Workspace One Access (Aka Identity Manager)

AD FS as IdP for Workspace ONE Access and UAG

December 11, 2020

I’ll not talk about the configuration of AD FS itself but how to create the relying party for both Workspace ONE Access and UAG… spoiler: the configuration is not the same 🙂

So here the common part who consist to the creation of the Relying Party Trusts:

Open you AD FS Manager, select “Relying Party Truts” and with the select “Add Relying Party Trust…

Keep “Claims aware” and click “Start

Select “Import data about the relying party for a file“, click “Browse” and select the metadata file downloaded from your Workspace ONE Access or your Unified Access Gateway

Specify a “Display name

Select “Permit everyone

Click “Next

Click “Close

Click “Edit Claim Issuance Policy…

Click “Add Rule

Ok now we have a difference between UAG and Workspace ONE Access

For Workspace ONE Access :

We need to create 2 rules, the first one consist to the email address..

Select “Send LDAP Attributes as Claims
In Attribute store, select : “Active Directory” and the following Attributes/Outgoing Claim Type :
LDAP Attribute : “E-Mail-Addresses
Outgoing Claim Type : “E-Mail Address

And the second one consist to transform the output to something readable for Workspace One Access:

Select “Send Claims Using a Custom Rule
In “Claim rule name:“, type your rule name eg : “Transform
In “Custom rule“, copy and past the following line but change the “https://my_tenant.vmwareidentity.eu” by your tenant fqdn

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "{https://my_tenant.vmwareidentity.eu}");

For Unified Access Gateway, it’s more simple,

Select “Send LDAP Attributes as Claims
In Attribute store, select : “Active Directory” and the following Attributes/Outgoing Claim Type :
LDAP Attribute : “User-Principal-Name
Outgoing Claim Type : “Name ID



You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *