We’re introducing a new service that makes user provisioning and identity federation easier for new customers of VMware Workspace ONE® Access™ and VMware Workspace ONE® UEM! You can now leverage VMware Identity Services to configure a provisioned directory of users and groups based on SCIM 2.0 in the Workspace ONE console. VMware Identity Services will then automatically provision users and groups, as well as authentication settings, to your Workspace ONE UEM and Workspace ONE Access admin consoles.

While integrating with your third-party identity provider, you confirm the user attributes to synchronize into VMware Identity Services. 

Take a look at some of the use cases:

• Create and configure a provisioned directory of users and groups using the System for Cross-domain Identity Management (SCIM) 2.0 protocol.

• Manage identity provider configuration for federated authentication into Workspace ONE services.

• Leverage centralized user management and authentication across Workspace ONE products.

Currently, VMware Identity Services supports Workspace ONE UEM and Workspace ONE Access for centralized user management and authentication from the Workspace ONE console for newly-created environments.

Supported identity providers and directory sources:

• Azure Active Directory (Azure AD), a cloud-based identity service in Microsoft Azure

• Generic SCIM 2.0 identity source (tested for Okta)

To get started with VMware Identity Services, log into your organization's Workspace ONE portal and select Accounts > End User Management.

Click Get Started and use the wizard to set up the integration with your identity provider.

• Unsupported features

  When VMware Identity Services is enabled, some features are not supported in Workspace ONE Access, Workspace ONE UEM, Hub Services, and VMware Workspace ONE® Intelligent Hub and portal. See Configuring User Provisioning and Identity Federation with VMware Identity Services for more information.

• After you select a service such as Workspace ONE Access or Workspace ONE UEM to use with VMware Identity Services and save your selection, you cannot deselect it.

  Solution: Contact VMware Support to reset the selection.

• Deleting a user in Azure AD does not delete the user from VMware Identity Services

  When you delete a user in Azure AD, the account is suspended for a specific period of time before being deleted. The user is deactivated in VMware Identity Services, too, for that period of time. In Azure AD, the username of the deleted user is also modified, and the changes are reflected in VMware Identity Services. See How Azure AD Users are Deleted for more information.

• Deleting user and group attribute values in Azure AD does not delete the values in VMware Identity Services

  In Azure AD, when you delete a user or group attribute value that was already synced to VMware Identity Services, the value is not deleted in VMware Identity Services and Workspace ONE services. Azure AD does not propagate null values.

  Solution: Instead of clearing the value completely, enter a space character.

• Okta integration requires two apps

  When you integrate VMware Identity Services with Okta, you must create separate apps in the Okta Admin console for user provisioning and identity provider configuration. You cannot use the same app for provisioning and authentication.

• Login_hint feature does not work

  When you integrate a third-party identity provider with VMware Identity Services using the OpenID Connect protocol, the login_hint feature does not work. If the relying party sends a login_hint, VMware Identity Services does not pass it to the identity provider.

• Deleting an attribute mapping in Azure AD or Okta does not remove the attribute from users in VMware Identity Services

  When you delete an attribute mapping from the provisioning app in Azure AD or Okta, the changes are not propagated to VMware Identity Services. The attribute is not deleted for users in VMware Identity Services and Workspace ONE services.

See Configuring User Provisioning and Identity Federation with VMware Identity Services in the Workspace ONE documentation center.

VMware Identity Services is available in the following languages:

To view the documentation in your preferred language, click the icon at the top-right of the page and select the language.

Contact VMware Support when you need help with your VMware Identity Services environment. You can submit a support request to VMware Support online using your VMware Customer Connect account or by phone.

KB article 2151511, How to access VMware Workspace ONE Support, describes how to contact Workspace ONE Support.