Azure AD as IdP for Workspace One Access

This tutorial shows how to configure Azure AD as a third-party Identity Provider (SAML IdP) for Workspace ONE Access.

Note: in my case the default Azure AD domain is alfadir.onmicrosoft.com, but in order to match my on-premises Active Directory I had to use the “Alternate email” rather than the email address or UPN.

The first thing to do is to create a “New Application” in Azure. Once logged on to the Azure Portal as an admin, select “Azure Active Directory”, then in the left pane select “Enterprise applications” and click “New Application”:

Select “Click here to switch to the old app gallery experience”

Select “Non-gallery application”

Type a name for this application (the tenant name, for example) and click “Add” (bottom-left)

Select “1. Assign users and groups” and click “Add user”

Add all required users and click “Assign”

Click “2. Set up single sign on” or “Single sign-on” on the left pane.

Select “SAML”

Click “Edit”

Fill in the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) with your Workspace ONE Access tenant information and click “Save”. Both values must match the Workspace ONE Access tenant exactly: the Entity ID becomes the Audience of the SAML assertion, and the Reply URL is the only address Azure AD will post the assertion to.

As mentioned above, the default claims are used (the Unique User Identifier / Name ID claim is sourced from user.userprincipalname; the “Alternate email” corresponds to the user.othermail source attribute):

But in my case I had to use the Alternate email, so I only changed it to:

Now we need to save the federation metadata so we can import it into Workspace ONE Access: in block number “3”, click “Download” next to “Federation Metadata XML”. This file embeds the SAML signing certificate Azure AD uses for this application; Azure AD generates one valid for three years, so note its expiry date, because a rotated certificate has to be re-imported on the Workspace ONE Access side before the old one expires.

Nothing more to do on the Azure side, now let’s configure Workspace ONE Access…

Log in as admin and select “Identity & Access Management”, then “Identity Providers”

Click “Add Identity Provider” (upper right)

Fill in the required information:
Identity Provider Name: something to identify this IdP, e.g. Azure AD
SAML Metadata: copy and paste the content of the “Federation Metadata XML” file and click “Process IdP Metadata”
Name ID Format:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified = userName
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress = userPrincipalName
Name ID Policy in SAML Request: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Network: select the appropriate network ranges
Authentication Methods: a name for this authentication method, e.g. Azure AD (this is the name you will pick in the access policy)
SAML Contexts: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Once done you can select your Azure AD as the authentication method in the access policies. For this, select “Policies” and “EDIT DEFAULT POLICY”.

Select “Configuration” \ “<Network Range>”

Finally select “AZURE AD” (or whatever you called it) and Save. The default policy applies to every user, including administrators, so keep a second admin session open (or a local admin account with a password fallback) while you test the first Azure AD login: a misconfigured IdP in the default policy locks everyone out of the console.
