Problem

You cannot authenticate to AD FS-federated applications using VMware Workspace ONE Access as the identity provider.

Cause

Possibly one of the following:

  • The federation between VMware Workspace ONE Access and AD FS is configured incorrectly.
  • The value or format provided in the claim issued by VMware Workspace ONE Access does not match the value or format expected by AD FS.
  • The RelayState parameter is not enabled, or the relying party identifier is not configured for the application.

Solution

  1. Attempt an IdP-initiated login to AD FS by navigating to https://{ADFSdomain}/ADFS/ls/idpinitiatedsignon.aspx, where {ADFSdomain} is replaced with the fully qualified domain name of the AD FS server.

  2. Check the AD FS Event Viewer log for authentication errors.
    Most errors indicate a mismatch between the value or format provided by VMware Workspace ONE Access and what the AD FS server expects. Review and repeat the procedure described in Configure Claim Rules for the Claims Provider Trust.
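
To see the value and format that were actually sent, you can decode the base64 SAMLResponse form field captured in the browser during the login test and compare its NameID with what the AD FS claim rules expect. The following script is an added example, not part of the VMware documentation; the sample response, the issuer URL, and the expected format and value are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:"

# Constructed sample: a response whose NameID uses the "unspecified" format.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/constructed-issuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{FMT}unspecified">jdoe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def extract_subject(b64_response):
    """Decode an HTTP-POST SAMLResponse; return issuer, NameID format and value.
    Diagnostic only: no signature check, encrypted assertions are not handled."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no unencrypted Assertion found in the response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {
        "issuer": (assertion.findtext("saml:Issuer", "", NS) or "").strip(),
        "format": None if name_id is None else name_id.get("Format"),
        "value": None if name_id is None else (name_id.text or "").strip(),
    }

def find_mismatches(subject, expected_format, expected_value):
    """List the differences between the issued NameID and the expected one."""
    if subject["value"] is None:
        return ["assertion has no Subject/NameID"]
    problems = []
    if subject["format"] != expected_format:
        problems.append(f"format: got {subject['format']!r}, expected {expected_format!r}")
    if subject["value"] != expected_value:
        kind = "case only" if subject["value"].lower() == expected_value.lower() else "value"
        problems.append(f"{kind}: got {subject['value']!r}, expected {expected_value!r}")
    return problems

if __name__ == "__main__":
    subject = extract_subject(SAMPLE_B64)
    for line in find_mismatches(subject, FMT + "emailAddress", "jdoe@example.com"):
        print("MISMATCH", line)
```

Run it against a response captured from your own test login and substitute the format and value that your claim rules are written to accept.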