After enabling VMware Identity Services for your Workspace ONE tenant, set up the integration with your SCIM 2.0-based identity provider.

  1. In the VMware Identity Services Getting Started wizard, click Start in step 2, Integrate a SCIM 2.0-Based Identity Provider.
  2. Click Set Up on the SCIM 2.0 Identity Provider card.
  3. Follow the wizard to set up the integration with your identity provider.

Step 1: Create a Directory

As the first step in setting up user provisioning and identity federation with VMware Identity Services, create a directory in the Workspace ONE Cloud console for users and groups provisioned from your identity provider.

Caution: After you create a directory, you cannot change your identity provider selection. Make sure that you select the appropriate identity provider before proceeding.

Procedure

  1. In step 1, General Information, of the wizard, enter the name that you want to use for the provisioned directory in Workspace ONE.
    The name can have a maximum length of 128 characters. Only the following characters are allowed: letters (a-z or equivalent in other languages), digits (0-9), space, hyphen (-), and underscore (_).
    Important: You cannot change the name of the directory after it is created.
  2. For Domain Name, enter the primary domain name of your source directory, including the extension such as .com or .net.
    VMware Identity Services currently supports only one domain. Provisioned users and groups are associated with this domain in Workspace ONE services.

    The domain name can have a maximum length of 100 characters. Only the following characters are allowed: letters (a-z or equivalent in other languages), digits (0-9), space, hyphen (-), underscore (_), and period (.).

    For example: the directory name is Demo and the domain name is example.com.
  3. Click Save, and confirm your selection.

What to do next

Set up user and group provisioning.

Step 2: Set up User and Group Provisioning

After you create a directory in VMware Identity Services, set up user and group provisioning. You start the process in VMware Identity Services by generating the admin credentials required for provisioning, then configure provisioning in the identity provider using those credentials.

Note: This information applies to any SCIM 2.0-based identity provider other than Microsoft Entra ID and Okta. To integrate VMware Identity Services with Microsoft Entra ID, see Integrating VMware Identity Services with Microsoft Entra ID. To integrate VMware Identity Services with Okta, see Integrating VMware Identity Services with Okta.
Note: This topic provides high-level information about configuring a third-party identity provider. The exact steps and locations for the tasks vary based on your identity provider. Refer to your identity provider's documentation for specific information.

Prerequisites

You have an administrator account in the identity provider with the privileges required to set up user provisioning.

Procedure

  1. In the Workspace ONE Cloud console, in step 2, Configure Identity Provider, of the VMware Identity Services wizard, select the type of credentials required to set up user provisioning in your identity provider.
    Choose between:
    • Client ID and secret
    • Tenant URL and token

    Because tokens expire and must be replaced manually, Client ID and secret is the preferred option. As a security best practice, rotate the client ID and client secret every six months.

    When you click Next, VMware Identity Services generates the credentials.
  2. If you selected Client ID and secret, copy the Client ID and Client Secret values.
    Important: Make sure that you copy the secret before clicking Next. After you click Next, the secret will no longer be visible and you will have to generate a new secret. Be aware that whenever you regenerate the secret, the previous secret becomes invalid and provisioning fails. Make sure that you copy and paste the new secret to the identity provider app.

    For example: the Client ID and Client Secret values appear with a copy icon next to them.
  3. If you selected Tenant URL and token, review and copy the generated values.
    • Tenant URL: Your VMware Identity Services tenant's SCIM 2.0 endpoint. Copy the value.
    • Token lifespan: The period for which the secret token is valid.

      VMware Identity Services generates the token with a default lifespan of 6 months. To change the token lifespan, click the down arrow, select another option, and click Regenerate to regenerate the token with the new value.

      Important: Whenever you update the token lifespan, the previous token becomes invalid and provisioning of users and groups from the identity provider fails. You must regenerate a new token and copy and paste the new token to the identity provider.
    • Secret token: The token required by the identity provider to provision users to Workspace ONE. Copy the value.
      Important: Make sure you copy the token before clicking Next. After you click Next, the token will no longer be visible and you will have to generate a new token. Be aware that whenever you regenerate the token, the previous token becomes invalid and provisioning fails. Make sure that you copy and paste the new token to the identity provider.

    For example: the Tenant URL and Secret Token values appear, with a token lifespan of 6 months.
    When the token is about to expire, a banner notification will appear in the Workspace ONE Cloud console. If you also want to receive email notifications, make sure that the Email check box is selected for the Workspace ONE Access and Identity Services Secret Token Expirations setting. You can find the setting on the Notification Settings page in the Workspace ONE Cloud console.
  4. In your identity provider, set up user and group provisioning to Workspace ONE.
    1. Log into your identity provider console as an administrator.
    2. Set up SCIM 2.0 provisioning.
      When prompted, enter the credentials that you generated in the Workspace ONE Cloud console.
    3. Activate the provisioning.

What to do next

Return to the Workspace ONE Cloud console to continue with the VMware Identity Services wizard.

Step 3: Map SCIM User Attributes

Map the user attributes to synchronize from your identity provider to Workspace ONE services. In your identity provider console, add the required SCIM user attributes and map them to your identity provider attributes. At a minimum, synchronize the attributes that VMware Identity Services and Workspace ONE services require.

VMware Identity Services and Workspace ONE services require the following SCIM user attributes:

  • userName
  • emails
  • name.givenName
  • name.familyName
  • externalId
  • active

For more information about these attributes and their mapping to Workspace ONE attributes, see User Attribute Mapping for VMware Identity Services.

In addition to the required attributes, you can synchronize optional attributes and custom attributes. For the list of supported optional and custom attributes, see User Attribute Mapping for VMware Identity Services.

Procedure

  1. In the Workspace ONE Cloud console, in step 3, Map SCIM User Attributes, of the VMware Identity Services wizard, review the list of attributes that VMware Identity Services supports.
  2. In your identity provider admin console, navigate to the provisioning configuration for Workspace ONE.
  3. Navigate to the attribute mapping page.
  4. Map the required SCIM user attributes to your identity provider attributes.
  5. Add and map optional and custom SCIM user attributes, as needed.
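The mapping step above is easier to reason about with a concrete SCIM 2.0 User resource in hand. The following is an added example, not VMware's code or any identity provider's export: it maps a constructed identity-provider user record to a SCIM 2.0 User through a hypothetical mapping table and then checks that every attribute the text lists as required (userName, emails, name.givenName, name.familyName, externalId, active) is present and well-formed before the record is pushed. The IdP attribute names (login, mail, firstName, and so on) and the sample user are assumptions for illustration.

```python
"""Map an identity-provider user record to a SCIM 2.0 User resource and
check the attributes VMware Identity Services requires.

Added example, not VMware's code. The IdP record layout, the mapping table
and the sample user are constructed; the required-attribute list comes
from the documentation above.
"""
import json
from typing import Any

# Attributes the documentation lists as required for VMware Identity Services.
REQUIRED_SCIM_ATTRIBUTES = (
    "userName", "emails", "name.givenName", "name.familyName",
    "externalId", "active",
)

# Hypothetical IdP attribute name -> SCIM path. Real IdPs expose their own names.
IDP_TO_SCIM = {
    "login": "userName",
    "mail": "emails",
    "firstName": "name.givenName",
    "lastName": "name.familyName",
    "objectId": "externalId",
    "enabled": "active",
}


def _set_path(resource: dict, path: str, value: Any) -> None:
    """Assign value at a dotted SCIM path such as name.givenName."""
    parts = path.split(".")
    node = resource
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def _get_path(resource: dict, path: str) -> Any:
    """Read a dotted SCIM path; None when any segment is missing."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def build_scim_user(idp_user: dict, mapping: dict = IDP_TO_SCIM) -> dict:
    """Build a SCIM 2.0 User resource from an IdP record using the mapping."""
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for idp_attr, scim_path in mapping.items():
        if idp_attr not in idp_user:
            continue  # left out; validate_scim_user reports it if required
        value = idp_user[idp_attr]
        if scim_path == "emails":
            # SCIM models emails as a multi-valued attribute with a primary entry.
            value = [{"value": value, "primary": True, "type": "work"}]
        elif scim_path == "active":
            value = bool(value)  # SCIM active is a boolean, not 0/1
        _set_path(user, scim_path, value)
    return user


def validate_scim_user(user: dict) -> list:
    """Return a list of problems; an empty list means the resource is acceptable."""
    problems = []
    for path in REQUIRED_SCIM_ATTRIBUTES:
        value = _get_path(user, path)
        if value is None or value == "" or value == []:
            problems.append(f"missing required attribute {path}")
    emails = user.get("emails")
    if isinstance(emails, list) and emails and not any(e.get("primary") for e in emails):
        problems.append("no primary email address")
    if "active" in user and not isinstance(user["active"], bool):
        problems.append("active must be a boolean")
    return problems


# Constructed sample IdP record (no real user).
SAMPLE_IDP_USER = {
    "login": "jdoe@example.com",
    "mail": "jdoe@example.com",
    "firstName": "Jane",
    "lastName": "Doe",
    "objectId": "3f0c1e2a-constructed-id",
    "enabled": 1,
}

if __name__ == "__main__":
    scim_user = build_scim_user(SAMPLE_IDP_USER)
    print(json.dumps(scim_user, indent=2))
    print("problems:", validate_scim_user(scim_user))
    # A record whose IdP side lacks objectId produces no externalId and fails validation.
    partial = {k: v for k, v in SAMPLE_IDP_USER.items() if k != "objectId"}
    print("problems:", validate_scim_user(build_scim_user(partial)))
```

Running a check like this over an export of the identity provider's users before activating provisioning surfaces accounts that would be rejected or silently created without an externalId, which is what later lets the provider update or deactivate the right Workspace ONE user.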

What to do next

Return to the Workspace ONE Cloud console to continue with the VMware Identity Services wizard.

Step 4: Select the Authentication Protocol

Select the protocol to use for federated authentication. VMware Identity Services supports the OpenID Connect and SAML protocols.

Caution: Make your choice carefully. After you select the protocol and configure authentication, you cannot change the type of protocol without deleting the directory.

Procedure

  1. In step 4, Select Authentication Protocol, of the wizard, select OpenID Connect or SAML.
  2. Click Next.
    The next step of the wizard appears with the values required to configure the protocol you selected.

What to do next

Configure VMware Identity Services and the identity provider for federated authentication.

Step 5: Configure Authentication (Generic SCIM Identity Provider)

To configure federated authentication with your identity provider, you set up an OpenID Connect or SAML app in the identity provider using the service provider metadata from VMware Identity Services, and configure VMware Identity Services with the values from the app.

Note: This topic provides high-level information about configuring a third-party identity provider. The exact steps for the tasks vary based on your identity provider. Refer to your identity provider's documentation for specific information.

OpenID Connect

If you selected OpenID Connect as the authentication protocol, follow these steps.

  1. From step 5, Configure OpenID Connect, of the VMware Identity Services wizard, copy the Redirect URI value.

    You need this value for the next step, when you create an OpenID Connect app in your identity provider.

    ""

  2. In the identity provider admin console, create an OpenID Connect app.
  3. Find the Redirect URI section in the app, and copy and paste the Redirect URI value that you copied from the VMware Identity Services wizard.
  4. Create a client secret for the app, and copy it.

    You will enter the secret in the VMware Identity Services wizard in the next step.

  5. Return to the VMware Identity Services wizard in the Workspace ONE Cloud console, and complete the configuration in the Configure OpenID Connect section.
    • Client ID: Copy and paste the client ID value from the identity provider app.
    • Client Secret: Copy and paste the client secret from the identity provider app.
    • Configuration URL: Copy and paste the OpenID Connect well-known configuration URL of the identity provider app. For example: https://example.com/.well-known/openid-configuration
    • OIDC User Identifier Attribute: Specify the OpenID Connect attribute to map to the Workspace ONE attribute for user lookups.
    • Workspace ONE User Identifier Attribute: Specify the Workspace ONE attribute to map to the OpenID Connect attribute for user lookups.
  6. In the VMware Identity Services wizard, click Finish to complete setting up the integration between VMware Identity Services and your identity provider.
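Before pasting a Configuration URL into the wizard it is worth confirming that the discovery document behind it is usable: that it carries the endpoints a relying party needs, that they are all HTTPS, that its issuer matches the URL it is served from, and that the claim you intend to use as the OIDC User Identifier Attribute is one the provider advertises. The following is an added example, not VMware's code: it checks a constructed discovery document for a hypothetical provider at https://idp.example.com. In practice you would fetch the real well-known URL over HTTPS and pass its body to the same function.

```python
"""Sanity-check an OpenID Connect discovery document before configuring
the Configure OpenID Connect step.

Added example, not VMware's code. SAMPLE_DISCOVERY is a constructed
document shaped like a /.well-known/openid-configuration response for
the hypothetical provider https://idp.example.com.
"""
import json
from urllib.parse import urlparse

SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "response_types_supported": ["code", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["sub", "email", "preferred_username"],
})

# Fields a relying party cannot work without.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(config_url: str, document: str, user_id_claim: str) -> list:
    """Return problems found in the discovery document; [] means it looks usable.

    config_url is the well-known URL pasted into the wizard; user_id_claim is the
    claim intended as the OIDC User Identifier Attribute.
    """
    problems = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    for field in REQUIRED_FIELDS:
        if not doc.get(field):
            problems.append(f"missing {field}")

    # Every endpoint must be https; a plain-http endpoint would expose codes and tokens.
    for field, value in doc.items():
        if field.endswith(("_endpoint", "_uri", "issuer")) and isinstance(value, str):
            if urlparse(value).scheme != "https":
                problems.append(f"{field} is not https: {value}")

    # OIDC Discovery: the document is served at issuer + /.well-known/openid-configuration,
    # and a relying party must reject a document whose issuer does not match.
    issuer = doc.get("issuer", "")
    expected_url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    if issuer and config_url.rstrip("/") != expected_url:
        problems.append(f"issuer {issuer} does not match configuration URL {config_url}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised in response_types_supported")
    # claims_supported is optional in discovery; only check it when present.
    claims = doc.get("claims_supported")
    if claims is not None and user_id_claim not in claims:
        problems.append(f"claim {user_id_claim} not advertised in claims_supported")
    return problems


if __name__ == "__main__":
    url = "https://idp.example.com/.well-known/openid-configuration"
    print(check_discovery(url, SAMPLE_DISCOVERY, "email"))
    print(check_discovery("https://other.example.net/.well-known/openid-configuration",
                          SAMPLE_DISCOVERY, "upn"))
```

The issuer comparison is the check that matters most for security: a relying party that accepts a document whose issuer differs from the URL it came from will also accept ID tokens minted for a different issuer.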

SAML

If you selected SAML as the authentication protocol, follow these steps.

  1. Get the service provider metadata from the Workspace ONE Cloud console.

    From step 5, Configure SAML Single Sign-On, of the VMware Identity Services wizard, either copy or download the SAML service provider metadata.

  2. In the identity provider admin console, navigate to the single sign-on configuration page.
  3. Configure single sign-on using values from the VMware Identity Services wizard.

    Typical configuration steps include one of the following, based on what the identity provider supports:

    • Find the Service Provider metadata option, and upload or copy and paste the SAML service provider metadata from the VMware Identity Services wizard.
    • If the identity provider does not have an option for uploading the metadata file, or if you prefer to configure settings individually, copy and paste the following values from step 5 of the VMware Identity Services wizard to the corresponding fields in the identity provider console:

      Entity ID value: For example, https://yourVMwareIdentityServicesFQDN/SAAS/API/1.0/GET/metadata/sp.xml.

      Single sign-on URL value: For example, https://yourVMwareIdentityServicesFQDN/SAAS/auth/saml/response.

      Signing Certificate

      Encryption certificate (under Advanced options): Required if you plan to enable SAML encryption in the identity provider.

  4. Find and copy the Identity Provider SAML metadata from the identity provider console.
  5. In the Workspace ONE Cloud console, in step 5, Configure SAML Single Sign-On, of the VMware Identity Services wizard, paste the Identity Provider metadata into the Identity provider metadata text box.
    ""
  6. Configure the rest of the options in the Configure SAML Single Sign-On section, as required.
    • Binding protocol: Select the SAML binding protocol, HTTP POST or HTTP Redirect.
    • Name ID format: Use the Name ID format and Name ID value settings to map users between your identity provider and VMware Identity Services. For Name ID format, specify the Name ID format used in the SAML response.
    • Name ID value: Select the VMware Identity Services user attribute to which to map the Name ID value received in the SAML response.
    • Send Subject in SAML request (when available): Select this option if you want to send the subject to the identity provider as a login hint to improve the user login experience, when available.
    • Use Name ID format mapping for Subject: Select this option if you want to apply the Name ID format and Name ID value mapping to the subject in the SAML request. This option is used with the Send Subject in SAML request (when available) option.
      Caution: Enabling this option might increase the risk of a security vulnerability known as user enumeration.
    • Use SAML single logout: Select this option if you want to log users out of their identity provider session after they log out of Workspace ONE services.
    • Identity provider single logout URL: If your identity provider does not support SAML single logout, you can use this option to specify the URL to which to redirect users after they log out of Workspace ONE services. If you use this option, also select the Use SAML single logout check box.

      If you leave this option blank, users are redirected to the identity provider using SAML single logout.

  7. Click Finish in the wizard to complete setting up the integration between VMware Identity Services and your identity provider.
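The values that step 3 asks you to copy individually (entity ID, single sign-on URL, signing and encryption certificates) are all fields of the SAML metadata the wizard exports, and the identity provider metadata pasted in step 5 carries the counterpart fields that decide whether the Binding protocol and Use SAML single logout options in step 6 can work. The following is an added example, not VMware's code or export: it parses constructed SP and IdP metadata, pulls out those values, and flags wizard choices the identity provider's metadata cannot satisfy. The FQDN follows the placeholder in the text, and the certificate bodies and the identity provider at idp.example.com are assumptions.

```python
"""Extract the SAML values referenced above from metadata and check identity
provider metadata against the wizard options.

Added example, not VMware's code. Both metadata documents are constructed;
certificate bodies are placeholders. Use defusedxml rather than
xml.etree for metadata you did not produce yourself.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Binding URIs mapped to the names the wizard's Binding protocol option uses.
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP POST",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect"}

# Constructed service provider metadata shaped like the wizard's export.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://yourVMwareIdentityServicesFQDN/SAAS/API/1.0/GET/metadata/sp.xml">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...SIGNING-PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...ENCRYPTION-PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://yourVMwareIdentityServicesFQDN/SAAS/auth/saml/response" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed identity provider metadata: Redirect-only SSO endpoint, no single logout.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...IDP-SIGNING-PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_metadata(xml_text: str) -> dict:
    """Return entity ID, role, endpoints and certificates from SAML 2.0 metadata."""
    root = ET.fromstring(xml_text)
    role, role_name = root.find("md:SPSSODescriptor", NS), "SP"
    if role is None:
        role, role_name = root.find("md:IDPSSODescriptor", NS), "IDP"
    if role is None:
        raise ValueError("no SPSSODescriptor or IDPSSODescriptor in metadata")
    endpoints = []
    for tag in ("AssertionConsumerService", "SingleSignOnService", "SingleLogoutService"):
        for ep in role.findall(f"md:{tag}", NS):
            endpoints.append({"service": tag, "location": ep.get("Location"),
                              "binding": BINDINGS.get(ep.get("Binding"), ep.get("Binding"))})
    certs = {}
    for kd in role.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        body = "".join(cert.text.split()) if cert is not None and cert.text else None
        # A KeyDescriptor without a use attribute serves both signing and encryption.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            certs[use] = body
    return {"entity_id": root.get("entityID"), "role": role_name,
            "endpoints": endpoints, "certs": certs}


def check_idp_against_wizard(idp_xml: str, binding: str, use_single_logout: bool) -> list:
    """Flag wizard choices (Binding protocol, Use SAML single logout) the IdP cannot satisfy."""
    summary, problems = summarize_metadata(idp_xml), []
    if summary["role"] != "IDP":
        problems.append("pasted metadata is not identity provider metadata")
    sso = {e["binding"] for e in summary["endpoints"] if e["service"] == "SingleSignOnService"}
    if binding not in sso:
        problems.append(f"identity provider offers no SingleSignOnService with binding {binding}")
    if use_single_logout and not any(e["service"] == "SingleLogoutService" for e in summary["endpoints"]):
        problems.append("Use SAML single logout selected but metadata has no SingleLogoutService; "
                        "set Identity provider single logout URL instead")
    if not summary["certs"].get("signing"):
        problems.append("no signing certificate; SAML responses cannot be verified")
    return problems


if __name__ == "__main__":
    sp = summarize_metadata(SP_METADATA)
    print("Entity ID:", sp["entity_id"])
    print("Single sign-on URL:", sp["endpoints"][0]["location"], "via", sp["endpoints"][0]["binding"])
    print("Certificates present:", sorted(sp["certs"]))
    print(check_idp_against_wizard(IDP_METADATA, "HTTP POST", True))
```

The second check reproduces the situation the Identity provider single logout URL option exists for: an identity provider whose metadata lists no SingleLogoutService cannot honour a SAML logout request, so the post-logout redirect URL has to be supplied by hand.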

Results

The integration between VMware Identity Services and your identity provider is complete.

The directory is created in VMware Identity Services and will be populated when you push users and groups from the provisioning app in the identity provider. Provisioned users and groups will automatically appear in the Workspace ONE services you choose to integrate with the identity provider, such as Workspace ONE Access and Workspace ONE UEM.

You cannot edit the directory in the Workspace ONE Access and Workspace ONE UEM consoles. Directory, users, user groups, user attributes, and identity provider pages are read-only.

What to do next

Next, select the Workspace ONE services to which you want to provision users and groups.

Then, push users and groups from your identity provider. See Provisioning Users to Workspace ONE.