{"id":88,"date":"2020-12-11T13:08:32","date_gmt":"2020-12-11T11:08:32","guid":{"rendered":"http:\/\/my-virt.alfadir.net\/?p=88"},"modified":"2021-01-22T00:54:25","modified_gmt":"2021-01-21T22:54:25","slug":"azure-ad-as-idp-for-workspace-one-access","status":"publish","type":"post","link":"https:\/\/my-virt.alfadir.net\/index.php\/2020\/12\/11\/azure-ad-as-idp-for-workspace-one-access\/","title":{"rendered":"Azure AD as IdP for Workspace One Access"},"content":{"rendered":"\n

This tuto will show you how to configure Azure AD as a 3rd party Identity Provider for Workspace One Access. <\/p>\n\n\n\n

Note : In my case, the default Azure AD domain is alfadir.onmicrosoft.com but in order to match with my on-premise Active Directory I had to use not the email address or UPN but the “Alternate email” <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

So the first thing to do is to create a “New Application” in Azure, once logged on Azure Portal as Admin, select “Azure Active Directory<\/strong>“, then on the left pane, select “Enteprise applications<\/strong>” and click “New Application<\/strong>“:<\/p>\n\n\n\n\n\n\n\n

\"\"<\/figure>\n\n\n\n

Select “Click here to switch to switch to the old app gallery experience<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Select “Non-gallery application<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Type a name for this application (Tenant name for exemple) and click “Add” (bottom-left)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Select “1. Assign users and groups” and click “Add user” <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Add all required users and click “Assign”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Click “2. Set up single sign on” or “Single sign-on” on the left pane.<\/p>\n\n\n\n

\n
\n
\"\"<\/figure>\n<\/div>\n\n\n\n
\n
\"\"<\/figure>\n<\/div>\n<\/div>\n\n\n\n

Select “SAML<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Click “Edit<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Fill the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) with your Workspace ONE Access tenant information and click “Save<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

As said by default the following attributes are used :<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

But in my case I had to use the Alternate email so I only change it for :<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Now we need to save the Federation metadata so we can import it it in Workspace ONE Access, so one the block number “3”, click “Download<\/strong>” in front of “Federation Metadata XML<\/strong>“<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Nothing more to do on the Azure side, now let’s configure Workspace ONE Access…<\/p>\n\n\n\n

Login as admin and select “Identity & Access Management<\/strong>” then “Identity Providers<\/strong>“<\/p>\n\n\n\n

Click “Add Identity Provider” (upper right)<\/p>\n\n\n\n

Fill the required informations :<\/span>
Identity Provider Name<\/strong> <\/span>: Something to identify this IdP eg. Azure AD
SAML Metadata<\/span><\/strong> : copy and past the content of “Federation Metadata XML<\/em>” and click “Process IdP Metadata<\/strong>“
Name ID Format:<\/span><\/strong>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified = userName
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress = userPrincipalName
Name ID Policy in SAML Request<\/strong> : urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Network<\/span><\/strong>: Select appropriate networks
Authentication Methods<\/span><\/strong> : Something to identify this IdP eg. Azure AD
SAML Contexts<\/strong><\/span> : urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Once done you can specify your Azure AD as authentication method in the Policies for this, select “Policies<\/strong>” and “EDIT DEFAULT POLICY”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Select “Configuration” \\ “<Network Range>” <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Finally select “AZURE AD” (or whatever you call it) and Save<\/p>\n","protected":false},"excerpt":{"rendered":"

This tuto will show you how to configure Azure AD as a 3rd party Identity Provider for Workspace One Access. Note : In my case, the...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-88","post","type-post","status-publish","format-standard","hentry","category-identity-manager"],"_links":{"self":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts\/88","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/comments?post=88"}],"version-history":[{"count":4,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts\/88\/revisions"}],"predecessor-version":[{"id":146,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/posts\/88\/revisions\/146"}],"wp:attachment":[{"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/media?parent=88"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/categories?post=88"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/my-virt.alfadir.net\/index.php\/wp-json\/wp\/v2\/tags?post=88"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}