In a successful configuration, users who visit the web portal of an AD FS-federated application can select their authentication method. You can automate this selection by configuring AD FS to authenticate desktop users and route mobile users to VMware Workspace ONE Access for authentication.

Use the following procedure to implement Mobile Device Trust (see Main Use Cases). With this use case, you gain the unique mobile device management features provided by VMware Workspace ONE Access with Workspace ONE UEM. Desktop users can continue to use the existing AD FS authentication workflow to which they are accustomed.

This use case applies to users who log in directly to an AD FS-federated application through the application portal (for example, portal.office.com for Office 365). When a user starts an SP-initiated flow in this way, AD FS routes the authentication request to the appropriate identity provider based on the user's device type.

  • If the user logs in from a desktop computer, AD FS handles the authentication request as the identity provider. The login experience remains unchanged for desktop users, as they sign in to the application using their familiar AD FS credentials.
  • If the user logs in from a mobile device, AD FS forwards the authentication request to VMware Workspace ONE Access as the trusted identity provider (or claims provider). VMware Workspace ONE Access validates the user's credentials, and Workspace ONE UEM manages the user's access to the application based on the device posture policies in effect.

For more information about SP-initiated authentication flows, see IdP-initiated and SP-Initiated Authentication Flows.

Prerequisites

Perform the procedures described in Integrating AD FS-federated Applications With Workspace ONE.

Procedure

  1. Log in to the AD FS server with full administrator privileges.
  2. Run PowerShell as an administrator.
  3. Create a working folder by entering the following cmdlet.
    mkdir c:\myscripts
  4. Export the default AD FS web theme.
    Export-AdfsWebTheme -Name "Default" -DirectoryPath c:\myscripts

    The Export cmdlet creates an onload.js file in the c:\myscripts\script folder. To specify the authentication option based on the type of user device, you modify this JavaScript file.
  5. Open C:\myscripts\script\onload.js in a text editor such as Notepad++, and add the following JavaScript code to the beginning of the file.
    Replace the placeholder values in the code as follows.

    {VIDMtenant}
      • Replacement value for AD FS 4.0: fully qualified domain name (FQDN) of the VMware Workspace ONE Access service
      • Replacement value for AD FS 3.0: FQDN of the VMware Workspace ONE Access service
    {AD FS claims provider}
      • Replacement value for AD FS 4.0: 'AD Authority'
      • Replacement value for AD FS 3.0: 'http://{ADFSdomain}/adfs/services/trust' (where {ADFSdomain} is the FQDN of the AD FS server)

    var myCheckHRD = document.getElementById('hrdArea');
    if (myCheckHRD) {

       // Redirect mobile users to VMware Workspace ONE Access (formerly VMware
       // Identity Manager) for authentication. Note that 'Mac' also matches
       // browsers on macOS desktops, so those users take this path as well.
       if (navigator.userAgent.match(/Mac|iPad|iPhone|Android/i) != null) {
          HRD.selection('https://{VIDMtenant}/SAAS/API/1.0/GET/metadata/idp.xml');
       }

       // Authenticate non-mobile users with the local AD FS claims provider.
       else {
          HRD.selection({AD FS claims provider});
       }
    }

    // Hide the authentication source selector from the user. The element only
    // exists when more than one claims provider is configured, so check for it
    // before changing its style; otherwise the script throws and the page breaks.
    var hrdui = document.getElementById("bySelection");
    if (hrdui) {
       hrdui.style.display = "none";
    }
    
    This code designates the VMware Workspace ONE Access service as the authentication option for users logging in from a mobile device. It designates AD FS as the authentication option for users logging in from all other devices. It also instructs AD FS to route authentication requests automatically without prompting the user for action.
  6. Put the updated onload.js file in the c:\myscripts\script folder, overwriting the old file.
    Next, you customize the AD FS login page by creating an AD FS web theme that references the updated onload.js file.
  7. In PowerShell, create an AD FS web theme.
    New-AdfsWebTheme -Name "VIDM" -SourceName "Default"
  8. Import the updated onload.js file.
    Set-AdfsWebTheme -TargetName VIDM -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="c:\myscripts\script\onload.js"}
  9. Activate the new web theme.
    Set-AdfsWebConfig -ActiveThemeName "VIDM"
  10. To save your changes, restart the AD FS service.
    Restart-Service adfssrv
    Note: If you want to revert to the default AD FS web theme, enter this cmdlet:
    Set-AdfsWebConfig -ActiveThemeName "Default"
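The following is an added example, not the onload.js from this page or VMware's own code. It factors the home realm discovery decision from step 5 into a pure function that covers both AD FS versions from the placeholder table and can be unit-tested outside the browser, and it guards the page update against a missing HRD area. The tenant and domain names are placeholders, and the user-agent strings are constructed samples.

```javascript
// Same pattern the page's onload.js uses. Note that "Mac" also matches desktop
// macOS browsers (their user agent contains "Macintosh"), so those users are
// routed to Workspace ONE Access too.
const MOBILE_UA = /Mac|iPad|iPhone|Android/i;

// Identifier of the local AD FS claims provider, per the page's table.
function localAdfsProvider(adfsVersion, adfsDomain) {
  if (adfsVersion === '4.0') return 'AD Authority';
  if (adfsVersion === '3.0') return 'http://' + adfsDomain + '/adfs/services/trust';
  throw new Error('unsupported AD FS version: ' + adfsVersion);
}

// Decide which claims provider HRD should select for this request.
// cfg = { vidmTenant, adfsVersion, adfsDomain }
function chooseClaimsProvider(userAgent, cfg) {
  if (MOBILE_UA.test(userAgent)) {
    return 'https://' + cfg.vidmTenant + '/SAAS/API/1.0/GET/metadata/idp.xml';
  }
  return localAdfsProvider(cfg.adfsVersion, cfg.adfsDomain);
}

// Apply the decision to the AD FS sign-in page. Returns the selected provider,
// or null when the page has no HRD area (only one claims provider configured),
// so the script never throws on pages where routing does not apply.
function applyHomeRealmRouting(doc, hrd, nav, cfg) {
  if (!doc.getElementById('hrdArea')) return null;
  const target = chooseClaimsProvider(nav.userAgent, cfg);
  hrd.selection(target);
  const selector = doc.getElementById('bySelection');
  if (selector) selector.style.display = 'none'; // hide the manual chooser
  return target;
}

// Run only inside a real AD FS sign-in page; tests call the functions directly.
if (typeof document !== 'undefined' && typeof HRD !== 'undefined') {
  applyHomeRealmRouting(document, HRD, navigator, {
    vidmTenant: '{VIDMtenant}',   // placeholder: FQDN of Workspace ONE Access
    adfsVersion: '4.0',
    adfsDomain: '{ADFSdomain}'    // placeholder: FQDN of the AD FS server
  });
}
```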