In this step, you set up federation with your SAML-based corporate identity provider and configure the IdP settings on the Workspace ONE Access tenant created for your enterprise to use JIT-based user and group provisioning.
You can use any SAML 2.0 compliant third-party IdP to set up enterprise federation with VMware Cloud services. Easy setup is available as part of the self-service federation workflow for the following providers:
- Okta
- PingIdentity
- Microsoft Active Directory Federation Services (ADFS)
- OneLogin
- Azure Active Directory
Note: If you want to configure Azure Active Directory for enterprise federation with VMware Cloud Services, you must have selected sAMAccountName for the additional group claim. It is required to fetch group details after federation setup is activated.
Depending on the IdP you select, there might be additional options to set, such as Provisioning Type.
- If you want to integrate your IdP for automatic user and group pre-provisioning, select SCIM-based.
Note: This option is currently available for Azure Active Directory. To configure SCIM-based provisioning for your enterprise federation setup, you must also configure your third-party IdP using the settings from the Set up identity provider for SCIM provisioning step of the workflow.
- If you want to integrate your IdP for dynamic user and group provisioning, select JIT-based.
To configure a different SAML 2.0 compliant third-party IdP that is not part of this list, select Other.
For this example, ACME enterprise is using Okta with JIT-based provisioning. As the Enterprise Administrator setting up federation for ACME, you configure Okta.
Note: If your identity provider supports sending group information in the SAML response, you can include group attributes in your federation setup.
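To make concrete what JIT-based provisioning actually consumes from the SAML response (the User@Domain identifier in the NameID and, optionally, a group attribute), the following added Python example parses a constructed SAML assertion and reports whether it carries what JIT provisioning and group-based assignment need. It is example code written for this page, not part of VMware's or any IdP's product. The attribute name "groups", the domain "acme.example", the group names and the whole sample response are assumptions constructed for the example; your IdP's attribute name is whatever you configure in the federation setup. The parser deliberately does nothing about signature validation: in a real service provider the assertion's XML signature must be verified before any claim in it is trusted.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (not captured from a real IdP). The Signature
# element is omitted; a real SP verifies it before reading anything below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@acme.example</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>vmc-admins</saml:AttributeValue>
        <saml:AttributeValue>vmc-readers</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Assumed set of domains verified in Step 1 of the federation workflow.
VERIFIED_DOMAINS = {"acme.example"}


def parse_jit_claims(response_xml: str, group_attribute: str = "groups") -> dict:
    """Extract the NameID, its domain part and all attributes from an assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAML response carries no Assertion")
    name_id = (assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes[attr.get("Name", "")] = values
    # User@Domain identification: the domain is what ties the user to a verified domain.
    domain = name_id.rpartition("@")[2].lower() if "@" in name_id else ""
    return {
        "name_id": name_id,
        "domain": domain,
        "groups": attributes.get(group_attribute, []),
        "attributes": attributes,
    }


def check_jit_readiness(claims: dict, verified_domains: set) -> list:
    """Return a list of problems that would break JIT provisioning for this assertion."""
    problems = []
    if "@" not in claims["name_id"]:
        problems.append("NameID is not in User@Domain form")
    elif claims["domain"] not in {d.lower() for d in verified_domains}:
        problems.append(f"domain {claims['domain']!r} was not verified in Step 1")
    if not claims["groups"]:
        problems.append("no group attribute in the assertion; group-based assignment will not work")
    return problems


if __name__ == "__main__":
    claims = parse_jit_claims(SAMPLE_RESPONSE)
    print("user:", claims["name_id"], "groups:", claims["groups"])
    print("problems:", check_jit_readiness(claims, VERIFIED_DOMAINS) or "none")
```

Running the script against the sample reports no problems; change the domain in VERIFIED_DOMAINS or rename the "groups" attribute to see the two checks that matter most before you activate federation, since the Restriction under Prerequisites means an unverified domain cannot be added afterwards without a support ticket.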
Prerequisites
Restriction: Once the identity provider is configured with the User@Domain identification preference, you won't be able to go back to Step 1: Verify Domains and add more domains during the setup. You must add all domains that you want to federate before you start this step of the self-service federation flow. If you want to add another domain after this step is completed, you must file a support ticket.
Procedure
Results
In this step, you added your identity provider to the Workspace ONE Access tenant configuration, configured the Workspace ONE Access tenant as a service provider on your IdP, selected the value to be used for identifying the user in the SAML response, and specified the authentication method to be used to authenticate the user on the identity provider.
What to do next
Validate the login to your IdP and activate federation.