When you add and configure new SAML identity provider instances for your Workspace ONE Access deployment, you can provide high availability, support additional user authentication methods, and add flexibility in the way you manage the user authentication process based on user IP address ranges.
Complete the following tasks before adding the third-party identity provider instance.
- Verify that the third-party instances are SAML 2.0 compliant and that the Workspace ONE Access service can reach the third-party instance.
- Coordinate the integration with the third-party identity provider. Depending on the identity provider, you might need to configure both settings in unison.
- Obtain the appropriate third-party metadata information to add when you configure the identity provider in the Workspace ONE Access console. The metadata information you obtain from the third-party instance is either the URL to the metadata or the actual metadata.
- In the Workspace ONE Access console page, select the identity provider labeled Create SAML IDP and configure the identity provider settings..
Form Item Description Identity Provider Name Enter a name for this identity provider instance. SAML Metadata
Add the third-party identity provider XML-based metadata document to establish trust with the identity provider.
- Enter the SAML metadata URL or the xml content into the text box. Click Process IdP Metadata.
- Select how the user is identified. The identifier sent in an inbound SAML Assertion can be either sent in the Subject or in the Attribute element.
- NameID Element. User identifier is retrieved from the NameID element of the Subject element.
- SAML Attribute. User identifier is retrieved from a specific Attribute or AttributeStatement element.
- If you select NameID Element, the NameID formats supported by the identity provider are extracted from the metadata and added to the Name ID Format table that is displayed.
- In the Name ID value column, select the user attributes that are configured in the Workspace ONE Access service to map to the NameID formats that are displayed. You can add custom third-party name ID formats and map them to the user attribute values in the Workspace ONE Access service.
- Select the Name ID Policy in SAML Request response identifier string format to use. This format must match the specific Name ID Policy format configuration of the third-party IDP used to establish trust with the Workspace ONE Access service.
- (Cloud only) Select the option Send Subject in SAML Request (when available) as a login hint or as a hint for authentication such as MFA. When you enable this option, you can also enable Send Subject value based on NameID format mapping to map the login hint provided by the third-party app to the NameID value.
Note: When Send Subject value based on NameID format mapping is enabled, the Workspace ONE Access service is vulnerable to a security risk known as user enumeration. Enable this option with caution.
Example of a configuration where Send Subject value based on NameID format mapping option is enabled
Third-Party Identity Provider Configuration
- App ‘X’ is federated with Workspace ONE Access.
- The third-party identity provider mapped the NameID value to userPrincipleName.
In this configuration the end user's email is not mapped to the third-party IDPs userPrincipleName.
- The App X access policy has a rule that the third-party identity provider is used to authenticate the user.
End User Authentication Flow
- End user selects App ‘X’.
- App ‘X’ presents a login page to the end user to enter their email address.
- App ‘X’ sends the email as a login hint back to Workspace ONE Access.
- Because Send Subject value based on NameID format mapping is enabled, Workspace ONE Access accepts the email and finds the UserPrincipleName for that user.
- Workspace ONE Access sends the SAML request with the corresponding UserPrincipleName that was mapped to the third-party IDP responsible for authenticating the end user.
- If you select SAML Attribute, include the Attribute Format and Attribute Name. Select the user attribute in the Workspace ONE Access service to map to the SAML Attribute.
Just-in-Time Provisioning Just-in-Time provisioning users are created and updated dynamically when they log in, based on SAML assertions sent by the identity provider. See How Just-in-Time User Provisioning Works in Workspace Access. If you enable JIT, enter the directory and domain name for the JIT directory. Users Select the directories that include the users who can authenticate using this identity provider. Network The existing network ranges configured in the service are listed.
Select the network ranges for the users based on their IP addresses, that you want to direct to this identity provider instance for authentication.
Enter the authentication method name to associate with this third-party identity provider. You can enter multiple authentication methods to associate with the third-party identity provider. Give each authentication method a friendly name that identifies the auth method. You select the authentication method name in the access policy to configure the rules for the third party IDP authentication method.
Map the authentication method name with the SAML authentication context that is sent by the third-party identity provider in the SAML response. In the drop-down menu, select a SAML authentication context class string from the list of commonly used strings, or you can enter a custom string.
Single Sign-Out Configuration
When users sign in to Workspace ONE from a third-party identity provider (IDP), two sessions are opened, one on the third-party identity provider, and the second on the identity manager service provider for Workspace ONE. The lifetime of those sessions is managed independently. When users sign out of Workspace ONE, the Workspace ONE session is closed, but the third-party IDP session might still be open. Based on your security requirements, you can enable single sign-out and configure single sign-out to sign out of both sessions, or you might keep the third-party IDP session intact.
Configuration Option 1
- You can enable single sign-out when you configure the third-party identity provider. If the third-party identity provider supports SAML-based single logout protocol (SLO), users are logged out of both sessions when they sign out of the Workspace ONE portal. The Redirect URL text box is not configured.
- If the third-party IDP does not support SAML-based single logout, you enable single sign-out, and in the Redirect URL text box designate an IDP single logout endpoint URL. You can also add a redirect parameter to append to the URL that sends users to a specific endpoint. Users are redirected to this URL when they sign out of the Workspace ONE portal and are signed out from the IDP as well.
Configuration Option 2
- Another single sign-out option is to log users out of their Workspace ONE portal and redirect them to a customized endpoint URL. You enable single sign-out, designate the URL in the Redirect URL text box, and the redirect parameter of the customized endpoint. When users sign out of the Workspace ONE portal, they are directed to this page, which can display a customized message. The third-party IDP session might still be open. The URL is entered as https://<vidm-access-url>/SAAS/auth/federation/slo.
If Enable Single Sign-out is not enabled, the default configuration in the Workspace ONE Access service is to directed users back to the Workspace ONE portal sign-in page when they sign out. The third-party IDP session might still be open.
SAML Signing Certificate Click Service Provider (SP) Metadata to see URL to Workspace ONE Access SAML service provider metadata URL. Copy and save the URL. This URL is configured when you edit the SAML assertion in the third-party identity provider to map Workspace ONE Access users. IdP Hostname If the Hostname text box displays, enter the host name where the identity provider is redirected to for authentication. If you are using a non-standard port other than 443, you can set the host name as Hostname:Port. For example, myco.example.com:8443.
- Click Add.
What to do next
- In the console, go to the Resources > Policies page and edit the default access policy to add a policy rule to select the SAML authentication method name as the authentication method to use. See Managing Access Policies in the Workspace ONE Access Service.
- Edit the third-party identity provider's configuration to add the SAML Signing Certificate URL that you saved.