Setting up enterprise federation for your corporate domain is a self-service process that involves multiple steps, users, and roles.
- Step 1: Verify domains
-
In this step, you verify the ownership of the domains that you want to federate. The verification process involves adding DNS TXT records for your domains. Before you begin, verify that you can modify the DNS records for your corporate domains.
The domains you add in this step are the top-level public domains that your enterprise employees use to access VMware Cloud services. These domains are not internal Active Directory domains. You can add users and groups from internal Active Directory domains in Step 3 of the federation setup. The internal Active Directory domains that you add for synchronization are not externally visible for access from VMware Cloud services.
Note: The verification does not happen automatically. It might take up to 72 hours after submitting the TXT records for the changes to take effect. - Step 2: Install Workspace ONE Access Connector
-
In this step, you download the Workspace ONE Access connector executable file and install it on a Windows machine with access to your enterprise directory.
Note: As your enterprise does not use a SAML 2.0 based identity provider, the authentication methods supported by the Workspace ONE Access connector will be used to authenticate users. This is configured in Step 4 of the self-service federation workflow.The Workspace ONE Access connector is an on-premises component of Workspace ONE Access (formerly known as VMware Identity Manager) that integrates with your on-premises infrastructure such as Active Directory, RADIUS, and RSA SecurID. In the federation setup, the connector is used to continuously sync the users and groups configured by the Enterprise Administrator with a hosted Workspace ONE Access tenant created for the corporate entity for the purposes of enterprise federation.
- Step 3: Sync groups and users
-
In this step, you bind to your enterprise Active Directory. If necessary, upload security certificates for SSL/TLS communication from the Workspace ONE Access connector to the Active Directory. You then search your enterprise directory for users and groups to sync them with the Workspace ONE Access tenant. Syncing additional groups and users can continue after the federation setup is completed.
- Step 4: Configure identity provider
-
In this step, you configure the Workspace ONE Access connector to act as an identity provider and activate direct user authentication against your Active Directory. You activate Kerberos authentication method for secure interactions between users' browsers and the Workspace ONE Access service.
For detailed information about Kerberos authentication, see Configuring Kerberos Authentication in Workspace ONE Access.
Caution: You cannot change the identity provider that you configure in this step, after the federation setup is activated. If you must change your identity provider later, file a support ticket. - Step 5: Complete setup
-
In this final step of the federation setup, you must perform a list of actions.
- Validate that the users from your enterprise can log in to VMware Cloud services by using your corporate IdP.
- Notify the enterprise users of the domains that you specified in Step 1 that they have to log in to VMware Cloud services by using their corporate credentials.
- Acknowledge the changes and activate the federation for your enterprise.
After you complete the federation setup, the self-service workflow is no longer available for changes. Enterprise Administrators can modify the initial setup from the Enterprise Federation dashboard.
Important: After enterprise federation is activated, users with federated domains can only access VMware Cloud services using their corporate accounts. They can no longer use their My VMware accounts to log in to VMware Cloud services. - Step 6: Link Your VMware ID Account
-
In the last step of the workflow, you link your federated account to your VMware ID account. This step is necessary to complete for the following roles:
- Enterprise Administrator and Organization Owner users who participated in the self-service federation setup.
- Organization Owner and Organization Member users who need access to billing information.
- Organization Owner and Organization Member users who want to be able to file support requests.
