Starting self-service federation with VMware Cloud Services involves two consecutive steps.

Each step is carried out by a different role representing your enterprise.

You need an Organization Owner to kick off self-service federation for your enterprise domain. Completing this task results in:
  • The Management Organization with the federation dashboard for your domain is created.
  • One or more members of your enterprise are granted the Enterprise Administrator role.
  • The Enterprise Administrators receive an email invitation with a link to the federation dashboard in the Management Organization.

You need an Enterprise Administrator to start the self-service federation setup. Completing this task results in:
  • The type of self-service federation setup is selected.
  • The workflow to set up federation with your domain is activated and can be accessed from the federation dashboard in the Management Organization.
Note: The Organization Owner user who kicked off the self-service federation workflow can access the special Management Organization and the federation workflow. Organization Member users of the Management Organization with Enterprise Administrator role can access only the federation workflow.

Before you begin the self-service federation setup

There are multiple steps in the self-service federation setup workflow and several Enterprise Administrators can work on them over a period of time.

Prerequisites

As an Enterprise Administrator, you access the self-service federation workflow from the Enterprise Federation dashboard in the Management Organization created for your enterprise during kick-off. You receive the access link to the federation dashboard as part of the invitation email sent to you by the Organization Owner of the Management Organization who initiated the federation, or by another Enterprise Administrator user who invited you to participate.

Before you begin, make sure that you have read and understood the prerequisites and requirements for setting up enterprise federation.
Attention: Your enterprise must own the domains you want to federate for access with VMware Cloud services and you must verify the ownership during the first step of the self-service workflow. You cannot federate domains that belong to a service provider.
  • Setting up federation through the self-service workflow requires Enterprise Administrator access.
  • To see all the steps of the workflow correctly displayed in your browser, you must allow third-party cookies.
    Note: When you work with the federation setup workflow, make sure you do not use your browser's incognito mode.
  • Verify that you can access and modify the federated domains' DNS records for domain verification.
  • The prerequisites based on the selected self-service federation setup are the following:
    For the dynamic (connectorless) authentication setup, you need to...
    • Verify that you can access your identity provider console.
    • For SAML-based federation setup, verify you have access to the IdP metadata URL.
    For the connector-based authentication setup, you need to...
    • Verify that you can access and modify the federated domains' DNS records for domain verification.
    • Verify that your host machine runs Windows Server 2012 R2 or later and that it can reach your enterprise directory.
    • The host Windows machine must have a static IP address and a DNS-resolvable FQDN.
    • The connector must have network access to Active Directory on port 389 (LDAP) or 636 (LDAPS).
    • Verify that your corporate firewall allows outbound connections from the Workspace ONE Access connector host on port 443 (HTTPS) to the hosted tenant service.
    • If you maintain a domain allow list, add the *.workspaceoneaccess.com domains (the Workspace ONE Access production tenant URL) to your list of allowed domains.

      The host Windows server (physical or virtual machine) can be deployed on-premises, on VMware Cloud on AWS, or as an Amazon Elastic Compute Cloud (EC2) instance. The host on which the Workspace ONE Access connector is installed must be able to reach your enterprise directory over LDAP/LDAPS.

      For additional information about installing the Workspace ONE Access connector, review the Workspace ONE Access Connector 20.01 System Requirements.

    • Verify that you have a user or service account with read permissions on Active Directory, to be used as the Bind User DN/Name for syncing groups and users, and that its password does not expire. The service account must have the following attributes populated: first name, last name, display name, and email address. The email address for the service account can be a placeholder value.
      Note: If you use a service account subject to an expiring password policy and the password expires before it is renewed, groups and users cannot be synced until you re-establish the connection between Active Directory and the Workspace ONE Access connector.
    • The required attributes to sync users for access to VMware Cloud services are first name, last name, email address, user name, and domain. If your enterprise uses User Principal Name (UPN) for authentication, it must be available as a user profile attribute.
      Important: User passwords are never synced.
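The prerequisites above can be checked before you open the workflow. The following PowerShell script is an added example, not VMware's own code or tooling. Run it on the Windows host that will run the Workspace ONE Access connector; it assumes the host is domain-joined and that the federated domain, IdP metadata URL, domain controller, bind account name and tenant hostname shown as parameters are placeholders you replace with your own values. It reports which name servers are authoritative for the domain you must verify, fetches and parses the SAML IdP metadata (connectorless setup), and checks the OS version, static IP, resolvable FQDN, LDAP/LDAPS and outbound 443 reachability and the bind account's password-expiry flag and required attributes (connector-based setup).

```powershell
# Added readiness check for the self-service federation prerequisites.
# Not VMware's code. All parameter defaults are assumed placeholders.
param(
    [string]$FederatedDomain  = 'corp.example.com',                      # assumed domain to federate
    [string]$IdpMetadataUrl   = 'https://idp.example.com/saml/metadata', # assumed IdP metadata URL
    [string]$DomainController = 'dc01.corp.example.com',                 # assumed DC / LDAP server
    [string]$BindAccount      = 'svc-ws1-bind',                          # assumed bind account sAMAccountName
    [string]$TenantHost       = 'example.workspaceoneaccess.com'         # assumed tenant hostname
)

$results = [ordered]@{}

# Domain verification happens in DNS: show where the records you will need to edit live.
$nsRecords = Resolve-DnsName -Name $FederatedDomain -Type NS -ErrorAction SilentlyContinue
$results["DNS: name servers for $FederatedDomain found"] = [bool]$nsRecords
if ($nsRecords) {
    "Authoritative name servers: $(($nsRecords | Where-Object NameHost | Select-Object -ExpandProperty NameHost) -join ', ')"
}

# Connectorless (SAML) setup: the IdP metadata URL must be reachable and be a SAML 2.0 EntityDescriptor.
try {
    [xml]$md = (Invoke-WebRequest -Uri $IdpMetadataUrl -UseBasicParsing -ErrorAction Stop).Content
    $xns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $xns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $xns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $entity = $md.SelectSingleNode('/md:EntityDescriptor', $xns)
    if (-not $entity) { throw 'document is not a SAML 2.0 EntityDescriptor' }
    $sso   = $md.SelectNodes('/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService', $xns)
    $certs = $md.SelectNodes("/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $xns)
    "IdP entityID: $($entity.GetAttribute('entityID'))"
    foreach ($s in $sso) { "SSO endpoint: $($s.GetAttribute('Binding')) -> $($s.GetAttribute('Location'))" }
    foreach ($c in $certs) {
        # The signing certificate is what VMware Cloud Services will trust; warn if it is about to roll over.
        $bytes = [Convert]::FromBase64String(($c.InnerText -replace '\s', ''))
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        "IdP signing certificate: $($cert.Subject) expires $($cert.NotAfter)"
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'IdP signing certificate expires within 30 days' }
    }
    $results['IdP metadata: reachable, has SSO endpoint and signing certificate'] = ($sso.Count -gt 0 -and $certs.Count -gt 0)
} catch {
    Write-Warning "IdP metadata check failed: $_"
    $results['IdP metadata: reachable, has SSO endpoint and signing certificate'] = $false
}

# Connector-based setup: host requirements.
$os = Get-CimInstance Win32_OperatingSystem
# Windows Server 2012 R2 reports NT version 6.3; ProductType 1 is a workstation edition.
$results['Host: Windows Server 2012 R2 or later'] = ([version]$os.Version -ge [version]'6.3') -and ($os.ProductType -ne 1)

$staticIPs = Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Manual -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -notlike '127.*' }
$results['Host: static (non-DHCP) IPv4 address'] = [bool]$staticIPs

$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = if ($ipProps.DomainName) { "$($ipProps.HostName).$($ipProps.DomainName)" } else { $ipProps.HostName }
$results["Host: FQDN $fqdn resolves in DNS"] = [bool](Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue)

foreach ($port in 389, 636) {
    $t = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    $results["Network: $DomainController TCP/$port (LDAP/LDAPS)"] = $t.TcpTestSucceeded
}
$t = Test-NetConnection -ComputerName $TenantHost -Port 443 -WarningAction SilentlyContinue
$results["Network: outbound TCP/443 to $TenantHost"] = $t.TcpTestSucceeded

# Bind account: read-only lookup through ADSI of the current domain (no RSAT module needed).
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$BindAccount))"
$null = $searcher.PropertiesToLoad.AddRange([string[]]('userAccountControl', 'givenName', 'sn', 'displayName', 'mail'))
$acct = $searcher.FindOne()
if ($acct) {
    # 0x10000 is DONT_EXPIRE_PASSWORD in userAccountControl; a fine-grained password policy is not checked here.
    $uac = [int]$acct.Properties['useraccountcontrol'][0]
    $results["Bind account ${BindAccount}: password never expires"] = (($uac -band 0x10000) -ne 0)
    $missing = foreach ($a in 'givenname', 'sn', 'displayname', 'mail') {
        if (-not $acct.Properties[$a] -or $acct.Properties[$a].Count -eq 0) { $a }
    }
    $results["Bind account ${BindAccount}: givenName, sn, displayName, mail populated"] = (-not $missing)
    if ($missing) { Write-Warning "Bind account is missing attributes: $($missing -join ', ')" }
} else {
    Write-Warning "Bind account $BindAccount not found in the current domain"
    $results["Bind account ${BindAccount}: exists"] = $false
}

"`nPrerequisite check summary:"
$results.GetEnumerator() | ForEach-Object {
    $status = if ($_.Value) { 'PASS' } else { 'FAIL' }
    '{0} {1}' -f $status, $_.Key
}
```

The script only reports; it changes nothing in AD, DNS or the firewall. It cannot prove that you are able to modify the domain's DNS records, so treat the name-server line as a pointer to the zone you must have write access to, and confirm that access with whoever runs that DNS. The IdP metadata check is the same parse the SAML integration step depends on, so a failure here (wrong URL, a metadata document wrapped in EntitiesDescriptor, a missing signing KeyDescriptor) is worth resolving with your IdP team before you start the workflow.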

Kick off self-service federation for your enterprise domain

Organization Owner users of unfederated domains can kick off the federation setup from the Cloud Services Console on behalf of their enterprise.

Any Organization Owner user can kick off the self-service federation process by identifying one or more Enterprise Administrators to complete the setup.

Prerequisites

In this task, you kick off the self-service federation process for everyone in your business enterprise. Before you start, read carefully the What is enterprise federation and how does it work section and make sure that you meet the required prerequisites.

Procedure

  1. In the Cloud Services Console main menu, click Organization > Enterprise Management.
  2. Click Set Up.
  3. Identify one Enterprise Administrator who will be invited to complete the federation setup for your enterprise.
  4. Accept the Terms of Service and click Submit.
  5. To invite another Enterprise Administrator, click the Send Another Invitation link.
    Note: You can add more Enterprise Administrators after the kick off.
  6. Click Launch Management Organization.

Results

  • A special Management Organization for your enterprise domain is created. The enterprise federation setup can be accessed from the Enterprise Federation menu in the Management Organization.
  • The Enterprise Administrator you identified receives an email with a link. When they click the link and sign in to VMware Cloud Services, they gain access to the special Management Organization and the enterprise federation setup.

What to do next

The Enterprise Administrator must initiate the self-service federation setup in the special Management Organization.

Start the self-service federation setup

To start the self-service federation setup, you must first receive an email invitation with a link to the Enterprise Federation dashboard.

The Organization Owner who sent you the invitation has identified you as an Enterprise Administrator and granted you the permissions to initiate and configure the federation setup for your enterprise domain.

In this task, you initiate the self-service federation workflow by selecting the type of federation setup that is most suitable for your enterprise.

Prerequisites

To access the special Management Organization and start the setup process, you must have a VMware Cloud Services account with Enterprise Administrator permissions.

Procedure

  1. Click the link in the email invitation you received.
  2. If you don't have a VMware Cloud Services account, you will be prompted to create one.
  3. Log in to Cloud Services Console.
    If you used the invitation link to log in, the Set up Enterprise Federation page is the first page you will see.

    The Set up Enterprise Federation page displaying the Get Started button.

  4. If you don't see the Set up Enterprise Federation page, open Organization > Enterprise Federation from the main menu.
  5. Click Get Started.
    The first screen of the self-service federation setup prompts you to commence the workflow by selecting the type of integration for your enterprise identity provider (IdP).
  6. Select the type of integration you will use to configure your enterprise IdP for federation with VMware Cloud Services.
    Option: Dynamic user and group provisioning (connectorless)
    Workflow: This option leads you through a three-step workflow that involves configuring your third-party SAML 2.0 or OIDC IdP with VMware Cloud Services for one of the following dynamic provisioning options:
    • JIT-based user and group provisioning
    • SCIM-based provisioning

    For detailed information, refer to Overview of the steps for dynamic federation setup.

    Option: Connector-based pre-provisioning
    Workflow: This option leads you through a five-step workflow that involves:
    • Installing and configuring an on-premises instance of the Workspace ONE Access connector.
    • Creating an internal directory to store the users and groups you will sync from your Active Directory.
    • (Optional) Configuring a third-party SAML 2.0 IdP.

    For detailed information, refer to Overview of the steps for connector-based federation setup.

    Note: The integration option you select in this step cannot be reverted. To switch the option to a different one, you must file a support ticket.
  7. Click Continue.
  8. Review the prerequisites for the selected option, then click Continue.

Results

You now have access to the first step of the self-service federation workflow.

The first step of the Enterprise Federation setup workflow.

What to do next

You can now begin to set up your corporate domains for enterprise federation with VMware Cloud Services.