You can configure and edit password (cloud) authentication in the Workspace ONE Access console, Connector Authentication Method page after the Directory Sync service is configured with your enterprise directory.

Which text boxes you configure for password (cloud) authentication are based on the type of directory you select. The following is a list of the type of directories for password authentication.
  • Active Directory with fixed host and port
  • Active Directory with DNS lookup
  • Global Catalog Directory
  • IWA Directory
  • LDAP Directory

To learn how directory sync service integrates with your enterprise directory, see the Directory Integrations with Workspace ONE Access guide .

Prerequisites

  • Install the Workspace ONE Access connector with the User Auth service configured on the connector. See the latest version of the VMware Workspace ONE Access Connector installation guide.
    • Make sure that all User Auth service instances in your environment are configured on the Workspace ONE Connector version 21.08. You cannot configure User Auth service authentication methods if you mix connector versions 21.08 and 20.x of the User Auth service.
  • The Directory Sync service installed on a Workspace ONE Access connector.
  • Directories configured in the Workspace ONE Access console Integrations section.
  • User attributes correctly mapped to your enterprise directory.

Procedure

  1. In the Workspace ONE Access console Integrations > Connector Authentication Methods page, click NEW and select Password (cloud deployment).
  2. Select the Directory and the Service Host that is configured with password authentication.
  3. In the Configuration page, configure the Password (cloud) authentication method settings.
    Directory Type Option Action
    All types Number of authentication attempts allowed. Enter the maximum number of failed login attempts when using password authentication against a directory. The default is two attempts.
    All types Directory Type Select the type of directory that you set up when you installed the Directory Sync service in the connector server.
    Active Directory with fixed host and port Server Port Select the port used for Active Directory, either 389 or 636 for standard LDAP queries.

    For global catalog queries, enter either ports 3268 or 3269 .
    Active Directory with fixed host and port Server Host Select one or more Directory Sync Service instances to use.
    All Types Communication Mode Basic mode is selected by default. You can change the communication mode.
    • Select SSL, if SSL/TLS is used for communication with the directory.
    • Select STARTTLS, if the DNS service location and SSL are used for communication with the directory. Add the certificates.
    All types Directory Certificate If the enterprise directory requires access over SSL/TLS, copy and paste the enterprise directory server's root CA SSL certificate into the text box. Ensure that the certificate is in PEM format and include "BEGIN CERTIFICATE" and "END CERTIFICATE lines.
    Active Directory with DNS lookup Use DNS Service Location Select this box to use the DNS service location records to locate the Active Directory domains.

    If you do not use DNS service location lookup, deselect the check box and enter the Active Directory server host name and port.

    • Active Directory with fixed host and port
    • Active Directory with DNS lookup
    • IWA Directory
    • LDAP Directory
    		 Base DN Enter the DN from which to start searches in the directory. For example, cn=users,dc=example,dc=com.
    All Types Bind DN / User Name (IWA) Enter the user name to use to search for users. For example, CN=binduser,OU=myUnit,DC=myCorp,DC=com.
    Note: Using a Bind DN user account with a non-expiring password is recommended.
    All Types Bind Password Enter the Bind DN user password.
    • Active Directory with fixed host and port
    • Active Directory with DNS lookup
    • IWA Directory
    		 Search Attribute Enter the account attribute that contains the user name. This can be either sAMAcountName, UPN, or Custom.
    • LDAP Directory
    		 Custom Directory Search Attribute for Users When you enter Custom in the Search Attribute text box, enter the custom search attribute to use to query your LDAP directory to obtain user and group names. For example, UID.
    • Active Directory with fixed host and port
    • Active Directory with DNS lookup
    • IWA Directory
    		 Filter query to get AD users Enter the search filters used to query your enterprise directory.
    • Groups search filter to obtain groups. For example, (objectClass=groupOfNames).
    • Users search filter to obtain users to sync. For example, (&(objectClass=user) (objectCategory=person))
    • Active Directory with fixed host and port
    • Active Directory with DNS lookup
    • IWA Directory
    • Global Catalog Directory
    		 SAML Name-Id Format Enter the nameIdFormat value that is used to identify the user after authentication. By default, the value is the Directory search UID attribute.
    All Types Change password feature enabled Enable this feature to allow users to reset their Active Directory passwords from the Workspace ONE Access login page.
    All Types Display domain in login page Enable this to show the System Domain as an option when users are signing on. If this is deactivated and only one domain is available, the domain selection page is not displayed.
  4. Click NEXT to review the configuration and then click SAVE.

What to do next

Add Password (cloud deployment) as an authentication method to the built-in identity provider in the Integrations section.

Add the authentication method to the default access policy. In the console, go to the Resources > Policies page and edit the default policy rules to add the password authentication method to the rule. See Managing Access Policies in the Workspace ONE Access Service.