After enabling VMware Identity Services for your Workspace ONE tenant, set up the integration with your SCIM 2.0-based identity provider.

  1. In the VMware Identity Services Getting Started wizard, click Start in step 2, Integrate a SCIM 2.0-Based Identity Provider.
  2. Click Set Up on the SCIM 2.0 Identity Provider card.
  3. Follow the wizard to set up the integration with your identity provider.

Step 1: Create a Directory

As the first step in setting up user provisioning and identity federation with VMware Identity Services, create a directory in the Workspace ONE console for users and groups provisioned from your identity provider.

Caution: After you create a directory, you cannot change your identity provider selection. Make sure that you select the appropriate identity provider before proceeding.

Procedure

  1. In step 1, General Information, of the wizard, enter the name that you want to use for the provisioned directory in Workspace ONE.
    The name can have a maximum length of 128 characters. Only the following characters are allowed: letters (a-z or equivalent in other languages), digits (0-9), space, hyphen (-), and underscore (_).
    Important: You cannot change the name of the directory after it is created.
  2. For Domain Name, enter the primary domain name of your source directory, including the extension such as .com or .net.
    VMware Identity Services currently supports only one domain. Provisioned users and groups are associated with this domain in Workspace ONE services.

    The domain name can have a maximum length of 100 characters. Only the following characters are allowed: letters (a-z or equivalent in other languages), digits (0-9), space, hyphen (-), underscore (_), and period (.).

    For example: the directory name is Demo and the domain name is example.com.
  3. Click Save, and confirm your selection.
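Because neither the directory name nor the identity provider selection can be changed after you click Save, it is worth checking both values against the rules above before creating the directory. The following validator is an added example, not VMware's code; it encodes the length and character rules stated for the directory name and domain name in this step, and treats "letters" as letters in any language, as the page describes.

```python
# Added example (not VMware's code): pre-check the directory name and domain
# name against the rules stated in Step 1 before clicking Save, because the
# name and the identity provider selection cannot be changed afterwards.
from typing import List, Set

DIRECTORY_NAME_MAX = 128
DOMAIN_NAME_MAX = 100
# Characters allowed in addition to letters (any language) and digits 0-9
DIRECTORY_NAME_EXTRA: Set[str] = set(" -_")
DOMAIN_NAME_EXTRA: Set[str] = set(" -_.")


def _is_ascii_digit(ch: str) -> bool:
    # str.isdigit() also accepts non-ASCII digits; the page allows only 0-9
    return "0" <= ch <= "9"


def _problems(value: str, label: str, max_len: int, extra: Set[str]) -> List[str]:
    """Return human-readable rule violations; an empty list means the value is acceptable."""
    problems = []
    if not value:
        problems.append(f"{label} must not be empty")
    if len(value) > max_len:
        problems.append(f"{label} exceeds {max_len} characters ({len(value)})")
    bad = sorted({ch for ch in value
                  if not (ch.isalpha() or _is_ascii_digit(ch) or ch in extra)})
    if bad:
        problems.append(f"{label} contains disallowed characters: {bad!r}")
    return problems


def validate_directory_name(name: str) -> List[str]:
    return _problems(name, "Directory name", DIRECTORY_NAME_MAX, DIRECTORY_NAME_EXTRA)


def validate_domain_name(domain: str) -> List[str]:
    problems = _problems(domain, "Domain name", DOMAIN_NAME_MAX, DOMAIN_NAME_EXTRA)
    # The page asks for the primary domain including its extension (.com, .net, ...)
    if "." not in domain.strip("."):
        problems.append("Domain name should include its extension, for example example.com")
    return problems


if __name__ == "__main__":
    # Values from the page's own example
    for check, value in ((validate_directory_name, "Demo"), (validate_domain_name, "example.com")):
        print(value, "->", check(value) or "OK")
```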

What to do next

Set up user and group provisioning.

Step 2: Set up User and Group Provisioning

After you create a directory in VMware Identity Services, set up user and group provisioning. You start the process in VMware Identity Services by generating the admin credentials required for provisioning, then configure provisioning in the identity provider using those credentials.

Note: This topic applies to integration with a SCIM 2.0 identity provider other than Azure AD. For integration with Azure AD, see Step 2: Set up User and Group Provisioning.
Note: This topic provides high-level information about configuring a third-party identity provider. The exact steps and locations for the tasks vary based on your identity provider. Refer to your identity provider's documentation for specific information.

Prerequisites

You have an administrator account in the identity provider with the privileges required to set up user provisioning.

Procedure

  1. In the Workspace ONE console, in step 2, Configure Identity Provider, of the VMware Identity Services wizard, select the type of credentials required to set up user provisioning in your identity provider.
    Choose between:
    • Client ID and secret
    • Tenant URL and token

    Since tokens expire and have to be updated manually, Client ID and secret is preferred. As a security best practice, rotate the client ID and client secret every six months.

    When you click Next, VMware Identity Services generates the credentials.
  2. If you selected Client ID and secret, copy the Client ID and Client Secret values.
    Important: Make sure that you copy the secret before clicking Next. After you click Next, the secret will no longer be visible and you will have to generate a new secret. Be aware that whenever you regenerate the secret, the previous secret becomes invalid and provisioning fails. Make sure that you copy and paste the new secret to the identity provider app.

    For example:

    Client ID and Client Secret values appear with a copy icon next to them.
  3. If you selected Tenant URL and token, review and copy the generated values.
    • Tenant URL: Your VMware Identity Services tenant's SCIM 2.0 endpoint. Copy the value.
    • Token lifespan: The period for which the secret token is valid.

      By default, VMware Identity Services generates the token with a lifespan of 6 months. To change the token lifespan, click the down arrow, select another option, and click Regenerate to regenerate the token with the new value.

      Important: Whenever you update the token lifespan, the previous token becomes invalid and provisioning of users and groups from the identity provider fails. You must regenerate a new token and copy and paste the new token to the identity provider.
    • Secret token: The token required by the identity provider to provision users to Workspace ONE. Copy the value.
      Important: Make sure you copy the token before clicking Next. After you click Next, the token will no longer be visible and you will have to generate a new token. Be aware that whenever you regenerate the token, the previous token becomes invalid and provisioning fails. Make sure that you copy and paste the new token to the identity provider.

    For example:

    Values for Tenant URL and Secret Token appear. The token lifespan is 6 months.
  4. In your identity provider, set up user and group provisioning to Workspace ONE.
    1. Log into your identity provider console as an administrator.
    2. Set up SCIM 2.0 provisioning.
      When prompted, enter the credentials that you generated in the Workspace ONE console.
    3. Activate the provisioning.

What to do next

Return to the Workspace ONE console to continue with the VMware Identity Services wizard.

Step 3: Map SCIM User Attributes

Map the user attributes to synchronize from your identity provider to Workspace ONE services. In your identity provider console, add the required SCIM user attributes and map them to your identity provider attributes. At a minimum, synchronize the attributes that VMware Identity Services and Workspace ONE services require.

VMware Identity Services and Workspace ONE services require the following SCIM user attributes:

  • userName
  • emails
  • name.givenName
  • name.familyName
  • externalId
  • active

For more information about these attributes and their mapping to Workspace ONE attributes, see User Attribute Mapping for VMware Identity Services.

In addition to the required attributes, you can synchronize optional attributes and custom attributes. For the list of supported optional and custom attributes, see User Attribute Mapping for VMware Identity Services.

Note: You cannot specify group attribute mappings in Okta to synchronize to VMware Identity Services. You can only map user attributes.

Procedure

  1. In the Workspace ONE console, in step 3, Map SCIM User Attributes, of the VMware Identity Services wizard, review the list of attributes that VMware Identity Services supports.
  2. In your identity provider admin console, navigate to the provisioning configuration for Workspace ONE.
  3. Navigate to the attribute mapping page.
  4. Map the required SCIM user attributes to your identity provider attributes.
  5. Add and map optional and custom SCIM user attributes, as needed.
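To make the provisioning side of Step 2 and the attribute requirements of Step 3 concrete, the following is an added example (not VMware's code and not any identity provider's provisioning implementation). It maps a constructed identity provider user record onto a SCIM 2.0 User resource, refuses to send it unless every attribute VMware Identity Services requires is present, and assembles the request that a provisioning app would make against the Tenant URL using the secret token as a bearer token. The record layout, the tenant URL and the token value are assumptions constructed for the example; the SCIM endpoint path and token come from the wizard in a real deployment.

```python
# Added example (not VMware's or any identity provider's code): build the
# SCIM 2.0 User resource for one directory user, verify the attributes that
# VMware Identity Services requires (Step 3), and assemble the authenticated
# provisioning request using the Tenant URL and secret token from Step 2.
import json
from typing import Dict, List, Tuple

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Required by VMware Identity Services, written as dotted SCIM attribute paths
REQUIRED_ATTRIBUTES = [
    "userName", "emails", "name.givenName", "name.familyName", "externalId", "active",
]

# Constructed identity provider record; field names are an assumption for this example
SAMPLE_IDP_USER = {
    "id": "00u1abcd", "login": "jdoe@example.com", "email": "jdoe@example.com",
    "first_name": "Jane", "last_name": "Doe", "status": "ACTIVE",
}


def build_scim_user(idp_user: Dict) -> Dict:
    """Map an identity provider user record onto a SCIM 2.0 User resource."""
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        # externalId carries the provider's immutable identifier, so a rename does not create a duplicate
        "externalId": idp_user["id"],
        "userName": idp_user["login"],
        "name": {
            "givenName": idp_user.get("first_name"),
            "familyName": idp_user.get("last_name"),
        },
        "emails": [{"value": idp_user["email"], "primary": True}],
        # Deprovisioning is signalled with active=false rather than by deleting the user
        "active": idp_user.get("status") == "ACTIVE",
    }
    # Optional attributes are mapped only when the source record has them
    if idp_user.get("display_name"):
        user["displayName"] = idp_user["display_name"]
    return user


def _lookup(resource: Dict, path: str):
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def missing_required_attributes(user: Dict) -> List[str]:
    """Return the required SCIM paths that are absent or empty (None, '' or [])."""
    missing = []
    for path in REQUIRED_ATTRIBUTES:
        value = _lookup(user, path)
        if value is None or value == "" or value == []:
            missing.append(path)
    return missing


def build_provisioning_request(tenant_url: str, secret_token: str,
                               user: Dict) -> Tuple[str, str, Dict[str, str], str]:
    """Return (method, url, headers, body) for creating the user at the SCIM endpoint."""
    missing = missing_required_attributes(user)
    if missing:
        raise ValueError(f"refusing to provision user; missing required attributes: {missing}")
    headers = {
        # The secret token from the wizard is presented as a bearer token on every
        # SCIM call; once it is regenerated or its lifespan ends, these calls fail.
        "Authorization": f"Bearer {secret_token}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }
    return "POST", tenant_url.rstrip("/") + "/Users", headers, json.dumps(user)


if __name__ == "__main__":
    scim_user = build_scim_user(SAMPLE_IDP_USER)
    # Placeholder tenant URL and token; the real values come from the wizard
    method, url, headers, body = build_provisioning_request(
        "https://vis.example.test/scim/v2", "<secret token from wizard>", scim_user)
    print(method, url)
    print(body)
```

If you later add a custom attribute in the identity provider, extend `build_scim_user` with the corresponding SCIM path; the required-attribute check stays the same, since those six attributes are the minimum regardless of what else you synchronize.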

What to do next

Return to the Workspace ONE console to continue with the VMware Identity Services wizard.

Step 4: Select the Authentication Protocol

Select the protocol to use for federated authentication. VMware Identity Services supports the OpenID Connect and SAML protocols.

Procedure

  1. In step 4, Select Authentication Protocol, of the wizard, select OpenID Connect or SAML.
  2. Click Next.
    The next step of the wizard appears with the values required to configure the protocol you selected.

What to do next

Configure VMware Identity Services and the identity provider for federated authentication.

Step 5: Configure Authentication (Generic SCIM Identity Provider)

To configure federated authentication with your identity provider, you set up an OpenID Connect or SAML app in the identity provider using the service provider metadata from VMware Identity Services, and configure VMware Identity Services with the values from the app.

Important: If you are integrating VMware Identity Services with Okta, you must create separate apps in the Okta Admin console for user provisioning and identity provider configuration. You cannot use the same app for provisioning and authentication.
Note: This topic provides high-level information about configuring a third-party identity provider. The exact steps for the tasks vary based on your identity provider. Refer to your identity provider's documentation for specific information.

OpenID Connect

If you selected OpenID Connect as the authentication protocol, follow these steps.

  1. From step 5, Configure OpenID Connect, of the VMware Identity Services wizard, copy the Redirect URI value.

    You need this value for the next step, when you create an OpenID Connect app in your identity provider.

    ""

  2. In the identity provider admin console, create an OpenID Connect app.
  3. Find the Redirect URI section in the app, and copy and paste the Redirect URI value that you copied from the VMware Identity Services wizard.
  4. Create a client secret for the app, and copy it.

    You will enter the secret in the VMware Identity Services wizard in the next step.

  5. Return to the VMware Identity Services wizard in the Workspace ONE console, and complete the configuration in the Configure OpenID Connect section.
    • Client ID: Copy and paste the client ID value from the identity provider app.
    • Client Secret: Copy and paste the client secret from the identity provider app.
    • Configuration URL: Copy and paste the OpenID Connect well-known configuration URL of the identity provider app. For example: https://example.com/.well-known/openid-configuration
    • OIDC User Identifier Attribute: Specify the OpenID Connect attribute to map to the Workspace ONE attribute for user lookups.
    • Workspace ONE User Identifier Attribute: Specify the Workspace ONE attribute to map to the OpenID Connect attribute for user lookups.
  6. In the VMware Identity Services wizard, click Finish to complete setting up the integration between VMware Identity Services and your identity provider.
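Before entering the Configuration URL and the OIDC User Identifier Attribute in the wizard, it is useful to confirm that the identity provider's discovery document is what you expect. The following checker is an added example, not VMware's code: it parses a discovery document of the kind served at a well-known configuration URL, verifies that the `issuer` matches the URL (per OpenID Connect Discovery, the document lives at issuer + `/.well-known/openid-configuration`), that the endpoints are present and use HTTPS, that the authorization code flow and a real signing algorithm are offered, and that the claim you plan to use as the user identifier is one the provider advertises. The document embedded below is constructed for the example; in practice you fetch it from the provider.

```python
# Added example (not VMware's code): sanity-check an OpenID Connect discovery
# document before using its URL as the Configuration URL in Step 5, and check
# that the claim chosen as the OIDC User Identifier Attribute is advertised.
import json
from typing import List
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed discovery document for the example; a real one is fetched from the provider
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["sub", "email", "preferred_username", "name"],
})


def check_discovery_document(config_url: str, document: str,
                             user_identifier_claim: str) -> List[str]:
    """Return the problems found; an empty list means the document passed every check."""
    problems: List[str] = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"document is not valid JSON: {exc}"]

    url = urlsplit(config_url)
    if url.scheme != "https":
        problems.append("configuration URL must use https")
    if url.path.endswith(WELL_KNOWN_SUFFIX):
        issuer_path = url.path[: -len(WELL_KNOWN_SUFFIX)]
    else:
        problems.append(f"configuration URL does not end in {WELL_KNOWN_SUFFIX}")
        issuer_path = url.path
    # The issuer in the document must be the origin and path the URL was derived from;
    # a mismatch means tokens would be validated against a different issuer than expected
    expected_issuer = f"{url.scheme}://{url.netloc}{issuer_path}"
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match configuration URL (expected {expected_issuer!r})")

    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif not value.startswith("https://"):
            problems.append(f"{key} is not https: {value}")

    # The authorization code flow needs response_type 'code'
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type 'code'")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs:
        problems.append("no ID token signing algorithms advertised")
    if "none" in algs:
        problems.append("provider advertises the 'none' ID token signing algorithm")

    claims = doc.get("claims_supported")
    if claims is not None and user_identifier_claim not in claims:
        problems.append(f"user identifier claim {user_identifier_claim!r} is not in claims_supported")
    return problems


if __name__ == "__main__":
    # The claim name 'email' is an assumption for the example; pick the one you map in the wizard
    result = check_discovery_document(
        "https://idp.example.com" + WELL_KNOWN_SUFFIX, SAMPLE_DISCOVERY_JSON, "email")
    print(result or "discovery document OK")
```

`claims_supported` is optional in the specification, so the check only fails on it when the provider publishes the list; if the list is absent, confirm the claim with the provider's documentation.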

SAML

If you selected SAML as the authentication protocol, follow these steps.

  1. Get the service provider metadata from the Workspace ONE console.

    From step 5, Configure SAML Single Sign-On, of the VMware Identity Services wizard, either copy or view and download the SAML service provider metadata.

  2. In the identity provider admin console, navigate to the single sign-on configuration page.
    Important: If you are integrating VMware Identity Services with Okta, you must create a separate SAML app in Okta for authentication. You cannot use the same app for provisioning and authentication.
  3. Configure single sign-on using values from the VMware Identity Services wizard.

    Typical configuration steps include one of the following, based on what the identity provider supports:

    • Find the Service Provider metadata option, and upload or copy and paste the SAML service provider metadata from the VMware Identity Services wizard.
    • If the identity provider does not have an option for uploading the metadata, copy and paste the following values from the VMware Identity Services SAML service provider metadata to the corresponding fields in the identity provider console:

      entityID value: For example, https://yourVMwareIdentityServicesFQDN/SAAS/API/1.0/GET/metadata/sp.xml.

      AssertionConsumerService HTTP-POST Location value: For example, https://yourVMwareIdentityServicesFQDN/SAAS/auth/saml/response.

  4. Find and copy the Identity Provider SAML metadata from the identity provider console.
  5. In the Workspace ONE console, in step 5, Configure SAML Single Sign-On, of the VMware Identity Services wizard, paste the Identity Provider metadata into the Identity provider metadata text box.
    ""
  6. Configure the rest of the options in the Configure SAML Single Sign-On section.
    • Single sign-out: Select this option if you want to log users out of their identity provider session after they sign out of Workspace ONE Intelligent Hub.
    • Binding protocol: Select the SAML binding protocol, HTTP POST or HTTP Redirect.
    • Name ID format: Specify the Name ID format to use to map users between your identity provider and Workspace ONE services.
    • Name ID value: Select the user attribute for users in Workspace ONE.
    • Send Subject in SAML request (when available): Select this option if you want the identity provider to send the subject to VMware Identity Services as a login hint, when available. If you select this option, you can also select Use Name ID format mapping for Subject.
    • Use Name ID format mapping for Subject: Select this option to use the Name ID format to map the login hint provided by the identity provider to the Name ID value.
      Caution: Enabling this option might increase the risk of a security vulnerability known as user enumeration.
  7. Click Finish in the wizard to complete setting up the integration between VMware Identity Services and your identity provider.
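The identity provider metadata pasted in step 5 and the options chosen in step 6 have to agree: the binding protocol you select must be one the provider actually publishes a SingleSignOnService for, the Name ID format must be one it advertises, and single sign-out needs a SingleLogoutService. The following parser and checker are an added example, not VMware's code. They read an identity provider EntityDescriptor with Python's standard XML library and report mismatches against the wizard choices. The metadata document is constructed for the example, and the certificate body is a placeholder rather than a real certificate.

```python
# Added example (not VMware's code): parse identity provider SAML metadata and
# check that the binding protocol, Name ID format and single sign-out options
# selected in the wizard are actually offered by the provider.
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Wizard option names mapped to the SAML binding URIs
BINDINGS = {
    "HTTP POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "HTTP Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Constructed metadata; the certificate content is a placeholder, not a real certificate
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> Dict:
    """Extract the values the wizard depends on from an identity provider EntityDescriptor."""
    # xml.etree does not resolve external entities; for metadata from an untrusted
    # source, defusedxml gives the same API with stricter parsing.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; was service provider metadata pasted by mistake?")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append((cert.text or "").strip())
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "slo": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)},
        "name_id_formats": [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certificates": signing_certs,
    }


def check_sso_settings(metadata: Dict, binding: str, name_id_format: str,
                       single_sign_out: bool) -> List[str]:
    """Return problems with the chosen wizard options for this provider; empty means consistent."""
    problems: List[str] = []
    binding_uri = BINDINGS.get(binding)
    if binding_uri is None:
        problems.append(f"unknown binding {binding!r}; choose one of {sorted(BINDINGS)}")
    elif binding_uri not in metadata["sso"]:
        problems.append(f"provider publishes no SingleSignOnService for {binding}")
    elif not metadata["sso"][binding_uri].startswith("https://"):
        problems.append("SingleSignOnService location is not https")
    if metadata["name_id_formats"] and name_id_format not in metadata["name_id_formats"]:
        problems.append(f"provider does not advertise Name ID format {name_id_format}")
    if single_sign_out and not metadata["slo"]:
        problems.append("single sign-out selected but provider publishes no SingleLogoutService")
    if not metadata["signing_certificates"]:
        problems.append("no signing certificate in metadata; assertions could not be verified")
    return problems


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", md["entity_id"])
    print(check_sso_settings(md, "HTTP POST",
                             "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", True) or "settings OK")
```

The same parser can be pointed at the service provider metadata from the wizard to confirm the entityID and AssertionConsumerService values you copy by hand in step 3, by reading `md:SPSSODescriptor` instead of `md:IDPSSODescriptor`.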

Results

The integration between VMware Identity Services and your identity provider is complete.

The directory is created in VMware Identity Services and will be populated when you push users and groups from the provisioning app in the identity provider. Provisioned users and groups will automatically appear in the Workspace ONE services you choose to integrate with the identity provider, such as Workspace ONE Access and Workspace ONE UEM.

You cannot edit the directory in the Workspace ONE Access and Workspace ONE UEM consoles. Directory, users, user groups, user attributes, and identity provider pages are read-only.

What to do next

Next, select the Workspace ONE services to which you want to provision users and groups.

Then, push users and groups from your identity provider. See Provisioning Users to Workspace ONE.