Configuring VMware Identity Manager as a Third-Party IDP in AD FS
VMware Identity Manager | AUGUST 2016 | V2
Table of Contents
Introduction .......... 2
AD FS Configuration .......... 3
VMware Identity Manager Configuration .......... 15
Test Configuration .......... 19
Appendix A – Setting VMware Identity Manager as Default Claims Provider .......... 24
Appendix B - Enabling Support for IDP Initiated Login from Workspace ONE .......... 25
Appendix C - Troubleshooting .......... 28
TECHNICAL WHITEPAPER /1
Introduction

With the rapid adoption of Office 365, more companies are looking to implement the Workspace™ ONE™ suite of solutions to improve the login experience for their end users in the Office 365 client applications. VMware Identity Manager™ is certified to handle all authentication use cases for Office 365 as a standalone identity provider. Yet many of the companies that have transitioned to Office 365 have also implemented Microsoft's identity provider of choice, Active Directory Federation Services (AD FS), to federate authentication for their Office 365 domain. In many cases it is not feasible for a company that has already deployed AD FS as its identity provider for Office 365 to change the configuration of its production tenant.

This document explores an alternative that allows a company to take advantage of the Workspace ONE end-user experience while avoiding any critical changes to its current setup. AD FS supports the use of a third-party identity provider (configured as a claims provider trust) and can redirect incoming authentication requests from an Office 365 client to VMware Identity Manager. VMware Identity Manager can then challenge the client device for the specific mobile SSO authentication method and seamlessly authenticate the user without the user having to enter any credentials manually, unless the company requires them as a second factor of authentication.

This guide goes through the steps of configuring VMware Identity Manager as a third-party identity provider within AD FS. It assumes that Office 365 has already been set up and properly federated with an AD FS server. You will need admin access to both the VMware Identity Manager tenant and the AD FS server.
If you would instead like to configure Office 365 to authenticate directly with VMware Identity Manager, follow the steps in the following guide: https://www.vmware.com/pdf/VMware Identity Manager-Office 365-saml.pdf

If you configure Office 365 to authenticate with VMware Identity Manager, AD FS can in turn be leveraged as a third-party identity provider. This allows VMware Identity Manager to dynamically redirect authentication to AD FS based on the device and/or network range, thanks to its flexible policy engine: https://www.vmware.com/pdf/VMware Identity Manager-AD FS-integration.pdf
AD FS Configuration
1. Log in to the VMware Identity Manager tenant, navigate to the Catalog > Settings page, and download the Identity Provider (IdP) metadata file.
2. Connect to the Office 365 tenant via the Windows Azure Active Directory PowerShell client module.
3. Verify that a domain has been validated with Office 365 and that it has been federated with the AD FS server you will be working with.
4. Authentication into Office 365 through a web browser should be working with AD FS before proceeding.
5. Open the AD FS management snap-in.
6. Right-click Claims Provider Trusts and select Add Claims Provider Trust.
7. Click Start.
8. Select the Import data about the claims provider from a file option. Import the IdP metadata file that was downloaded from the VMware Identity Manager tenant.
9. Give this Claims Provider a friendly name. Note that the end user will need to select this name during the login process to authenticate with VMware Identity Manager instead of AD FS.
10. Select Next.
11. Select the Open the Edit Claim Rules option and click Close.
The standard setup for Office 365 queries Active Directory for the user's attributes after the user has authenticated, so that the attributes required by Office 365 can be included in the token. This AD query expects a value of type WindowsAccountName in the form domain\user to run properly, which differs from what VMware Identity Manager provides in its SAML response. Claim rules can be used to transform the incoming value.
12. Click on Add Rule.
13. Select Transform an Incoming Claim from the dropdown.
14. Click Next.
15. Configure the following settings:
  o Claim Rule Name: provide a friendly name for this rule
  o Incoming claim type: select Name ID from the dropdown
  o Incoming name ID format: select Unspecified from the dropdown
  o Outgoing claim type: select Windows account name from the dropdown
  o Select Pass through all claim values
16. Click Finish.
17. Click Yes to acknowledge the security warning.
18. Verify that the claim rule has been created properly.
19. Click OK.
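The same claims provider trust and Name ID transform that the wizard builds in steps 6 through 19 can be created from the AD FS PowerShell module, which is useful for a second federation server or for reviewing exactly what the wizard produced. This is an added example and not part of the whitepaper; it assumes the IdP metadata from step 1 has been copied to the placeholder path in $MetadataFile, and the friendly name in $ProviderName is an assumption you replace with your own.

```powershell
# Added example (not from the whitepaper). Requires the ADFS module on the AD FS server
# and an elevated session. Paths and names below are placeholders.
Import-Module ADFS

$MetadataFile = 'C:\Temp\vidm-idp-metadata.xml'   # placeholder: IdP metadata downloaded in step 1
$ProviderName = 'VMware Identity Manager'          # placeholder: name users pick on the AD FS sign-in page

# Claim rule language equivalent of the wizard settings in step 15:
#   incoming claim type Name ID, incoming name ID format Unspecified,
#   outgoing claim type Windows account name, pass through all claim values.
# The Properties[...] check is what restricts the rule to the Unspecified format.
$NameIdToWindowsAccount = @'
@RuleTemplate = "MapClaims"
@RuleName = "NameID (unspecified) to WindowsAccountName"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

if (-not (Test-Path -Path $MetadataFile)) {
    throw "Metadata file not found: $MetadataFile"
}
if (Get-AdfsClaimsProviderTrust -Name $ProviderName -ErrorAction SilentlyContinue) {
    throw "A claims provider trust named '$ProviderName' already exists; pick another name or remove it first"
}

# Import endpoints, entityID and token-signing certificate from the metadata and attach the rule.
Add-AdfsClaimsProviderTrust -Name $ProviderName `
                            -MetadataFile $MetadataFile `
                            -AcceptanceTransformRules $NameIdToWindowsAccount

# Read the trust back: Identifier must equal the entityID in the metadata, and the
# acceptance rules must contain only the transform above (the equivalent of step 18).
Get-AdfsClaimsProviderTrust -Name $ProviderName |
    Select-Object Name, Identifier, Enabled, SignatureAlgorithm, AcceptanceTransformRules |
    Format-List
```

Because the rule only matches a Name ID whose format property is Unspecified, the VMware Identity Manager side must send exactly that format (step 13 of the VMware Identity Manager configuration); a response carrying a different format produces no WindowsAccountName claim and the Active Directory lookup for Office 365 fails.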
VMware Identity Manager Configuration
1. Download the metadata file for the AD FS server by navigating to the following URL (modify the URL to use your AD FS server address):
  o https://adfs.acme.com/FederationMetadata/2007-06/FederationMetadata.xml
You will need to create an application within the VMware Identity Manager admin console to respond to authentication requests from the AD FS server.
2. Navigate to the Catalog menu.
3. Select Add Application on the right-hand side and click on create a new one.
4. Give the application a friendly name.
5. Select SAML 2.0 Post Profile as the Authentication Profile.
6. Click Next.
7. In the Application Configuration page, select the option to configure via Metadata-XML.
8. Paste the contents of the AD FS metadata XML file into the Metadata XML field.
9. Click Save at the bottom.
10. Navigate to the Entitlements > Group Entitlements page and select the group that will be testing authentication through this configuration. Make sure the deployment type is set to Automatic and click Save.
11. Navigate back to the Application Configuration page.
12. Select SHA256 with RSA from the Signature Algorithm drop-down menu. Note that this might be different depending upon the configuration of your AD FS server.
VMware Identity Manager needs to send a Name ID in a format that AD FS can use to query users in AD.
13. Select Unspecified (username) from the Name ID Format dropdown.
14. Select Custom Value as the Name ID Value.
15. VMware Identity Manager will need to send a value in the form domain\user. This can be accomplished by using user lookup variables: ${user.domain}\${user.userName}
16. Save the configuration.
Test Configuration
1. Open a private browsing session (recommended when testing federated authentication) in your computer's browser.
2. Navigate to the Office 365 login page: https://login.microsoftonline.com
3.
3. Enter the username of a user that exists in the Office 365 federated domain.
Office 365 will redirect to the AD FS login page. Select the option to authenticate with VMware Identity Manager (this will match the name given to the Claims Provider configuration).
AD FS will redirect to the VMware Identity Manager login page.
4. Enter the credentials of a user entitled to this resource.
If successful, you will be authenticated into your user’s Office 365 portal.
Appendix A – Setting VMware Identity Manager as Default Claims Provider
1. Open a PowerShell session on the AD FS server. PowerShell must be opened with elevated admin rights for the following command to run successfully:
  o Set-AdfsRelyingPartyTrust -TargetName claimapp -ClaimsProviderName @("Fabrikam","Active Directory")
2. Replace "claimapp" with the name of the Relying Party Trust to which this will apply. For Office 365 the default name is "Microsoft Office 365 Identity Platform" (include the quotation marks in the command).
3. Indicate the name of the claims provider after the -ClaimsProviderName parameter (e.g. AcmevIDMServer, the friendly name given to the claims provider trust). Note that, as the sample command above shows, more than one claims provider can be specified (e.g. @("AcmevIDM1", "AcmevIDM2")). If this command runs successfully and a single claims provider is specified, all authentication requests for that relying party trust will automatically be redirected to that claims provider. This eliminates the users' choice to authenticate with AD FS's own authentication policies.
For more customization options on the AD FS sign-in page, see the following link: https://technet.microsoft.com/en-us/library/dn280950.aspx
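Because a misspelled claims provider name in that command silently leaves the relying party pointing at a provider that does not exist, it is worth checking each name before applying it and reading the setting back afterwards. The script below does that; it is an added example rather than part of the whitepaper, and the relying party and claims provider names it uses are placeholders for your own.

```powershell
# Added example (not from the whitepaper). Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$RelyingParty    = 'Microsoft Office 365 Identity Platform'   # default Office 365 relying party trust name
$ClaimsProviders = @('VMware Identity Manager')               # placeholder; add 'Active Directory' to keep the AD FS choice

# The relying party trust must exist under exactly this display name.
if (-not (Get-AdfsRelyingPartyTrust -Name $RelyingParty)) {
    throw "Relying party trust '$RelyingParty' not found; check the name in the AD FS snap-in"
}

# Every claims provider named must exist; the friendly name from the wizard is matched exactly.
foreach ($cp in $ClaimsProviders) {
    if (-not (Get-AdfsClaimsProviderTrust -Name $cp -ErrorAction SilentlyContinue)) {
        throw "Claims provider trust '$cp' not found; names must match the friendly name given in the wizard"
    }
}

# Pin the relying party to the listed claims providers. With a single entry, home realm
# discovery is skipped and every sign-in for this relying party goes to that provider.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -ClaimsProviderName $ClaimsProviders

# Read the setting back to confirm what AD FS will actually use.
(Get-AdfsRelyingPartyTrust -Name $RelyingParty).ClaimsProviderName
```

Keeping 'Active Directory' in the list preserves a fallback sign-in path through AD FS itself while VMware Identity Manager is being rolled out; once the single-provider form is applied, users of that relying party can no longer reach the AD FS forms or Windows authentication directly.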
Appendix B - Enabling Support for IDP Initiated Login from Workspace ONE
The configuration described in the main body of this document enables support for service provider-initiated (i.e. initiated from the Office365 portal) sign-in. However, that configuration does not fully work for an identity provider-initiated (from within Workspace ONE) sign-in. With the configuration above, when a user clicks on the application that was configured for AD FS within VMware Identity Manager, they will be authenticated into AD FS. However, they are not redirected further to the Office365 portal, because AD FS has no information about where the user should be directed. That information can be passed by VMware Identity Manager to AD FS in the form of a RelayState parameter. This allows AD FS to direct the user to a specific Relying Party Trust (application) upon successful authentication.
Enable support for RelayState in AD FS
1. Open the file: %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config
2. Insert within the section of the config file.
See the following link for more information: http://www.expta.com/2014/11/how-to-enable-relaystate-in-adfs-20-and.html
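Editing that config file by hand is error-prone, and a malformed file stops the AD FS service from starting. The script below is an added example that is not part of the whitepaper; the element it inserts, useRelayStateForIdpInitiatedSignOn under microsoft.identityServer.web, is taken from Microsoft's AD FS 2.x RelayState documentation rather than from this page, and the backup location is an assumption.

```powershell
# Added example (not from the whitepaper). Applies to AD FS 2.x, where the RelayState switch
# lives in Microsoft.IdentityServer.Servicehost.exe.config. Run elevated on each federation server.
$ConfigPath = Join-Path -Path $env:SystemRoot -ChildPath 'ADFS\Microsoft.IdentityServer.Servicehost.exe.config'
$BackupPath = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"   # assumption: backup beside the original

if (-not (Test-Path -Path $ConfigPath)) {
    throw "Config file not found: $ConfigPath"
}

# Keep a copy so the service can be restored if the edit is rejected.
Copy-Item -Path $ConfigPath -Destination $BackupPath

[xml]$Config = Get-Content -Path $ConfigPath -Raw

# The setting belongs under <configuration><microsoft.identityServer.web>; refuse to guess if that is missing.
$WebSection = $Config.SelectSingleNode('/configuration/microsoft.identityServer.web')
if ($null -eq $WebSection) {
    throw 'Section <microsoft.identityServer.web> not found; file layout is not the expected AD FS 2.x one'
}

$Existing = $WebSection.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')
if ($null -eq $Existing) {
    $Node = $Config.CreateElement('useRelayStateForIdpInitiatedSignOn')
    $Node.SetAttribute('enabled', 'true')
    [void]$WebSection.AppendChild($Node)
} else {
    # Already present: make sure it is switched on rather than adding a duplicate element.
    $Existing.SetAttribute('enabled', 'true')
}

$Config.Save($ConfigPath)

# The setting is read at service start.
Restart-Service -Name adfssrv
Write-Output "RelayState enabled; backup written to $BackupPath"
```

On AD FS running on Windows Server 2012 R2 and later, the same switch is exposed as a property and the config file should not be edited: run Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true instead, then restart the service.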
Add RelayState Parameter in Application Configuration
Open the Properties menu for the Office365 Relying Party Trust in AD FS.
1. Navigate to the Identifiers tab.
2. Copy one of the configured Identifiers (in this case we will use "urn:federation:MicrosoftOnline").
3. In the VMware Identity Manager admin console Catalog tab, navigate to your AD FS application Configuration page.
4. In the RelayState parameter text box enter RPID=RelyingPartyTrustIdentifier
  o For Office365, this would be: RPID=urn:federation:MicrosoftOnline
For more information on RelayState support in AD FS see the following link: https://technet.microsoft.com/en-us/library/jj127245(v=ws.10).aspx
Appendix C - Troubleshooting
1. If you are unable to authenticate, first try to perform an IDP initiated login into AD FS by navigating to:
  o https://adfs.acme.com/adfs/ls/idpinitiatedsignon.aspx
2. This will check whether the trust and authentication endpoints have been configured correctly in both AD FS and VMware Identity Manager (this is all configured through the metadata XML exchange).
3. Next, check the AD FS Event Viewer log for any authentication errors. Most errors will likely be due to a mismatch between the value/format that VMware Identity Manager is providing and what is being expected by the AD FS server.
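The two checks above can be scripted so that the event log errors and the metadata on both sides are visible in one place: the most common mismatches are the Name ID format (steps 13 to 15 of the VMware Identity Manager configuration), the signature algorithm (step 12), and an expired or rotated token-signing certificate. This helper is an added example and not part of the whitepaper; the AD FS hostname is the placeholder used elsewhere in this guide, the log name assumes AD FS on Windows Server 2012 R2 or later, and the tenant address is an assumption.

```powershell
# Added troubleshooting helper (not from the whitepaper). Run on the AD FS server in an elevated session.
Import-Module ADFS

$AdfsHost = 'adfs.acme.com'                        # placeholder AD FS farm name used in this guide
$VidmMetadataUrl = 'https://tenant.example.com/SAAS/API/1.0/GET/metadata/idp.xml'   # assumption: your IdP metadata URL
$AdfsLogName = 'AD FS/Admin'                       # on AD FS 2.0 the channel is 'AD FS 2.0/Admin'

# Pull recent Error-level events (Level 2) from the AD FS admin channel; first line of each message only.
function Get-RecentAdfsErrors {
    param([int]$Hours = 1)
    $filter = @{ LogName = $AdfsLogName; Level = 2; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Summarise a SAML metadata document: entityID, signing certificate validity, SSO endpoints.
function Get-FederationMetadataSummary {
    param([Parameter(Mandatory)][string]$Url)
    [xml]$md = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
    # KeyDescriptor without a use attribute is valid for both signing and encryption.
    $certs = $md.SelectNodes('//md:KeyDescriptor[not(@use) or @use="signing"]//ds:X509Certificate', $ns) |
        ForEach-Object {
            $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$bytes)
            [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
        }
    [pscustomobject]@{
        EntityId     = $entity.GetAttribute('entityID')
        SigningCerts = $certs
        SsoEndpoints = $md.SelectNodes('//md:SingleSignOnService', $ns) | ForEach-Object { "$($_.GetAttribute('Binding')) -> $($_.GetAttribute('Location'))" }
    }
}

# 1. What AD FS has logged recently.
Get-RecentAdfsErrors -Hours 2 | Format-Table -AutoSize

# 2. What each side currently publishes.
Get-FederationMetadataSummary -Url "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
Get-FederationMetadataSummary -Url $VidmMetadataUrl

# 3. What AD FS has registered for the claims provider trust: Identifier must equal the IdP entityID,
#    SignatureAlgorithm must match step 12, and the token-signing certificate must not have expired.
Get-AdfsClaimsProviderTrust |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = 'TokenSigningCertExpires'; e = { ($_.TokenSigningCertificates | Select-Object -First 1).NotAfter } } |
    Format-List
```

If the thumbprint published in the VMware Identity Manager metadata differs from the certificate registered on the claims provider trust, re-import the IdP metadata into AD FS; if the entityIDs differ, the trust was built from stale metadata. Event log messages that mention an unexpected NameID or a missing WindowsAccountName point at the Name ID format and custom value configured in steps 13 to 15.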
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2016 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.