As a claims issuer, VMware Workspace ONE Access sends security tokens containing authentication claims to AD FS. Claim rules define the content of these claims and transform them into a format that AD FS can recognize and consume.

VMware Workspace ONE Access sends the Name ID user attribute as an authentication claim to AD FS. This attribute takes the form domain\samAccountName in the SAML assertion issued by VMware Workspace ONE Access. However, AD FS expects instead a value of type WindowsAccountName formatted as domain\user. AD FS also expects to see Active Directory named as the issuer of this value.

The solution is to configure a claim rule that transforms the Name ID attribute into WindowsAccountName format and changes the named issuer from VMware Workspace ONE Access to Active Directory. AD FS can then recognize and consume the incoming claim from VMware Workspace ONE Access.

Prerequisites

Add VMware Workspace ONE Access as a Claims Provider for AD FS

Procedure

  1. If needed, open the Edit Claim Rules window on the AD FS server by performing the following steps.
    1. Run the AD FS Management console as an administrator.
    2. (AD FS 3.0) In the left pane, expand the Trust Relationships folder.
    3. In the left pane, select Claims Provider Trusts.
    4. In the center pane, select the claims provider trust that you created for VMware Workspace ONE Access.
    5. In the right pane, click Edit Claim Rules.

    Screenshot of the Claims Provider Trusts window showing the Edit Claim Rules option
  2. In the Edit Claim Rules window, click Add Rule.

    Screenshot of the Edit Claim Rules window
    The Add Transform Claim Rule Wizard appears.
  3. For Claim rule template, select Send Claims Using a Custom Rule. Then click Next.

    Screenshot of the Claim rule template list showing the Send Claims Using a Custom Rule option
    The Configure Rule page appears. You can now create a rule that transforms the incoming Name ID attribute into the WindowsAccountName value formatted as domain\user. The rule also names Active Directory as the issuer of this value.
  4. On the Configure Rule page, perform the following steps.
    1. For Claim rule name, enter a descriptive name for the rule.
    2. In the Custom Rule text box, enter the following rule.
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
       Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] ==
       "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
    => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
             Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

    Screenshot of the Configure Rule window showing the contents of the Claim rule name and Custom Rule fields
  5. Click Finish.
  6. In the Edit Claim Rules window, verify that the custom rule you created appears in the list.

    Screenshot of the Edit Claim Rules window showing the rule just created
  7. Click Apply, and then click OK.
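The same rule can be added and checked from PowerShell on the AD FS server instead of through the wizard; the script below is an added example, not VMware's or Microsoft's code, and assumes the claims provider trust was created with the display name shown in $trustName.

```powershell
# Added example (not from the VMware documentation): attach the Name ID ->
# WindowsAccountName acceptance transform rule to the Workspace ONE Access
# claims provider trust and verify that AD FS stored it.
# Assumption: the trust's display name is the placeholder below.
$trustName = "VMware Workspace ONE Access"

# Same rule as in the procedure, with an @RuleName label so it is easy to
# find again in the Edit Claim Rules window or in Get-AdfsClaimsProviderTrust.
# It only matches a Name ID whose format is "unspecified"; a different
# nameid-format from the issuer leaves the claim untransformed.
$rule = @'
@RuleName = "Workspace ONE Name ID to WindowsAccountName"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] ==
   "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
         Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer,
         Value = c.Value, ValueType = c.ValueType);
'@

$trust = Get-AdfsClaimsProviderTrust -Name $trustName
if (-not $trust) { throw "Claims provider trust '$trustName' not found." }

# -AcceptanceTransformRules replaces the whole rule set, so append to any
# existing rules instead of overwriting them; skip if the rule is already there.
$existing = $trust.AcceptanceTransformRules
if ($existing -and $existing.Contains('identity/claims/windowsaccountname')) {
    Write-Host "A WindowsAccountName transform rule already exists; leaving it unchanged."
} else {
    $combined = if ($existing) { $existing.TrimEnd() + "`r`n" + $rule } else { $rule }
    Set-AdfsClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules $combined
}

# Verify: the rule text stored on the trust must now contain the issued claim type.
$stored = (Get-AdfsClaimsProviderTrust -Name $trustName).AcceptanceTransformRules
if ($stored -notmatch 'identity/claims/windowsaccountname') {
    throw "Rule was not saved on '$trustName'."
}
Write-Host "Acceptance transform rules on '$trustName':`n$stored"
```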

What to do next

Proceed to Configuring AD FS as a Service Provider for VMware Workspace ONE Access.