In this step of the federation setup, you create an internal directory that stores the users and groups you sync from your Active Directory.
You can sync groups and users from a single or multiple Active Directory domains.
- Select the Single AD domain option when all users and groups you want to give federated access to VMware Cloud services are in a single AD domain. If you have multiple AD domains and there is no trust between these domains, use this option. Once federation is set up, you have the option to add a new directory for each additional AD domain.
- Select Multiple AD domains when the users and groups you want to give federated access to VMware Cloud services are spread across different AD domains, you have a multi-forest Active Directory configured, and trust is established between the domains.
After enterprise federation is activated, the groups and users that you sync in this step of the federation workflow appear on the Groups page in the Cloud Services Console. You can access the page by navigating to . You can sync additional groups and users for your enterprise after the federation setup is activated.
All federated accounts must be synced to allow users to access VMware Cloud services with their corporate accounts. Synced users are not asked to create VMware accounts upon login, unless they must view billing information or file a support ticket. Enterprise Administrators who are also Organization Owner users, or who are invited to complete the federation setup before the domain is federated, have to create a VMware account. Enterprise Administrators who are added to the special Management Organization after the domain is federated don't need to create a VMware account.
Prerequisites
- If your Active Directory requires access over SSL/TLS, you must upload the domain controller's intermediate (if used) and Root CA certificates.
- For group and user sync, you must use a service or user account that has read privilege on Active Directory and a non-expiring password as the Bind User DN/Name used to connect to Active Directory.
Caution: If your company security policy requires you to use a service account with an expiring password, and the password expires before it is renewed, groups and users are not synced. If sync is interrupted, you must reestablish the connection between your Active Directory and the Workspace ONE Access connector.
Procedure
- In the Sync groups and users section of the Set up Enterprise Federation page, click Start.
The Add a directory section displays.
- In the Directory Name text box, enter a name for the internal directory you are about to create.
You can provide any name for your enterprise directory; it does not need to match the name you use internally.
- For the purposes of this example, keep the default Single AD domain and No menu items selected.
- Click Next.
The Provide bind user credentials section of the workflow expands.
- Provide the bind user administrator credentials of the service account that will be used to sync groups and users from the enterprise Active Directory.
Here is an example of how you define the bind user distinguished name (DN). Let's say the bind user for your enterprise directory service is admin@acme.com. See how the syntax of the user name is defined in the federation setup:
- In the Bind User DN text box, enter "CN=admin,DC=acme,DC=com".
The Base DN text box is automatically populated to display "DC=acme,DC=com".
- In the Bind User Password text box, enter the password for the bind user administrator.
Note: The bind user DN and bind DN credentials that you enter must follow the syntax presented in the examples.
- Click Next.
The Sync groups section of the workflow expands.
- Enter the Group Distinguished Name (DN) for the groups you want to sync.
Use syntax similar to what you entered in step 5 of this task to define specific user groups from your enterprise directory, such as
CN=Users,DC=acme,DC=com.
Note: The minimum attributes to sync groups and users are first name, last name, email, user name, and domain. If your enterprise uses User Principal Name (UPN) to authenticate users, this attribute must have a value for the sync as well. User passwords are never synced. Only the User and Group DNs configured in this step are synced, not your entire AD.
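The DN syntax shown for the bind user and the groups, and the minimum-attribute rule in the note above, are the two things that most often make a first sync fail. The following is an added example, not code from VMware or from the Workspace ONE Access connector: it derives the Base DN from a Bind User DN the way the setup page does (keeping only the DC= components), checks that a Group or User DN falls under that base, and reports which sample user records (constructed here for the acme.com example) lack a required attribute and would therefore fail sync. The attribute key names and the sample records are assumptions for illustration.

```python
"""Pre-sync sanity checks for the directory settings described on this page.

Added example, not VMware's or Workspace ONE Access code. The attribute key
names (first_name, last_name, ...) and the sample records are constructed.
"""

# Minimum attributes the page lists for a successful sync; UPN is added when used.
REQUIRED_ATTRS = ("first_name", "last_name", "email", "user_name", "domain")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN such as 'CN=admin,DC=acme,DC=com' into (type, value) pairs.

    Backslash-escaped commas inside a value are preserved; an RDN without
    '=' or with an empty type/value is rejected so typos surface early.
    """
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape and the escaped char
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":                           # unescaped comma ends the RDN
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)

    pairs = []
    for rdn in parts:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        typ, val = rdn.split("=", 1)
        typ, val = typ.strip().upper(), val.strip()
        if not typ or not val:
            raise ValueError(f"empty attribute type or value in {rdn!r}")
        pairs.append((typ, val))
    return pairs


def base_dn_from_bind_dn(bind_dn: str) -> str:
    """Keep only the domain components: CN=admin,DC=acme,DC=com -> DC=acme,DC=com."""
    dcs = [f"DC={v}" for t, v in parse_dn(bind_dn) if t == "DC"]
    if not dcs:
        raise ValueError("bind DN has no DC= components; cannot derive a Base DN")
    return ",".join(dcs)


def is_under_base(dn: str, base_dn: str) -> bool:
    """True when dn ends with the same RDN sequence as base_dn (case-insensitive)."""
    d = [(t, v.lower()) for t, v in parse_dn(dn)]
    b = [(t, v.lower()) for t, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[-len(b):] == b


def missing_sync_attributes(user: dict, upn_used: bool = False) -> list[str]:
    """Names of required attributes that are absent or blank for one user record."""
    required = REQUIRED_ATTRS + (("upn",) if upn_used else ())
    return [a for a in required if not str(user.get(a, "")).strip()]


def users_that_would_fail(users: list[dict], upn_used: bool = False) -> dict[str, list[str]]:
    """Map each incomplete user (by user_name, else DN) to its missing attributes.

    An empty dict means every record carries the minimum attributes.
    """
    report = {}
    for u in users:
        missing = missing_sync_attributes(u, upn_used)
        if missing:
            report[u.get("user_name") or u.get("dn", "?")] = missing
    return report


# Constructed sample records for the acme.com example used on this page.
SAMPLE_USERS = [
    {"dn": "CN=admin,CN=Users,DC=acme,DC=com", "first_name": "Ada", "last_name": "Admin",
     "email": "admin@acme.com", "user_name": "admin", "domain": "acme.com",
     "upn": "admin@acme.com"},
    {"dn": "CN=jdoe,CN=Users,DC=acme,DC=com", "first_name": "John", "last_name": "",
     "email": "jdoe@acme.com", "user_name": "jdoe", "domain": "acme.com", "upn": ""},
]

if __name__ == "__main__":
    base = base_dn_from_bind_dn("CN=admin,DC=acme,DC=com")
    print("Base DN:", base)
    print("Group DN in scope:", is_under_base("CN=Users,DC=acme,DC=com", base))
    print("Users that would fail sync:", users_that_would_fail(SAMPLE_USERS, upn_used=True))
```

Run it before clicking Sync with the DNs you intend to enter and an export of the user attributes from your own directory: any name it reports is a user who will not be synced and, per the note further down, will fail authentication once federation is activated.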
- Click the Select Groups link.
A pop-up window appears and displays all available group results for the Group DN criteria you entered. If your search results in more than 1000 groups, you can return to step 7 and refine your search criteria.
- Select the groups that you want to sync for the federation setup, then click Save.
The federation workflow page is refreshed and displays the number of groups added for sync in this step. You can add more groups by clicking Add.
- Click Next.
- In the Sync users section that expands, enter the User DNs that you want to sync.
Use syntax similar to what you entered in step 7 of this task to define specific users from your enterprise directory, such as
CN=admin,CN=users,DC=acme,DC=com.
All groups and users that you added are now displayed in the Review groups and users section.
To test the federation setup and validate user login with your enterprise Identity Provider, make sure to add and successfully sync the groups and users who are going to test the federation setup, including yourself.
Note: Users who are not synced will fail user authentication after the enterprise federation is activated.
- Click Sync.
The Sync in progress status displays and remains until you click Check Sync Status.
- To see the updated status of the sync, you must click Check Sync Status.
Note: Synchronization fails if the minimum required attributes, such as first name, last name, email, user name, domain, and UPN (if used), are missing.
When syncing is successful, the status changes to green.
Note: If you get an exception error for bind user DN, you can ignore it. For all other errors, you must troubleshoot your setup.
- Click Continue.
What to do next
You are now ready to configure your corporate IdP for the enterprise federation with VMware Cloud services.