Keep “Claims aware” selected and click “Start”
Select “Import data about the relying party from a file”, click “Browse” and select the metadata file downloaded from your Workspace ONE Access or your Unified Access Gateway
Specify a “Display name”
Select “Permit everyone”
Click “Next”
Click “Close”
Click “Edit Claim Issuance Policy…”
Click “Add Rule”
At this point the procedure differs between UAG and Workspace ONE Access.
For Workspace ONE Access:
We need to create two rules. The first one sends the user's email address as a claim:
Select “Send LDAP Attributes as Claims”
In Attribute store, select “Active Directory” and the following LDAP Attribute / Outgoing Claim Type pair:
LDAP Attribute: “E-Mail-Addresses”
Outgoing Claim Type: “E-Mail Address”
The second one transforms that email claim into a Name ID that Workspace ONE Access can consume:
Select “Send Claims Using a Custom Rule”
In “Claim rule name:”, type your rule name, e.g. “Transform”
In “Custom rule”, copy and paste the following rule, replacing “https://my_tenant.vmwareidentity.eu” with your tenant FQDN:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "{https://my_tenant.vmwareidentity.eu}");
For Unified Access Gateway:
It is simpler: a single rule is enough.
Give a Claim rule name, e.g. “Get UPN”
Select “Send LDAP Attributes as Claims”
In Attribute store, select “Active Directory” and the following LDAP Attribute / Outgoing Claim Type pair:
LDAP Attribute: “User-Principal-Name”
Outgoing Claim Type: “Name ID”
Click “Finish”
Click “Apply”
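The same relying party trusts and claim rules can be created from the ADFS PowerShell module instead of the wizard. This is an added example, not code from the original post or from VMware; the metadata file paths under C:\sp-metadata\, the trust display names and the use of the ADFS 2016+ “Permit everyone” access control policy are assumptions, and the tenant FQDN is the placeholder from the post.

```powershell
# Added example: scripted equivalent of the wizard steps above (assumptions: file paths,
# display names, ADFS 2016+ access control policies, placeholder tenant FQDN from the post).
Import-Module ADFS

$tenant      = 'https://my_tenant.vmwareidentity.eu'   # replace with your tenant FQDN
$winAccount  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$emailClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'

# Workspace ONE Access, rule 1: "Send LDAP Attributes as Claims", mail -> E-Mail Address
$wsoneEmailRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Get Email"
c:[Type == "$winAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);
"@

# Workspace ONE Access, rule 2: the custom transform rule from the post, emailaddress -> Name ID
$wsoneTransformRule = @"
@RuleName = "Transform"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$tenant");
"@

# Unified Access Gateway: single LDAP rule, userPrincipalName -> Name ID
$uagRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Get UPN"
c:[Type == "$winAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$nameIdClaim"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Import each SP metadata file (downloaded from the product, as in the wizard) and attach the rules.
# On ADFS versions before 2016 use -IssuanceAuthorizationRules instead of -AccessControlPolicyName.
Add-AdfsRelyingPartyTrust -Name 'Workspace ONE Access' `
    -MetadataFile 'C:\sp-metadata\wsone-sp.xml' `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules ($wsoneEmailRule + "`n" + $wsoneTransformRule)

Add-AdfsRelyingPartyTrust -Name 'Unified Access Gateway' `
    -MetadataFile 'C:\sp-metadata\uag-sp.xml' `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $uagRule

# Check: read back the stored rules before testing a login, so a typo in the
# transform rule is caught here rather than as a failed SAML assertion.
Get-AdfsRelyingPartyTrust -Name 'Workspace ONE Access' | Select-Object -ExpandProperty IssuanceTransformRules
```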