{"id":72,"date":"2020-12-04T16:54:57","date_gmt":"2020-12-04T14:54:57","guid":{"rendered":"http:\/\/my-virt.alfadir.net\/?p=72"},"modified":"2021-01-22T00:54:46","modified_gmt":"2021-01-21T22:54:46","slug":"shibboleth-as-idp-for-workspace-one-access","status":"publish","type":"post","link":"https:\/\/my-virt.alfadir.net\/index.php\/2020\/12\/04\/shibboleth-as-idp-for-workspace-one-access\/","title":{"rendered":"Shibboleth as IdP for Workspace ONE Access"},"content":{"rendered":"\n

Recently I had to work on a project that imply Shibboleth as IdP (Identity Provider), so you will see below how to configure it in Workspace One Access as a 3rd party IdP.<\/p>\n\n\n\n

One of the major issue with Shibboleth (in my case) is it only provides a samAccountName but not a UserPrincipalName (upn), so basically the User name without the domain name (eg. e.monjoin but not e.monjoin@mydomain.dom). It works in many situation excepted in a multi domain configuration where you can potentially have the same username in two different domain and you have a trust relationship between them (eg. e.monjoin@finance.domain.com and e.monjoin@technical.domain.com). In this case WS1 Access will not be able to choose a account you will see the following error :<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n\n\n\n\n

That said, let see how to configure WS1 :<\/p>\n\n\n\n

1 – In Identity & Access Management<\/strong> \\ Setup<\/strong> \\ User Attributes<\/strong>
Only UserName<\/strong> should be checked as required<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

2  – In Identity & Access Management \\ Setup<\/strong> \\ Preference<\/strong>
Check  Sync Group Members to the Directory When Adding Group<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Note : this prevent synching all users but only required one.<\/em><\/p>\n\n\n\n

3  – In Identity & Access Management \\ Manage<\/strong> \\ Directory<\/strong>
3a \u2013 Ensure all required domains are selected :<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

3b \u2013 Specify OU when to find required groups and select required groups<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

3c \u2013 Don’t specify Users unless you want to add a specific account who’s not belong to a group you select in the previous step (for example admin accounts)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

3d \u2013 OPTIONAL \u2013 clear all percentage so Safeguards will not bother you when adding\/removing users<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

4 –  In Identity & Access Management \\ Manage<\/strong> \\ Identity Providers<\/strong>, click Add Identity Provider<\/strong> then  Create Third Party IDP<\/strong> to add Shibboleth:<\/p>\n\n\n\n

4a \u2013 Identity Provider Name :  Up to you but “Shibboleth” is good idea \ud83d\ude0a<\/p>\n\n\n\n

In SAML Metadata :<\/span><\/p>\n\n\n\n

4b \u2013 Copy Shibboleth IdP Metadata to SAML Metadata and click Process IdP Metadata
4c \u2013 Select SAML Attribute (instead of NameID Element)
4d \u2013 Attribute Format, select urn:oasis:names:tc:SAML:2.0:attrname-format:uri
4e \u2013 Attribute Name, type : urn:oid:1.3.6.1.4.1.5923.1.1.1.6
4f \u2013 Attribute Name is VMware Workspace ONE Access, select UserName<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Users :<\/span><\/p>\n\n\n\n

4g \u2013 Check appropriate domain<\/p>\n\n\n\n

Network :<\/span><\/p>\n\n\n\n

4h : Check appropriate network (certainly only ALL RANGES, unless you set another one)<\/p>\n\n\n\n

Authentication Methods<\/span><\/p>\n\n\n\n

4i \u2013 Authentication Methods : Up to you but “Shibboleth” is good idea as well \ud83d\ude0a
4j \u2013 SAML Context : Select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

5 –  In Identity & Access Management \\ Manage<\/strong> \\ Policies
                5a \u2013 Click Edit Default Policy
                5b \u2013 For ALL RANGES (or required network), specify Shibboleth as Authentication Method and Verify as well if you want to add VMware Verify as MFA.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

Recently I had to work on a project that imply Shibboleth as IdP (Identity Provider), so you will see below how to configure it in Workspace...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-72","post","type-post","status-publish","format-standard","hentry","category-identity-manager"],"_links":{"self":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts\/72","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/comments?post=72"}],"version-history":[{"count":4,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts\/72\/revisions"}],"predecessor-version":[{"id":147,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts\/72\/revisions\/147"}],"wp:attachment":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/media?parent=72"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/categories?post=72"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/tags?post=72"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}