VMware Identity Services is a new cloud service for integrating VMware products with third-party cloud-based identity providers such as Microsoft Azure Active Directory for user provisioning and identity federation. This document covers VMware Identity Services for VMware Workspace ONE®, which provides centralized user management across Workspace ONE services.

Key features of VMware Identity Services include:

  • SCIM 2.0 User Provisioning

    VMware Identity Services is based on the System for Cross-domain Identity Management (SCIM) 2.0 protocol, which is a standard for managing user identities in cloud-based applications and services. VMware Identity Services supports any SCIM 2.0-based cloud identity provider.

  • Identity federation using OpenID Connect or SAML 2.0

    You can configure federated authentication with your third-party identity provider using either OpenID Connect or SAML 2.0.

  • Centralized user management across Workspace ONE services

    With VMware Identity Services, you create a single provisioned directory in the Workspace ONE console. Users and groups are provisioned from your identity provider to VMware Identity Services, and are then provisioned automatically from VMware Identity Services to the Workspace ONE services that you select. VMware Identity Services currently supports VMware Workspace ONE® Access™ and VMware Workspace ONE® UEM.

    You manage the directory from the Workspace ONE console. Directory, users, user groups, user attributes, and identity provider settings in Workspace ONE Access and Workspace ONE UEM are read-only.

  • No connector requirement

    You do not need to deploy the VMware Workspace ONE Access Connector or the VMware AirWatch Cloud Connector on-premises to integrate VMware Identity Services with cloud identity providers.
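To make the SCIM 2.0 provisioning flow described above concrete, the following is an added example of what a SCIM 2.0 service provider does when an identity provider pushes users to it: authenticate the caller with a bearer token, validate the core User schema, enforce userName uniqueness, and answer with SCIM-shaped resources, list responses and errors. It is illustrative code written for this page, not VMware Identity Services code; the in-memory store, the `PROVISIONING_TOKEN` value and the filter subset it accepts (`userName eq "..."`) are assumptions for the example.

```python
"""Minimal in-memory SCIM 2.0 /Users service provider (hypothetical example)."""
import re
import secrets
import uuid
from typing import Any, Dict, Optional

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed sample token; a real service issues one per identity-provider connection.
PROVISIONING_TOKEN = "constructed-sample-token"

# Supported SCIM filter subset for this example: userName eq "value"
_FILTER_RE = re.compile(r'^userName\s+eq\s+"([^"]*)"$')


def scim_error(status: int, detail: str, scim_type: Optional[str] = None) -> Dict[str, Any]:
    """Build an RFC 7644 style error response."""
    body: Dict[str, Any] = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return {"status": status, "body": body}


class ScimUserStore:
    """Holds provisioned User resources keyed by their server-assigned id."""

    def __init__(self) -> None:
        self._users: Dict[str, Dict[str, Any]] = {}

    def _authorized(self, headers: Dict[str, str]) -> bool:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return False
        # Constant-time comparison so token bytes do not leak through timing.
        return secrets.compare_digest(auth[len("Bearer "):], PROVISIONING_TOKEN)

    def create_user(self, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        """POST /Users: validate the pushed resource and store it."""
        if not self._authorized(headers):
            return scim_error(401, "invalid or missing bearer token")
        if USER_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "core User schema is required", "invalidValue")
        user_name = body.get("userName")
        if not isinstance(user_name, str) or not user_name.strip():
            return scim_error(400, "userName is required", "invalidValue")
        if any(u["userName"].lower() == user_name.lower() for u in self._users.values()):
            return scim_error(409, "userName already exists", "uniqueness")
        # Copy only known attributes; id and meta are always server-assigned.
        resource: Dict[str, Any] = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),
            "externalId": body.get("externalId"),
            "userName": user_name,
            "active": bool(body.get("active", True)),
            "name": body.get("name", {}),
            "emails": body.get("emails", []),
            "meta": {"resourceType": "User"},
        }
        self._users[resource["id"]] = resource
        return {"status": 201, "body": resource}

    def list_users(self, headers: Dict[str, str], filter_expr: Optional[str] = None) -> Dict[str, Any]:
        """GET /Users[?filter=...]: return a ListResponse, rejecting unsupported filters."""
        if not self._authorized(headers):
            return scim_error(401, "invalid or missing bearer token")
        results = list(self._users.values())
        if filter_expr is not None:
            match = _FILTER_RE.match(filter_expr.strip())
            if not match:
                return scim_error(400, "unsupported filter expression", "invalidFilter")
            wanted = match.group(1).lower()
            results = [u for u in results if u["userName"].lower() == wanted]
        return {
            "status": 200,
            "body": {
                "schemas": [LIST_SCHEMA],
                "totalResults": len(results),
                "startIndex": 1,
                "itemsPerPage": len(results),
                "Resources": results,
            },
        }


if __name__ == "__main__":
    # Constructed push from an identity provider, followed by a lookup by userName.
    store = ScimUserStore()
    headers = {"Authorization": "Bearer " + PROVISIONING_TOKEN}
    pushed = {"schemas": [USER_SCHEMA], "externalId": "ext-1001", "userName": "jdoe@example.com",
              "name": {"givenName": "Jane", "familyName": "Doe"},
              "emails": [{"value": "jdoe@example.com", "primary": True}]}
    print(store.create_user(headers, pushed)["status"])          # 201
    print(store.create_user(headers, pushed)["status"])          # 409, duplicate userName
    print(store.list_users(headers, 'userName eq "jdoe@example.com"')["body"]["totalResults"])  # 1
```

The points worth carrying into a real deployment are the ones the example enforces: the provisioning endpoint only acts on a valid bearer token, unknown schemas and missing `userName` values are rejected with SCIM error bodies rather than stored, `id` and `meta` are never taken from the client, and uniqueness is checked case-insensitively so the same account cannot be provisioned twice under different letter cases.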

You set up and manage VMware Identity Services from the Workspace ONE console. No configuration is required in the Workspace ONE Access and Workspace ONE UEM consoles.

Note: VMware Identity Services is not available for VMware Managed Services Provider customers at this time.

Supported Identity Providers

VMware Identity Services supports the following cloud-based identity providers:

  • Microsoft Azure Active Directory (Azure AD)
  • Any generic SCIM 2.0 identity source (integration with Okta has been tested)
Note: Direct integration with Active Directory is not supported.

Supported Workspace ONE Services

You can configure VMware Identity Services for the following Workspace ONE cloud services:

  • Workspace ONE Access Cloud service
  • Workspace ONE UEM 2212 or later
Important: VMware Identity Services is supported for new Workspace ONE tenants only.

Key Considerations

  • VMware Identity Services is available for new Workspace ONE tenants only.
  • VMware Identity Services currently supports Workspace ONE Access and Workspace ONE UEM.
  • You can only integrate a single directory with VMware Identity Services.
  • You can only configure one domain.
  • You must set up provisioning and authentication with the same identity provider. Integration with multiple identity providers is not supported.
  • VMware Identity Services does not support local administrators, local users, or Just-in-Time users.

    All users in the directory are either users provisioned from your identity provider, or Workspace ONE service administrators provisioned from VMware Cloud Services.

  • VMware Identity Services does not support direct integration with Active Directory or other LDAP directories.
  • You must have an administrator account in the Workspace ONE service to set up VMware Identity Services.
Note: When you select a service such as Workspace ONE Access or Workspace ONE UEM to use with VMware Identity Services and save your selection, you cannot deselect it and must contact VMware Support to make any changes.

Unsupported Workspace ONE Features

VMware Identity Services does not support the following features in Workspace ONE services.

Workspace ONE UEM

If VMware Identity Services is enabled for a tenant, the following features are not supported:

  • Non-SAML Flows (Password-grant flows)
    • Check-in and Check-out flows (for shared devices)
    • DEP flows
    • Username/Password Auth Type setting flow
    • PPKG enrollment flow
  • Directory Admin users

    Only VMware Cloud Services administrator users will be available.

  • Child organization group (OG) override if VMware Identity Services is configured for the top-level OGs
  • Just-in-time (JIT) users

    Users can only be added from the cloud identity provider.

Workspace ONE Access

If VMware Identity Services is enabled for a tenant, the following features are not supported:

  • Creation of local users, local administrators, or Just-in-time (JIT) users

    All users are either provisioned from your identity provider by VMware Identity Services, or are administrators provisioned from VMware Cloud Services.

  • People Search
  • Integration with Horizon Cloud
  • Integration with Horizon Enterprise
  • If you integrate Workspace ONE Access with Office 365, you cannot use federated authentication to the Azure identity provider. Only Workspace ONE Access-specific authentication methods, such as RSA SecurID, Hub MFA, Mobile SSO, and Certificate Auth, will be available. Office 365 Active Flow authentication is currently not supported.

Hub Services

If VMware Identity Services is enabled for a tenant, the following features are not supported:

  • People tab configurations
  • New Hire Onboarding configurations, including Onboarding templates
  • Digital Badge and Return to Work experience
  • Integration with Horizon Cloud Service on Microsoft Azure with Universal Broker

Workspace ONE Intelligent Hub

If VMware Identity Services is enabled, the following features are not available to users in the VMware Workspace ONE® Intelligent Hub app or web browser:

  • People tab
  • Digital Badge and Return to Work experience
  • New Hire Onboarding
  • Change password option for Workspace ONE Access users (who are not Okta users)
  • Apps and desktops from Horizon Cloud Service on Microsoft Azure with Universal Broker