To configure the AD FS integration, you must add AD FS as an identity provider instance in VMware Workspace ONE Access.


  • Download the federation metadata file for the AD FS server by navigating to the URL: https://ADFSdomain/FederationMetadata/2007-06/FederationMetadata.xml where ADFSdomain is replaced with the fully qualified domain name for your AD FS server.
  • In the VMware Workspace ONE Access console, configure the access policies that you want to use for the AD FS identity provider instance. For information about configuring access policies, see the Managing Workspace ONE Access User Authentication Methods guide.


  1. Log in to the VMware Workspace ONE Access console with full administrator privileges.
  2. Select the Identity & Access Management tab. Click Manage, and then click Identity Providers.

  3. Click Add Identity Provider and select Create Third Party IDP.
  4. Modify the configuration settings.
    Setting: Description
    Identity Provider Name: Enter a short descriptive name for the AD FS identity provider instance.
    SAML Metadata:
      1. To establish trust with AD FS, add the federation metadata here. In the text box, copy and paste the contents of the AD FS federation metadata file that you obtained previously.
      2. Click Process IdP Metadata. The Name ID format mappings are automatically imported from the AD FS metadata.
      3. (Optional) Configure additional AD FS Name ID formats and map them to user values in the VMware Workspace ONE Access service.
    Just-in-Time User Provisioning: Do not enable.
    Users: Select the VMware Workspace ONE Access directories of the users that can authenticate using AD FS.
    Network: The existing network ranges configured in the service are listed. Select the network ranges for the users, based on their IP addresses, that you want to direct to AD FS for authentication.
    Authentication Methods: To add an authentication method that you want AD FS to use, click the green plus sign and enter the name of the method. Then select the SAML authentication context class that supports the method. Configure the following authentication methods.
      • Forms-based authentication: For SAML Context, select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
      • Kerberos-based authentication: For SAML Context, select urn:federation:authentication:windows.
    Single Sign-Out Configuration: Do not enable. Single sign-out configuration is not required for the AD FS identity provider instance.
    SAML Signing Certificate: To display the VMware Workspace ONE Access service provider metadata in a browser window, click Service Provider (SP) Metadata. Copy and save the URL. You need this URL later when you configure the Federation Service Properties in AD FS.
  5. Click Add.

What to do next

Add AD FS Authentication Methods to Access Policy Rules