By integrating AD FS with VMware Workspace ONE Access, you can implement several beneficial use cases. The use cases include: Workspace ONE Login Using AD FS, Unified Application Catalog, and Mobile Device Trust.

The following sections describe the main use cases supported by AD FS integration, including the specific configuration procedures required to implement each use case. To realize the benefits of all three use cases, perform an end-to-end setup that includes all the integration procedures described in this guide.

Use Case 1: Workspace ONE Login Using AD FS

You can configure the Workspace ONE app and portal to use AD FS as a trusted identity provider. This configuration allows end users to log in to the Workspace ONE app and portal with their familiar Active Directory credentials. This use case also applies to VMware HorizonĀ® customers who are using the Workspace ONE portal to run Horizon apps and desktops, but have not yet deployed Workspace ONE UEM to manage devices.

To implement this use case, perform the procedures described in Integrating AD FS as a Federated Identity Provider for VMware Workspace ONE Access.

Use Case 2: Unified Application Catalog

You can configure the Workspace ONE catalog to publish applications federated through AD FS. These applications appear alongside other resources configured through Workspace ONE, such as virtual Horizon and Citrix applications and desktops, and native Workspace ONE UEM applications. End users can go to a single portal to discover, run, or download their enterprise apps from any device with a consistent user experience.

To implement this use case, perform the procedures described in the following topics:

  1. Creating a VMware Workspace ONE Access Claims Provider Trust in AD FS
  2. Configuring AD FS as a Service Provider for VMware Workspace ONE Access
  3. Test the VMware Workspace ONE Access Authentication
  4. Integrating AD FS-federated Applications With Workspace ONE

Use Case 3: Mobile Device Trust

Integrating AD FS with Workspace ONE lets administrators establish mobile device trust by evaluating device posture before permitting access from end users to sensitive applications. Device posture can refer to the security status of the mobile device, such as whether it is managed and compliant with your organization's IT requirements. Device posture policies are established in Workspace ONE UEM and evaluated whenever a user signs in to a protected application.

For example, a device trust flow using Office 365 follows this sequence:

  1. Mobile user attempts to access the Office 365 tenant.
  2. Office 365 redirects to AD FS as the federated identity provider.
  3. AD FS processes the incoming request and routes the user to VMware Workspace ONE Access as a trusted claims provider.
  4. As the identity component of Workspace ONE, VMware Workspace ONE Access challenges the user for authentication based on user access and device posture policies.
  5. VMware Workspace ONE Access performs authentication steps based on the device posture:
    1. If the device is managed and compliant with IT requirements, VMware Workspace ONE Access authenticates the user.
    2. If the device is unmanaged but compliant with IT requirements, VMware Workspace ONE Access enrolls the device and authenticates the user.
    3. If the device is not compliant with IT requirements, VMware Workspace ONE Access blocks the user from accessing the Office 365 application.
  6. Upon successful authentication with VMware Workspace ONE Access, the user is redirected back to AD FS.
  7. AD FS issues the SAML assertion for Office 365 and grants the user access to the application.
Figure 1. Device Trust Flow


To implement this use case, perform the procedures described in the following topics:

  1. Creating a VMware Workspace ONE Access Claims Provider Trust in AD FS
  2. Configuring AD FS as a Service Provider for VMware Workspace ONE Access
  3. Test the VMware Workspace ONE Access Authentication
  4. Redirect Mobile Users to VMware Workspace ONE Access for Authentication
Note: Alternatively, you can configure Office 365 to authenticate directly with the VMware Workspace ONE Access service, without using AD FS as an intermediary. For information on configuring this alternative use case, see VMware Identity Manager Integration with Office 365.

End to End Setup Covering All Use Cases

To set up the complete Workspace ONE and AD FS integration to cover all use cases, perform all the procedures described in the following topics:

  1. Integrating AD FS as a Federated Identity Provider for VMware Workspace ONE Access
  2. Integrating VMware Workspace ONE Access as a Federated Identity Provider for AD FS
  3. Configure the Claims Provider for the VMware Workspace ONE Access Relying Party Trust