Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

Category: Workspace One Access (Aka Identity Manager)

Adding Static Route to WS1 Access

I had a request from Spanish colleagues about adding static routes to Workspace One Access (in their case it was because of database in a different network).

I first had a look on our internal channel on Slack and find a first way to do it … but with Identity Manager version 3.3. However, when I try to test it in my Home Lab using my on-premise WS1 Access 20.10 it was totally different. vIDM 3.3 is based on Suse Linux when WS1 Access 20.10 is based on Photon 3. After some exchange by mail with my colleagues, they sent me the procedure they used for their deployment… different for the first two !!!
Yes they deployed Workspace One Access 20.01…

Basically both method work with vIDM 3.3 and Workspace One v20.01 as both are running Suse Linux

AD FS as IdP for Workspace ONE Access and UAG

I’ll not talk about the configuration of AD FS itself but how to create the relying party for both Workspace ONE Access and UAG… spoiler: the configuration is not the same 🙂

So here the common part who consist to the creation of the Relying Party Trusts:

Open you AD FS Manager, select “Relying Party Truts” and with the select “Add Relying Party Trust…

Azure AD as IdP for Workspace One Access

This tuto will show you how to configure Azure AD as a 3rd party Identity Provider for Workspace One Access.

Note : In my case, the default Azure AD domain is alfadir.onmicrosoft.com but in order to match with my on-premise Active Directory I had to use not the email address or UPN but the “Alternate email”

So the first thing to do is to create a “New Application” in Azure, once logged on Azure Portal as Admin, select “Azure Active Directory“, then on the left pane, select “Enteprise applications” and click “New Application“:

Shibboleth as IdP for Workspace ONE Access

Recently I had to work on a project that imply Shibboleth as IdP (Identity Provider), so you will see below how to configure it in Workspace One Access as a 3rd party IdP.

One of the major issue with Shibboleth (in my case) is it only provides a samAccountName but not a UserPrincipalName (upn), so basically the User name without the domain name (eg. e.monjoin but not e.monjoin@mydomain.dom). It works in many situation excepted in a multi domain configuration where you can potentially have the same username in two different domain and you have a trust relationship between them (eg. e.monjoin@finance.domain.com and e.monjoin@technical.domain.com). In this case WS1 Access will not be able to choose a account you will see the following error :

Moving Workspace One Access database to a new MS SQL Server

I had to validate how to migrate WS1 Access database to another SQL Server.

This test concerns a dual-site configuration with 3 active nodes (R/W) on Site-A et 3 passive nodes on site B (R/O).

The first thin I did, was to set all nodes to passive (so read-only for all) so no more update will be done on the database.

After that I made a SQL backup of my database and copied it the new MS SQL Server.