Easy setup is available as part of the self-service federation workflow for the following providers: Okta, PingIdentity, Microsoft Active Directory Federation Services (ADFS), OneLogin, and Azure Active Directory.
Note: If you want to configure Azure Active Directory for enterprise federation with VMware Cloud Services, you must have selected the sAMAccountName for the additional group claim. It is required to fetch group details after federation setup is activated.
Depending on the IdP you select, there might be additional options to set, such as Provisioning Type.
  • If you want to integrate your IdP for automatic user and group pre-provisioning, select SCIM-based.
    Note: This option is currently available for Azure Active Directory. To configure SCIM-based provisioning for your enterprise federation setup, you must also configure your third-party IdP using the settings from the Set up identity provider for SCIM provisioning step of the workflow.
  • If you want to integrate your IdP for dynamic user and group provisioning, select JIT-based.

To configure a different SAML 2.0 compliant third-party IdP that is not part of this list, select Other.

For this example, ACME enterprise is using Okta with JIT-based provisioning. As the Enterprise Administrator setting up federation for ACME, you configure Okta.
Note: If your identity provider supports sending group information in the SAML response, you can include group attributes in your federation setup.

Prerequisites

In this step, you must set the user identification preference, that is, how users of your enterprise are going to identify themselves when accessing VMware Cloud Services from the Cloud Services discovery page. The available options are Email, User Principal Name (UPN), and User@Domain. If you are considering User@Domain as the user identification preference for your enterprise, be aware of the following restriction.
Restriction: Once the identity provider is configured with User@Domain identification preference, you won't be able to go back to Step 1: Verify Domains and add more domains during the setup. You must add all domains that you want to federate before you start this step of the self-service federation flow. If you want to add another domain after this step is completed, you must file a support ticket.

Procedure

  1. In the Configure identity provider section of the Set up Enterprise Federation page, click Start.
    The Select your identity provider section displays. The SAML-based Identity Provider option is selected by default.
  2. From the list of available third-party SAML identity providers, click Okta.
    The default provisioning type and authentication protocol type settings for the Okta IdP are displayed. These are JIT-based and SAML, respectively.
  3. Click Next.
    The Set up SAML within your identity provider section expands.
  4. Click the View SAML Service Provider Metadata link and download the metadata file.
    If your identity provider supports a URL format, you can also copy the Metadata URL. You use the metadata file or the URL to configure your identity provider to establish trust with the Workspace ONE Access tenant.
  5. Copy the Single Sign-On URL and Audience URI path.
  6. Open your IdP's admin console.
    1. Paste the Single Sign-On URL and Audience URI you copied in the previous step.
    2. Upload the metadata file you downloaded in Step 4 of this task.
    3. Copy the Name ID configured on your IdP and keep it for later reference.
    4. Download the IdP's metadata file.
  7. When ready with your IdP's configuration, go back to the self-service federation workflow, expand the Set up SAML within your identity provider section, and click Next.
    The Configure your identity provider section of the workflow expands.
  8. To configure your IdP on the Workspace ONE Access tenant, provide the following:
    1. In the IdP Display Name text box, enter a user-friendly name for your IdP.
      This name will be displayed to the users of VMware Cloud services at login and logout.
    2. In the Metadata text box, enter the IdP Metadata URL or select XML and paste the Identity Provider Metadata XML file.
      Validation of the metadata starts automatically. When validation finishes, a green check mark icon indicates that the file was read and parsed successfully. If the validation returns an error, check that the URL you entered is correct, and ensure that there are no extra spaces or characters in the IdP metadata XML file.
    3. Select the Name ID format from the drop-down menu.
      The Name ID format is the value in the SAML response to identify the authenticated user.
    4. Select the Name ID Format and Name ID Value from the drop-down menu as applicable for your identity provider.
      The Authentication Method is automatically populated.
    5. From the SAML Context drop-down menu, select the type of user authentication on the IdP.
    6. Click Next.
      The User attributes section expands to display a list of the mandatory and non-mandatory user attributes that you can look for in the SAML response from your identity provider.
  9. (Optional) To add a custom user attribute that is not in the list, click Add User Attribute and enter a value that exactly matches the attribute's name on your IdP.
  10. Click Next.
    If you indicated that your identity provider supports group attributes in the SAML response, the Group attributes section of the workflow expands, where you add a group attribute and the group names to be called for in the SAML request.
  11. (Optional) From the drop-down menu, select a group attribute and group names.
  12. In the Set user identification preference section, select how users of your enterprise are going to identify themselves when accessing VMware Cloud Services from the Cloud Services discovery page.
    User identification is different from how the user authenticates against your enterprise identity provider.
    Important: If you select Username@Domain as the identification preference, the Domain attribute must be present in the SAML response when users log in to VMware Cloud services.
  13. Click Configure.
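As an added example (not part of this VMware documentation or the Workspace ONE Access product), the following Python checks a SAML assertion for what the steps above rely on: a NameID and its format, the configured user and group attributes, and the Domain attribute that the User@Domain identification preference requires. The attribute names ("email", "groups", "domain") and the sample assertion are constructed assumptions; substitute the names configured on your IdP.

```python
# Added example, not VMware code: inspect a SAML assertion for the inputs JIT
# provisioning needs. Attribute names below are assumed for illustration only.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned; this checks content, not signature trust).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@acme.example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@acme.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>cloud-admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return the NameID, its Format, and a dict of attribute name -> list of values."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def check_federation_inputs(parsed, identification, required_attrs, group_attr=None, domain_attr="domain"):
    """List the problems a JIT login would hit for the chosen identification preference."""
    problems = []
    if not parsed["name_id"]:
        problems.append("no NameID in Subject")
    for name in required_attrs:                      # mandatory user attributes (step 8.6)
        if not parsed["attributes"].get(name):
            problems.append(f"mandatory user attribute missing: {name}")
    if group_attr and group_attr not in parsed["attributes"]:   # group attribute (step 11)
        problems.append(f"group attribute missing: {group_attr}")
    # Step 12 Important note: User@Domain needs the Domain attribute in every response.
    if identification == "User@Domain" and not parsed["attributes"].get(domain_attr):
        problems.append(f"User@Domain preference set but '{domain_attr}' attribute absent")
    return problems
```

Run it against an assertion captured from a test login (for example, one decoded from your browser's developer tools) before activating federation, so a missing Domain or group attribute shows up here rather than as a failed user login.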

Results

In this step, you added your identity provider to the Workspace ONE Access tenant configuration, configured the Workspace ONE Access tenant as a service provider on your IdP, selected the value to be used for identifying the user in the SAML response, and specified the authentication method to be used to authenticate the user on the identity provider.

What to do next

Validate the login to your IdP and activate federation.