{"id":111,"date":"2020-12-11T16:01:31","date_gmt":"2020-12-11T14:01:31","guid":{"rendered":"http:\/\/my-virt.alfadir.net\/?p=111"},"modified":"2022-02-13T18:13:14","modified_gmt":"2022-02-13T16:13:14","slug":"ad-fs-as-idp-for-workspace-one-access-and-uag","status":"publish","type":"post","link":"https:\/\/my-virt.alfadir.net\/index.php\/2020\/12\/11\/ad-fs-as-idp-for-workspace-one-access-and-uag\/","title":{"rendered":"AD FS as IdP for Workspace ONE Access and UAG"},"content":{"rendered":"\n

I’ll not talk about the configuration of AD FS itself but how to create the relying party for both Workspace ONE Access and UAG… spoiler: the configuration is not the same \ud83d\ude42<\/p>\n\n\n\n

So here the common part who consist to the creation of the Relying Party Trusts:<\/p>\n\n\n\n

Open you AD FS Manager, select “Relying Party Truts<\/strong>” and with the select “Add Relying Party Trust…<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n\n\n\n\n

Keep “Claims aware<\/strong>” and click “Start<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Select “Import data about the relying party for a file<\/strong>“, click “Browse<\/strong>” and select the metadata file downloaded from your Workspace ONE Access or your Unified Access Gateway<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Specify a “Display name<\/strong>” <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Select “Permit everyone<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Click “Next<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Click “Close<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Click “Edit Claim Issuance Policy…<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Click “Add Rule<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Ok now we have a difference between UAG and Workspace ONE Access<\/p>\n\n\n\n

For Workspace ONE Access :<\/strong><\/p>\n\n\n\n

We need to create 2 rules, the first one consist to the email address..<\/p>\n\n\n\n

Select “Send LDAP Attributes as Claims<\/strong>“
In Attribute store, select : “Active Directory<\/strong>” and the following Attributes\/Outgoing Claim Type :
LDAP Attribute<\/span> : “E-Mail-Addresses<\/em>“
Outgoing Claim Type<\/span> : “E-Mail Address<\/em>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And the second one consist to transform the output to something readable for Workspace One Access:<\/p>\n\n\n\n

Select “Send Claims Using a Custom Rule<\/strong>“
In “Claim rule name:<\/strong>“, type your rule name eg : “Transform<\/em>“
In “Custom rule<\/strong>“, copy and past the following line but change the “https:\/\/my_tenant.vmwareidentity.eu” by your tenant fqdn
<\/p>\n\n\n\n

c:[Type == \"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress\"]\n => issue(Type = \"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/nameidentifier\", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties[\"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claimproperties\/format\"] = \"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\", Properties[\"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claimproperties\/spnamequalifier\"] = \"{https:\/\/my_tenant.vmwareidentity.eu}\");<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
For Unified Access Gateway:<\/strong><\/p>\n\n\n\n
It’s more simple, <\/p>\n\n\n\n
Give a Claim rule name : eg. “Get UPN<\/em>“<\/p>\n\n\n\n
Select “Send LDAP Attributes as Claims<\/strong>“
In Attribute store, select : “Active Directory<\/strong>” and the following Attributes\/Outgoing Claim Type :
LDAP Attribute : “User-Principal-Name<\/em>“
Outgoing Claim Type : “Name ID<\/em>“<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Click “Finish<\/strong>“<\/p>\n\n\n\n
Click “Apply<\/strong>“

<\/p>\n","protected":false},"excerpt":{"rendered":"
I’ll not talk about the configuration of AD FS itself but how to create the relying party for both Workspace ONE Access and UAG… spoiler: the...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-111","post","type-post","status-publish","format-standard","hentry","category-identity-manager"],"_links":{"self":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts\/111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/comments?post=111"}],"version-history":[{"count":7,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts\/111\/revisions"}],"predecessor-version":[{"id":266,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts\/111\/revisions\/266"}],"wp:attachment":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/media?parent=111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/categories?post=111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/tags?post=111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}