In this step, you set up federation with your OpenID Connect (OIDC) based corporate identity provider and configure the IdP settings on the Workspace ONE Access tenant created for your enterprise to use SCIM-based user and group provisioning.

Depending on the IdP you select for your federation setup, one or more Provisioning Type options are displayed:
  • SCIM-based
    Note: This option is currently available for Azure Active Directory. To configure SCIM-based provisioning for your enterprise federation setup, you must also configure your third-party IdP using the settings from the Set up identity provider for SCIM provisioning step of the workflow.
  • JIT-based
For this example, ACME enterprise is using Azure Active Directory with SCIM-based provisioning. As the Enterprise Administrator setting up federation for ACME, you configure Azure Active Directory.
Note: Currently Azure Active Directory and AWS Cognito are the only OIDC-based identity provider options for self-service federation with VMware Cloud Services.

Prerequisites

In this step, you must set the user identification preference, that is, how users of your enterprise are going to identify themselves when accessing VMware Cloud Services from the Cloud Services discovery page. The available options are Email, User Principal Name (UPN), and User@Domain. If you consider setting User@Domain as the user identification preference for your enterprise, you must be aware of the following restriction.
Restriction: Once the identity provider is configured with User@Domain identification preference, you won't be able to go back to Step 1: Verify Domains and add more domains during the setup. You must add all domains that you want to federate before you start this step of the self-service federation flow. If you want to add another domain after this step is completed, you must file a support ticket.

Procedure

  1. In the Configure identity provider section of the Set up Enterprise Federation page, click Start.
    The Select your identity provider section displays.
  2. Select Azure Active Directory.
    The available Provisioning Type and Authentication Protocol Type options for Azure Active Directory are displayed.
  3. Select SCIM-based and OpenID Connect respectively, then click Next.
    The credentials for communication with the Workspace ONE Access tenant are automatically generated.
  4. In the Set up Identity Provider for SCIM provisioning section of the workflow, do the following:
    1. Copy the Tenant URL link.
    2. Accept the default Token Lifespan setting of 6 months and copy the Secret Token.
      Note: If you change the Token Lifespan, you must regenerate the token before you copy it.
      You will need the tenant URL link and the token to configure your Azure Active Directory IdP for secure communication with the Workspace ONE Access tenant.
    3. Click Next.
    4. In the Set up Open ID Connect provider with Redirect URI section of the workflow, copy the Reply URL.
    5. Click Next to open the User Attributes section of the workflow.
  5. Open your Azure Active Directory admin console.
    1. Navigate to Provisioning > User Credentials > Admin Credentials.
    2. Paste the tenant URL link you copied in the Tenant URL field.
    3. Paste the token you copied in the Secret Token field.
    4. Click Test Connection and then save the settings in your IdP admin console.
    5. Navigate to App registrations > All applications.
    6. Click the Application (client) ID name, then click the Redirect URI link and supply the Reply URL you copied in the previous step.
      When you paste the Reply URL, an automatic check will validate the link you provided.
    7. Save the configuration.
  6. Go back to the self-service federation workflow.
  7. In the User Attributes section of the workflow, accept the default values for Required Attributes and click Next.
    The User attributes section expands to display a list of mappings between required VMware Cloud Services user attributes and SCIM user attributes.
  8. (Optional) Modify the SCIM to VMware Cloud Services user attribute mappings.
    If the default attribute mappings are not suitable for your customized IdP configuration, you can select new values for SCIM Attribute or create additional attribute mappings. Otherwise, changing the mappings is not recommended.
  9. Click Next to continue to the Configure your identity provider step of the workflow and supply the following values from your Azure Active Directory admin console:
    • Configuration URL. When you paste the Configuration URL, an automatic check will validate the link you provided.
    • Client ID.
    • Client Secret.
  10. Accept the default User Lookup Attribute settings.
  11. Click Next to continue to the Set user identification preference section.
  12. Select how users of your enterprise are going to identify themselves when accessing VMware Cloud Services from the Cloud Services discovery page.
    User identification is different from how the user authenticates against your enterprise identity provider.
    Important: If you select Username@Domain as an identification preference option, the Domain attribute must be present in the OIDC response when users log in to VMware Cloud Services.
  13. Click Configure.
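
The procedure relies on three values being exactly right: the Reply URL registered on the IdP app (step 5.6), the OIDC Configuration URL (step 9), and, for the User@Domain preference, a Domain attribute in the OIDC response (step 12). The following script is an added example, not part of the VMware documentation or the product, that checks all three offline before you click Configure. The URLs, tenant identifiers and ID token claims in it are constructed placeholders; the claim names mapped to each identification preference (email, upn, preferred_username, domain) are assumptions for illustration, since the page only states that a Domain attribute is required.

```python
"""Offline sanity checks for values supplied in the procedure above.

Added example, not part of the VMware documentation or product. It checks
three things an administrator can verify before clicking Configure:
  * the Reply URL is registered on the IdP app exactly as copied (step 5.6),
  * the OIDC Configuration URL points at a well-formed discovery document (step 9),
  * the ID token the IdP issues carries the claim the chosen user
    identification preference needs (step 12).
All URLs, tenant ids and claim values below are constructed placeholders.
"""
import json
from urllib.parse import urlparse

# Keys every OpenID Connect discovery document must provide (OIDC Discovery 1.0).
REQUIRED_DISCOVERY_KEYS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Claim(s) the ID token must carry for each identification preference on the
# page. The page only says a Domain attribute is required for User@Domain;
# the claim names used here are assumptions for illustration.
PREFERENCE_CLAIMS = {
    "Email": ("email",),
    "UPN": ("upn",),
    "User@Domain": ("preferred_username", "domain"),
}


def configuration_url_for(issuer):
    """Derive the Configuration URL: the issuer's well-known discovery endpoint."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery_document(doc):
    """Return a list of problems found in a discovery document (empty means OK)."""
    problems = [f"missing required key: {k}" for k in REQUIRED_DISCOVERY_KEYS if k not in doc]
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https":
        problems.append("issuer must use https")
    if issuer.query or issuer.fragment:
        problems.append("issuer must not carry a query string or fragment")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and not doc[key].startswith("https://"):
            problems.append(f"{key} must use https")
    return problems


def reply_url_registered(reply_url, registered_redirect_uris):
    """True only if the Reply URL appears in the app registration byte-for-byte.

    OIDC providers match redirect URIs exactly, so a trailing slash or a
    different case in the path means the login will be rejected.
    """
    return reply_url.startswith("https://") and reply_url in registered_redirect_uris


def missing_claims(preference, id_token_claims):
    """Return the claims the chosen preference needs but the ID token does not carry."""
    return [c for c in PREFERENCE_CLAIMS[preference] if not id_token_claims.get(c)]


# --- constructed sample input (placeholders, not real tenant data) ---
SAMPLE_ISSUER = "https://login.example.com/tenant-id-placeholder/v2.0"
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://login.example.com/tenant-id-placeholder/v2.0",
  "authorization_endpoint": "https://login.example.com/tenant-id-placeholder/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.example.com/tenant-id-placeholder/oauth2/v2.0/token",
  "jwks_uri": "https://login.example.com/tenant-id-placeholder/discovery/v2.0/keys",
  "response_types_supported": ["code", "id_token"],
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")
# A broken document: plain http issuer and no jwks_uri, so token signatures cannot be verified.
BAD_DISCOVERY = {k: v for k, v in SAMPLE_DISCOVERY.items() if k != "jwks_uri"}
BAD_DISCOVERY["issuer"] = "http://login.example.com/tenant-id-placeholder/v2.0"

SAMPLE_REPLY_URL = "https://access.example.com/oidc/callback"
SAMPLE_ID_TOKEN_CLAIMS = {
    "sub": "placeholder-subject",
    "email": "alice@example.com",
    "upn": "alice@example.com",
    "preferred_username": "alice@example.com",
    # no "domain" claim: the User@Domain preference would fail the page's Important note
}


def run_checks(preference="User@Domain"):
    """Run all three checks on the sample input and return the results as a dict."""
    return {
        "configuration_url": configuration_url_for(SAMPLE_ISSUER),
        "discovery_problems": check_discovery_document(SAMPLE_DISCOVERY),
        "reply_url_ok": reply_url_registered(SAMPLE_REPLY_URL, [SAMPLE_REPLY_URL]),
        "missing_claims": missing_claims(preference, SAMPLE_ID_TOKEN_CLAIMS),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

Run it as-is to see the sample results; to check a real tenant, fetch the Configuration URL with your own HTTP client, decode the claims of a test login's ID token, and feed both into check_discovery_document and missing_claims. An empty problem list and an empty missing-claims list mean the values are consistent with the preference you are about to select; a non-empty missing-claims list for User@Domain is exactly the condition the Important note in step 12 warns about.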

Results

In this step, you added your identity provider to the Workspace ONE Access tenant configuration, configured the Workspace ONE Access tenant as a service provider on your IdP, selected the value to be used for identifying the user in the OIDC response, and specified the authentication method to be used to authenticate the user on the identity provider.

What to do next

Validate the login to your IdP and activate federation.