VMware Identity Services | FEB 02 2024

Check for additions and updates to these release notes.

What's New in February 2024

Ability to deactivate VMware Identity Services from the console

We've now made it possible for you to deactivate VMware Identity Services from the Workspace ONE Cloud console. After deactivating VMware Identity Services, you can set up directory provisioning and federated authentication from Workspace ONE UEM and Workspace ONE Access directly. You might need to deactivate VMware Identity Services in the following scenarios:

  • Your use cases are not supported by VMware Identity Services.

  • You want to sync users and groups directly from Active Directory.

  • You want to configure directory services and identity federation in Workspace ONE UEM or Workspace ONE Access, instead of the Workspace ONE Cloud service.

For the procedure, see Deactivating VMware Identity Services.

What's New in December 2023

VMware Identity Services public APIs

We are happy to announce the release of VMware Identity Services public APIs for Workspace ONE, bringing the power of automation to your Workspace ONE Cloud integration with cloud identity providers that use SCIM 2.0.

The following use cases are available for the API integration:

  • Configure a provisioned directory of users and groups using the System for Cross-domain Identity Management (SCIM 2.0) protocol.

  • Manage identity provider configuration for federated authentication into Workspace ONE services.

  • Leverage centralized user management and authentication for Workspace ONE Access and Workspace ONE UEM.

To get started, create an OAuth 2.0 client in the Workspace ONE console to obtain API access.

To learn more about the new APIs, see the VMware Identity Services API Reference.

Note:

The VMware Identity Services APIs are available to new Workspace ONE Access or Workspace ONE UEM customers, and to existing customers that have already onboarded VMware Identity Services.

Token expiry notification for administrators

We now send notifications to administrators when the secret token used for directory synchronization is about to expire or has expired. Notifications are sent to the administrator by email and also appear as a banner in the Workspace ONE Cloud console.

Administrators can opt out from receiving email notifications.

What's New in October 2023

New Flow for Okta Integration with Workspace ONE

We are excited to announce that a new Okta flow is now available in the Workspace ONE Cloud console to support integration with Okta! This flow makes it easier for you to provision users and groups from Okta to Workspace ONE services and authenticate users using Okta. Prior to this release, Okta was tested and documented for the generic SCIM 2.0 Identity Provider flow.

Get familiar with the new flow by reading Integrating VMware Identity Services with Okta in the VMware Identity Services documentation.

Note:

The Okta integration is available for new customers or customers that have already onboarded to VMware Identity Services.


What's New in June 2023

Audit events for provisioning to Workspace ONE services

VMware Identity Services for Workspace ONE introduces audit events to track successes and failures in pushing data from Workspace ONE to downstream services such as Workspace ONE UEM and Workspace ONE Access. Admins can use the audited information to identify, track, and debug provisioning-based issues. Audit events support filtering based on the object name, object type, downstream service, and errors. A detailed view of audit events provides error states.


See Viewing Audit Events for VMware Identity Services for more information.

What's New in April 2023

New provisioning app for Azure Active Directory integration

We are excited to announce the availability of a new provisioning app, the VMware Identity Service app, in the Azure AD App Gallery! The app makes it easier for you to set up user provisioning from Azure AD to VMware Identity Services by including preconfigured settings.

To get started with your provisioning app, search for "VMware Identity Service" in the Azure AD App Gallery, then select the app.


Read more about how to integrate VMware Identity Services with Azure AD in the documentation.

Introducing VMware Identity Services - January 2023

We’re introducing a new service that makes user provisioning and identity federation easier for new customers of VMware Workspace ONE® Access™ and VMware Workspace ONE® UEM! You can now leverage VMware Identity Services to configure a provisioned directory of users and groups based on SCIM 2.0 in the Workspace ONE console. VMware Identity Services will then automatically provision users and groups, as well as authentication settings, to your Workspace ONE UEM and Workspace ONE Access admin consoles.

While integrating with your third-party identity provider, you confirm the user attributes to synchronize into VMware Identity Services. 

Take a look at some of the use cases:

  • Create and configure a provisioned directory of users and groups using the System for Cross-domain Identity Management (SCIM) 2.0 protocol.

  • Manage identity provider configuration for federated authentication into Workspace ONE services.

  • Leverage centralized user management and authentication across Workspace ONE products.

Currently, VMware Identity Services supports Workspace ONE UEM and Workspace ONE Access for centralized user management and authentication from the Workspace ONE console for newly-created environments.

Supported identity providers and directory sources:

  • Azure Active Directory (Azure AD), a cloud-based identity service in Microsoft Azure

  • Generic SCIM 2.0 identity source (tested for Okta)

Important:
  • VMware Identity Services is only available for new Workspace ONE environments.

  • VMware Identity Services is not available for VMware Managed Services Provider customers at this time.

To get started with VMware Identity Services, log into your organization's Workspace ONE portal and select Accounts > End User Management.


Click Get Started and use the wizard to set up the integration with your identity provider.


Known Issues

  • Unsupported features

    When VMware Identity Services is enabled, some features are not supported in Workspace ONE Access, Workspace ONE UEM, Hub Services, and VMware Workspace ONE® Intelligent Hub and portal. See Configuring User Provisioning and Identity Federation with VMware Identity Services for more information.

  • After you select a service such as Workspace ONE Access or Workspace ONE UEM to use with VMware Identity Services and save your selection, you cannot deselect it.

    Solution: Contact VMware Support to reset the selection.

  • Deleting a user in Azure AD does not delete the user from VMware Identity Services

    When you delete a user in Azure AD, the account is suspended for a specific period of time before being deleted. The user is deactivated in VMware Identity Services, too, for that period of time. In Azure AD, the username of the deleted user is also modified, and the changes are reflected in VMware Identity Services. See How Azure AD Users are Deleted for more information.

  • Deleting user and group attribute values in Azure AD does not delete the values in VMware Identity Services

    In Azure AD, when you delete a user or group attribute value that was already synced to VMware Identity Services, the value is not deleted in VMware Identity Services and Workspace ONE services. Azure AD does not propagate null values.

    Solution: Instead of clearing the value completely, enter a space character.

  • Okta integration requires two apps

    When you integrate VMware Identity Services with Okta, you must create separate apps in the Okta Admin console for user provisioning and identity provider configuration. You cannot use the same app for provisioning and authentication.

  • Login_hint feature does not work

    When you integrate a third-party identity provider with VMware Identity Services using the OpenID Connect protocol, the login_hint feature does not work. If the relying party sends a login_hint, VMware Identity Services does not pass it to the identity provider.

  • Deleting an attribute mapping in Azure AD or Okta does not remove the attribute from users in VMware Identity Services

    When you delete an attribute mapping from the provisioning app in Azure AD or Okta, the changes are not propagated to VMware Identity Services. The attribute is not deleted for users in VMware Identity Services and Workspace ONE services.
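
Because several of the issues above leave values in the synced directory after they were removed upstream, a periodic comparison of the two sides helps catch stale data. The following is an added example, not VMware code: it calls no VMware API, and the flat record layout, IDs, and attribute names are constructed assumptions standing in for exports from your identity provider and from the synced directory.

```python
"""Drift check between an identity provider export and the synced directory."""

# Constructed sample records (not real tenant data), keyed by a stable external ID.
IDP_USERS = {
    "u1": {"userName": "alice@example.com", "active": True, "title": "Engineer"},
    "u2": {"userName": "bob@example.com", "active": True, "title": " "},
}
SYNCED_USERS = {
    "u1": {"userName": "alice@example.com", "active": True,
           "title": "Engineer", "department": "Finance"},
    "u2": {"userName": "bob@example.com", "active": True, "title": " "},
    "u3": {"userName": "carol-deleted@example.com", "active": False},
}

IDENTITY_FIELDS = {"userName", "active"}


def is_blank(value):
    """Treat missing, empty and whitespace-only values (the space workaround) as cleared."""
    return value is None or (isinstance(value, str) and value.strip() == "")


def find_drift(idp_users, synced_users):
    """Return sorted (user_id, finding, attribute) tuples for records that disagree."""
    findings = []
    for user_id, synced in synced_users.items():
        upstream = idp_users.get(user_id)
        if upstream is None:
            # Gone upstream: deactivated is the documented interim state; active is not.
            kind = "orphan_active" if synced.get("active") else "orphan_deactivated"
            findings.append((user_id, kind, "active"))
            continue
        for attr, value in synced.items():
            if attr in IDENTITY_FIELDS:
                continue
            # Value cleared or unmapped upstream but still populated in the directory.
            if is_blank(upstream.get(attr)) and not is_blank(value):
                findings.append((user_id, "stale_attribute", attr))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_drift(IDP_USERS, SYNCED_USERS):
        print(finding)
```

A `stale_attribute` finding matters most when the attribute feeds group membership or access policy, since the directory still holds a value the identity provider no longer asserts.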

Internationalization

VMware Identity Services is available in the following languages:

  • Czech

  • French

  • Polish

  • Simplified Chinese (China)

  • Danish

  • Italian

  • Portuguese

  • Chinese (Taiwan)

  • German

  • Japanese

  • Russian

  • English

  • Korean

  • Swedish

  • Spanish

  • Dutch

  • Turkish

To view the documentation in your preferred language, click the icon at the top-right of the page and select the language.

Support Contact Information

Contact VMware Support when you need help with your VMware Identity Services environment. You can submit a support request to VMware Support online using your VMware Customer Connect account or by phone.

KB article 2151511, How to access VMware Workspace ONE Support, describes how to contact Workspace ONE Support.
