When you add and configure new identity provider instances for your Workspace ONE Access deployment, you can provide high availability, support additional user authentication methods, and add flexibility in the way you manage the user authentication process based on user IP address ranges.
- Access to the third-party metadata document. Access can be either the URL to the metadata or the actual metadata.
- In the Workspace ONE Access console Identity & Access Management tab, select Identity Providers.
- Click Add Identity Provider.
- Edit the identity provider instance settings.
Form Item: Description
Identity Provider Name: Enter a name for this identity provider instance.
SAML Metadata:
Add the third-party identity provider XML-based metadata document to establish trust with the identity provider.
- Enter the SAML metadata URL or the XML content into the text box. Click Process IdP Metadata.
- Select how the user is identified. The identifier sent in an inbound SAML Assertion can be sent either in the Subject or in the Attribute statement.
- NameID Element. The NameID element is retrieved from the SAML Attribute statement.
- SAML Attribute.
- If you select SAML Attribute, the NameID formats supported by the identity provider are extracted from the metadata and added to the Name ID Format table.
- In the Name ID value column, select the user attribute in the service to map to the ID formats displayed. You can add custom third-party name ID formats and map them to the user attribute values in the service.
- (Optional) Select the NameID Policy response identifier string format.
Just-in-Time Provisioning: N/A
Users: Select the Other Directory which includes the users who can authenticate using this identity provider.
Network: The existing network ranges configured in the service are listed.
Select the network ranges, based on user IP addresses, that you want to direct to this identity provider instance for authentication.
Authentication Methods: Add the authentication methods supported by the third-party identity provider. Select the SAML authentication context class that supports the authentication method.
Single Sign-Out Configuration:
When users sign in to Workspace ONE from a third-party identity provider (IDP), two sessions are opened, one on the third-party identity provider, and the second on the identity manager service provider for Workspace ONE. The lifetime of those sessions is managed independently. When users sign out of Workspace ONE, the Workspace ONE session is closed, but the third-party IDP session might still be open. Based on your security requirements, you can enable single sign-out and configure single sign-out to sign out of both sessions, or you might keep the third-party IDP session intact.
Configuration Option 1
- You can enable single sign-out when you configure the third-party identity provider. If the third-party identity provider supports SAML-based single logout protocol (SLO), users are logged out of both sessions when they sign out of the Workspace ONE portal. The Redirect URL text box is not configured.
- If the third-party IDP does not support SAML-based single log out, you enable single sign-out, and in the Redirect URL text box designate an IDP single logout endpoint URL. You can also add a redirect parameter to append to the URL that sends users to a specific endpoint. Users are redirected to this URL when they sign out of the Workspace ONE portal and are signed out from the IDP as well.
Configuration Option 2
- Another single sign-out option is to log users out of their Workspace ONE portal and redirect them to a customized endpoint URL. You enable single sign-out, designate the URL in the Redirect URL text box, and the redirect parameter of the customized endpoint. When users sign out of the Workspace ONE portal, they are directed to this page, which can display a customized message. The third-party IDP session might still be open. The URL is entered as https://<vidm-access-url>/SAAS/auth/federation/slo.
If Enable Single Sign-out is not enabled, the default configuration in the Workspace ONE Access service is to direct users back to the Workspace ONE portal sign-in page when they sign out. The third-party IDP session might still be open.
SAML Signing Certificate: Click Service Provider (SP) Metadata to see the URL to the Workspace ONE Access SAML service provider metadata. Copy and save the URL. This URL is configured when you edit the SAML assertion in the third-party identity provider to map Workspace ONE Access users.
IdP Hostname: If the Hostname text box displays, enter the host name where the identity provider is redirected to for authentication. If you are using a non-standard port (other than 443), you can set the host name as Hostname:Port. For example, myco.example.com:8443.
- Click Add.
What to do next
- Edit the third-party identity provider's configuration to add the SAML Signing Certificate URL that you saved.
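A pre-flight review of the third-party metadata before it is entered in the SAML Metadata text box, given here as an added example that is not part of the product documentation. It lists the NameID formats the metadata declares, reports whether a SAML single logout endpoint is present (which decides whether the Redirect URL text box is needed), and flags non-HTTPS endpoints. The function name, sample metadata, and idp.example.com host are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata (not from any real identity provider).
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def review_idp_metadata(xml_text):
    """Summarise what an IdP metadata document declares before it is trusted."""
    # Third-party metadata is untrusted input: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity provider metadata")
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    slo = [e.get("Location", "") for e in idp.findall("md:SingleLogoutService", NS)]
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    certs = [c for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.findall(".//ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [(e.text or "").strip()
                            for e in idp.findall("md:NameIDFormat", NS)],
        "supports_saml_slo": bool(slo),  # False: a Redirect URL is needed for sign-out
        "signing_cert_count": len(certs),
        "non_https_endpoints": [u for u in sso + slo
                                if not u.lower().startswith("https://")],
    }


if __name__ == "__main__":
    for key, value in review_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

A signing certificate count of zero means there is no key to verify assertions against, so resolve that with the identity provider's administrator before establishing trust.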