After enabling VMware Identity Services for your Workspace ONE tenant, set up the integration with Azure AD.

  1. In the VMware Identity Services Getting Started wizard, click Start in step 2, Integrate a SCIM 2.0-Based Identity Provider.
  2. Click Set Up on the Microsoft Azure Active Directory card.
  3. Follow the wizard to set up the integration with Azure AD.

Step 1: Create a Directory

As the first step in setting up user provisioning and identity federation with VMware Identity Services, create a directory in the Workspace ONE console for users and groups provisioned from your identity provider.

Caution: After you create a directory, you cannot change your identity provider selection. Make sure that you select the appropriate identity provider before proceeding.

Procedure

  1. In step 1, General Information, of the wizard, enter the name that you want to use for the provisioned directory in Workspace ONE.
    The name can have a maximum length of 128 characters. Only the following characters are allowed: letters (a-z or equivalent in other languages), digits (0-9), space, hyphen (-), and underscore (_).
    Important: You cannot change the name of the directory after it is created.
  2. For Domain Name, enter the primary domain name of your source directory, including the extension such as .com or .net.
    VMware Identity Services currently supports only one domain. Provisioned users and groups are associated with this domain in Workspace ONE services.

    The domain name can have a maximum length of 100 characters. Only the following characters are allowed: letters (a-z or equivalent in other languages), digits (0-9), space, hyphen (-), underscore (_), and period (.).

    For example:

    In this example, the directory name is Demo and the domain name is example.com.
  3. Click Save, and confirm your selection.

What to do next

Set up user and group provisioning.

Step 2: Set up User and Group Provisioning

After you create a directory in VMware Identity Services, set up user and group provisioning. You start the process in VMware Identity Services by generating the admin credentials required for provisioning, then create a provisioning app in Azure AD to provision users and groups to Workspace ONE.

Important: The VMware Identity Services gallery app in the Azure AD app gallery is currently under testing and not yet supported. Create a new enterprise application.

Prerequisites

You have an administrator account in Azure AD with the privileges required to set up provisioning.

Procedure

  1. In the Workspace ONE console, after creating a directory, review and copy the values generated in step 2, Configure Azure Enterprise Application, of the wizard.
    You require these values to configure the provisioning app in Azure AD.
    • Tenant URL: Your VMware Identity Services tenant's SCIM 2.0 endpoint. Copy the value.
    • Token Lifespan: The period for which the secret token is valid.

      By default, VMware Identity Services generates the token with a lifespan of six months. To change the token lifespan, click the down arrow, select another option, and click Regenerate to regenerate the token with the new value.

      Important: Whenever you update the token lifespan, the previous token becomes invalid and provisioning of users and groups from Azure AD fails. You must regenerate a new token and copy and paste the new token to the Azure AD app.
    • Secret token: The token required by Azure AD to provision users to Workspace ONE. Copy the value by clicking the copy icon.
      Important: Make sure you copy the token before clicking Next. After you click Next, the token will no longer be visible and you will have to generate a new token. If you regenerate the token, the previous token becomes invalid and provisioning fails. Make sure that you copy and paste the new token to the Azure AD app.

    For example:

    Step 2 displays a tenant URL, a token lifespan of 6 months, and a secret token.
  2. Create the provisioning app in Azure AD.
    1. Log in to the Azure Active Directory admin center.
    2. Select Enterprise applications in the left navigation pane.
    3. On the Enterprise applications page, click + New application.
      ""
    4. On the Browse Azure AD Gallery page, click + Create your own application.
      Important: The VMware Identity Services gallery app is currently under testing and not yet supported. Create a new enterprise application.
    5. In the Create your own application pane, select Integrate any other application you don't find in the gallery (Non-gallery), enter a name for the application, and click Create.
      The What's the name of your app text box has the example value scim-demo-app2.
    6. After the application is created, select Provisioning from the Manage menu, and click Get Started.
    7. On the Provisioning page, for Provisioning Mode, select Automatic.
    8. Under Admin Credentials, enter the Tenant URL and Secret Token that you copied from the Configure Azure Enterprise Application step of the Workspace ONE wizard.
      For example:
      Provisioning mode is Automatic. The Tenant URL and Secret Token text boxes have the values copied from Workspace ONE.
    9. Click Test Connection.
    10. Make sure the following message appears:
      The supplied credentials are enabled to authorize provisioning.

      If you get an error, regenerate the secret token in the VMware Identity Services wizard and copy and paste it into the Azure app. Then, click Test Connection again.

    11. Click Save to save the application.

What to do next

Return to the Workspace ONE console to continue with the VMware Identity Services wizard.

Step 3: Map SCIM User Attributes

Map the user attributes to synchronize from Azure AD to Workspace ONE services. In the Azure Active Directory admin center, add the SCIM user attributes and map them to Azure AD attributes. At a minimum, synchronize the attributes that VMware Identity Services and Workspace ONE services require.

VMware Identity Services and Workspace ONE services require the following SCIM user attributes:

Azure Active Directory Attribute                              SCIM User Attribute (Required)
userPrincipalName                                             userName
mail                                                          emails
givenName                                                     name.givenName
surname                                                       name.familyName
objectId                                                      externalId
Switch([IsSoftDeleted], , "False", "True", "True", "False")   active

Note: The table shows the typical mapping between the required SCIM attributes and Azure AD attributes. However, you can map the SCIM attributes to different Azure AD attributes than those listed here.

For more information about these attributes and how they map to Workspace ONE attributes, see User Attribute Mapping for VMware Identity Services.

In addition to the required attributes, you can synchronize optional attributes and custom attributes. For the list of supported optional and custom attributes, see User Attribute Mapping for VMware Identity Services.

Procedure

  1. In the Workspace ONE console, in step 3, Map SCIM User Attributes, of the wizard, review the list of attributes that VMware Identity Services supports.
  2. In the Azure Active Directory admin center, navigate to the provisioning app you created for user provisioning to VMware Identity Services.
  3. From the Manage menu, select Provisioning.
  4. Under Manage Provisioning, click Edit attribute mappings.

    ""
  5. On the Provisioning page, in the Mappings section, make the following selections.
    • Set Provision Azure Active Directory Groups to Yes.
    • Set Provision Azure Active Directory Users to Yes.
    • Set Provisioning Status to On.

    ""
  6. Click the Provision Azure Active Directory Users link.
  7. On the Attribute Mapping page, specify the required attribute mappings between Azure AD attributes and SCIM attributes (customappsso attributes).
    The required attributes are included in the Attribute Mappings table by default. Review and update the mappings, as needed.
    1. Click the attribute in the Attribute Mappings table.
    2. Edit the mapping. For Source attribute, select the Azure AD attribute and for Target attribute, select the SCIM attribute.

      For example:


      objectId is selected as the source attribute, and externalId is selected as the target attribute.
    Tip: In a new Azure AD SCIM provisioning app, the default mapping for the SCIM externalId attribute is mailNickname. Changing the mapping from mailNickname to objectId is recommended.
  8. Map optional user attributes supported by VMware Identity Services and Workspace ONE services, if needed.
    • Many of the optional attributes already appear in the Azure AD app. If the attribute appears in the Attributes Mapping table, click on it to edit the mapping. Otherwise, click Add New Mapping and specify the mapping. For Source attribute, select the Azure AD attribute and for Target attribute, select the SCIM attribute.
    • To add attributes that are part of the VMware Identity Services schema extension (attributes that have urn:ietf:params:scim:schemas:extension:ws1b: in their path):
      1. On the Attribute Mapping page, select the Show advanced options check box at the bottom of the page and click Edit attribute list for customappsso. Add the SCIM attribute, and click Save.

        Make sure that you use the full SCIM attribute path, for example, urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:userPrincipalName.

      2. On the Attribute Mapping page, click Add New Mapping and specify the mapping for the new attribute. For Source attribute, select the Azure AD attribute and for Target attribute, select the SCIM attribute.
    See the list of optional SCIM attributes supported by VMware Identity Services and how they map to Workspace ONE attributes in User Attribute Mapping for VMware Identity Services.
  9. Map custom user attributes supported by VMware Identity Services and Workspace ONE services, if needed.
    1. On the Attribute Mapping page, select the Show advanced options check box at the bottom of the page, click Edit attribute list for customappsso, add the custom SCIM attribute at the bottom of the attribute list, and click Save.

      Make sure that you use the full SCIM attribute path, for example, urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute3.


      A custom attribute, urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute3, is added.
    2. On the Attribute Mapping page, click Add New Mapping and specify the mapping for the custom SCIM attribute. For Source attribute, select the Azure AD attribute and for Target attribute, select the custom SCIM attribute that you added.
    See the list of custom SCIM attributes supported by VMware Identity Services and how they map to Workspace ONE attributes in User Attribute Mapping for VMware Identity Services.
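The following added example (not VMware or Microsoft code) builds the SCIM user resource that the required mappings in the table above produce from a constructed Azure AD user record, mirrors the IsSoftDeleted Switch expression for the active attribute, enforces the full urn:ietf:params:scim:schemas:extension:ws1b:2.0:User path for extension and custom attributes as steps 8 and 9 require, and reports which required attributes a resource is missing. The sample user values and the customAttribute3 value are constructed.

```python
CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Extension schema whose attribute paths the page tells you to add in full.
WS1B_EXT = "urn:ietf:params:scim:schemas:extension:ws1b:2.0:User"

# Required mappings from the table: SCIM target attribute -> Azure AD source attribute.
REQUIRED_MAPPINGS = {"userName": "userPrincipalName", "emails": "mail",
                     "name.givenName": "givenName", "name.familyName": "surname",
                     "externalId": "objectId"}

# Constructed Azure AD user record with sample values (not a real account).
SAMPLE_AZURE_USER = {"userPrincipalName": "jdoe@example.com", "mail": "jdoe@example.com",
                     "givenName": "Jane", "surname": "Doe",
                     "objectId": "00000000-0000-0000-0000-000000000001", "IsSoftDeleted": False}

def is_active(azure_user):
    """Mirror Switch([IsSoftDeleted], , "False", "True", "True", "False"):
    a soft-deleted account becomes active=False, every other value active=True."""
    return not bool(azure_user.get("IsSoftDeleted", False))

def build_scim_user(azure_user, extension_values=None):
    """Translate an Azure AD user dict into the SCIM resource these mappings produce.
    extension_values maps full ws1b extension paths (as typed in Azure AD) to values."""
    scim = {"schemas": [CORE_SCHEMA], "name": {}}
    for target, source in REQUIRED_MAPPINGS.items():
        if not azure_user.get(source):  # e.g. an account with no mail value cannot sync
            raise ValueError(f"required source attribute missing or empty: {source}")
        value = azure_user[source]
        if target == "emails":  # SCIM emails is a multi-valued complex attribute
            value = [{"value": value, "type": "work", "primary": True}]
        if "." in target:
            parent, child = target.split(".", 1)
            scim[parent][child] = value
        else:
            scim[target] = value
    scim["active"] = is_active(azure_user)
    prefix = WS1B_EXT + ":"
    for path, value in (extension_values or {}).items():
        if not path.startswith(prefix):  # a bare name such as customAttribute3 is rejected
            raise ValueError(f"not a full ws1b extension path: {path}")
        scim.setdefault(WS1B_EXT, {})[path[len(prefix):]] = value
    if WS1B_EXT in scim:
        scim["schemas"].append(WS1B_EXT)
    return scim

def missing_required(scim):
    """Return the SCIM paths from the table that are absent or empty in a resource."""
    missing = []
    for path in list(REQUIRED_MAPPINGS) + ["active"]:
        node = scim
        for part in path.split("."):
            node = node.get(part) if isinstance(node, dict) else None
        if node is None or node == "" or node == []:
            missing.append(path)
    return missing
```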

What to do next

Return to the Workspace ONE console to continue with the VMware Identity Services wizard.

Step 4: Select the Authentication Protocol

Select the protocol to use for federated authentication. VMware Identity Services supports the OpenID Connect and SAML protocols.

Procedure

  1. In step 4, Select Authentication Protocol, of the wizard, select OpenID Connect or SAML.
  2. Click Next.
    The next step of the wizard appears with the values required to configure the protocol you selected.

What to do next

Configure VMware Identity Services and the identity provider for federated authentication.

Step 5: Configure Authentication

To configure federated authentication with Azure AD, you set up an OpenID Connect or SAML app in Azure AD using the service provider metadata from VMware Identity Services, and configure VMware Identity Services with the values from the app.

OpenID Connect

If you selected OpenID Connect as the authentication protocol, follow these steps.

  1. From step 5, Configure OpenID Connect, of the VMware Identity Services wizard, copy the Redirect URI value.

    You need this value for the next step, when you create an OpenID Connect application in the Azure AD admin center.


    The Redirect URI value has a copy icon next to it.
  2. In the Azure Active Directory admin center, navigate to Enterprise applications > App registrations.
  3. Click New Registration.
  4. In the Register an application page, enter a name for the app.
  5. For Redirect URI, select Web, and copy and paste the Redirect URI value that you copied from the Configure OpenID Connect section of the VMware Identity Services wizard.

  6. Click Register.

    A Successfully created application name message appears.

  7. Create a client secret for the application.
    1. Click the Client Credentials: Add a certificate or secret link.
    2. Click + New client secret.
    3. In the Add a client secret pane, enter a description and the expiration period for the secret.
    4. Click Add.

      The secret is generated and appears on the Client secrets tab.

    5. Copy the secret value by clicking the copy icon next to it.

      If you leave the page without copying the secret, you will have to generate a new secret.

      You will enter the secret in the VMware Identity Services wizard in a later step.


      The Certificates & secrets page displays the secret in the Client secrets tab.
  8. Grant permissions for the application to call the VMware Identity Services APIs.
    1. Under Manage, select API permissions.
    2. Click Grant admin consent for organization, and click Yes in the confirmation box.
  9. Copy the client ID.
    1. From the left pane on the application page, select Overview.
    2. Copy the Application (client) ID value.

      You will enter the client ID in the VMware Identity Services wizard in a later step.


      The Application (client) ID value is in the Essentials section and has a copy icon next to it.
  10. Copy the OpenID Connect metadata document value.
    1. On the application Overview page, click Endpoints.
    2. From the Endpoints pane, copy the OpenID Connect metadata document value.
      ""

    You will enter the client ID in the VMware Identity Services wizard in the next step.

  11. Return to the VMware Identity Services wizard in the Workspace ONE console, and complete the configuration in the Configure OpenID Connect section.
    Application (client) ID: Paste the application (client) ID value that you copied from the Azure AD OpenID Connect app.
    Client Secret: Paste the client secret that you copied from the Azure AD OpenID Connect app.
    Configuration URL: Paste the OpenID Connect metadata document value that you copied from the Azure AD OpenID Connect app.
    OIDC User Identifier Attribute: The email attribute is mapped to the Workspace ONE attribute for user lookups.
    Workspace ONE User Identifier Attribute: Specify the Workspace ONE attribute to map to the OpenID Connect attribute for user lookups.
  12. Click Finish to complete setting up the integration between VMware Identity Services and Azure AD.

SAML

If you selected SAML as the authentication protocol, follow these steps.

  1. Get the service provider metadata from the Workspace ONE console.

    In step 5, Configure SAML Single Sign-On, of the VMware Identity Services wizard, copy the SAML service provider metadata.

  2. Configure the app in Azure AD.
    1. In the Azure Active Directory admin center, select Enterprise applications in the left pane.
    2. Search for and select the provisioning app that you created in Step 2: Set up User and Group Provisioning.
    3. From the Manage menu, select Single sign-on.
    4. Select SAML as the single sign-on method.
      ""
    5. Click Upload metadata file, select the metadata file that you copied from the Workspace ONE console, and click Add.
      The Upload metadata file option is at the top of the Set up Single Sign-On with SAML page.
    6. In the Basic SAML Configuration pane, verify the following values:
      • The Identifier (Entity ID) value should be the entityID value from the Workspace ONE metadata file.

        For example: https://yourVMwareIdentityServicesFQDN/SAAS/API/1.0/GET/metadata/sp.xml

      • The Reply URL (Assertion Consumer Service URL) value should be the AssertionConsumerService HTTP-POST Location value from the Workspace ONE metadata file.

        For example: https://yourVMwareIdentityServicesFQDN/SAAS/auth/saml/response

    7. In the SAML Certificates section, click the Federation Metadata XML Download link to download the metadata.
      ""
  3. In the Workspace ONE console, copy and paste the federation metadata XML from the file you downloaded from Azure AD to the Identity provider metadata text box in step 5 of the VMware Identity Services wizard.
    In step 5 of the wizard, the Identity provider metadata text box displays the federation metadata XML.
  4. Configure the rest of the options in the Configure SAML Single Sign-On section.
    • Single Sign-Out: Select this option if you want to log users out of their identity provider session after they sign out of Workspace ONE Intelligent Hub.
    • Binding protocol: Select the SAML binding protocol, HTTP POST or HTTP Redirect.
    • Name ID format: Specify the name ID format to use to map users between Azure AD and Workspace ONE services.
    • Name ID value: Select the user attribute for users in Workspace ONE.
  5. Click Finish to complete setting up the integration between VMware Identity Services and Azure AD.
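Step 6 of the Azure AD configuration asks you to verify the Identifier (Entity ID) and Reply URL against the Workspace ONE metadata file. The following added example (not VMware or Microsoft code) performs that check: it reads entityID and the HTTP-POST AssertionConsumerService Location from the service provider metadata and compares them with the values entered in Azure AD. The sp.xml content is constructed using the page's placeholder FQDN, and the extra HTTP-Artifact endpoint is an assumption included only so the binding filter is exercised.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of the sp.xml copied from the wizard, using the page's placeholder FQDN.
# The HTTP-Artifact endpoint is an assumption added so that the binding filter below matters.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://yourVMwareIdentityServicesFQDN/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://yourVMwareIdentityServicesFQDN/SAAS/auth/saml/artifact" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://yourVMwareIdentityServicesFQDN/SAAS/auth/saml/response" index="1"
        isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def sp_values(metadata_xml):
    """Return (entityID, HTTP-POST AssertionConsumerService Location) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID missing from EntityDescriptor")
    # Only the HTTP-POST endpoint is the Reply URL Azure AD must use.
    for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        if acs.get("Binding") == HTTP_POST and acs.get("Location"):
            return entity_id, acs.get("Location")
    raise ValueError("no AssertionConsumerService with the HTTP-POST binding")

def check_basic_saml_config(metadata_xml, identifier, reply_url):
    """Compare the Identifier (Entity ID) and Reply URL entered in Azure AD with the
    metadata. Returns mismatch descriptions; an empty list means they agree."""
    entity_id, acs_url = sp_values(metadata_xml)
    problems = []
    if identifier != entity_id:
        problems.append(f"Identifier (Entity ID) {identifier} != entityID {entity_id}")
    if reply_url != acs_url:
        problems.append(f"Reply URL {reply_url} != HTTP-POST ACS Location {acs_url}")
    return problems
```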

Results

The integration between VMware Identity Services and Azure AD is complete.

The directory is created in VMware Identity Services and will be populated when you push users and groups from the provisioning app in Azure AD. Provisioned users and groups will automatically appear in the Workspace ONE services you choose to integrate with Azure AD, such as Workspace ONE Access and Workspace ONE UEM.

You cannot edit the directory in the Workspace ONE Access and Workspace ONE UEM consoles. Directory, users, user groups, user attributes, and identity provider pages are read-only.

What to do next

Next, select the Workspace ONE services to which you want to provision users and groups.

Then, push users and groups from the Azure AD provisioning app. See Provisioning Users to Workspace ONE.