To complete the configuration of the AD FS identity provider instance, incorporate the AD FS authentication methods into your access policies.

The following procedure describes an example of incorporating AD FS authentication methods into a policy rule for Windows 10 devices. You can use this example as a guideline when configuring your own access policies.

For more information about configuring access policies and policy rules, see the Managing Workspace ONE Access User Authentication Methods guide.


  1. Log in to the VMware Workspace ONE Access console with full administrator privileges.
  2. Select the Identity & Access Management tab. Click Manage, and then click Policies.
  3. Select the access policy that you want to modify and click Edit.
    The Edit Policy wizard appears.
  4. Click Next.

  5. On the Configuration page, click Add Policy Rule and create a rule for Windows 10 devices.
    1. Specify Kerberos-based authentication as the first authentication method and Forms-based authentication as the fallback method, according to the following example. Leave the and user belongs to group(s): option blank to apply the rule to all users.
      If a user's network range is: ALL RANGES
      and user accessing content from: Windows 10
      and user belongs to group(s): 
      Then perform this action: Authenticate using
      then the user may authenticate using: Kerberos-based authentication 
      If the preceding method fails or is not applicable, then: Forms-based authentication
    2. Click Save.
    The new policy rule appears as Kerberos-based authentication+1 in the rules list.
  6. In the rules list, reorder the rules such that Kerberos-based authentication+1 appears at the top of the list as the first rule to apply. To move the rule in the list, drag the handle at the left of the rule name.

  7. Click Next. Review your changes and then click Save.


You are now finished with configuring AD FS as a trusted identity provider for VMware Workspace ONE Access. Next, you must configure VMware Workspace ONE Access as a trusted relying party for AD FS.

What to do next

Perform the procedures described in Configuring VMware Workspace ONE Access as a Relying Party for AD FS.