This guide describes steps to configure and test Azure Active Directory as a federation Identity Provider (IDP) and VMware Identity Manager as a Federation Service Provider (SP).
Assumptions:
The following assumptions are made for this guide:
- A SaaS tenant of VMware Identity Manager
- Azure Active Directory (AD) Premium subscription
Prerequisites:
- At least one test user account in Azure AD Premium
- At least one corresponding test user account in VMware Identity Manager
Configure Azure AD
VMware Identity Manager can federate with Azure AD as a custom application in the app gallery.
Sign into the Azure management portal using your Azure Active Directory administrator account, and browse to:
Active Directory > [Your Directory] > Applications section, select Add, and then Add an application from the gallery.
In the app gallery, add an unlisted app using the Custom category on the left. Enter a name for your VMware Identity Manager app.
Select Configure Single Sign-On.
Select Microsoft Azure AD Single Sign-On
The Configure App Settings screen requires SP metadata information from your VMware Identity Manager tenant.
The Identity Manager SP metadata is available at https://[your_tenant].vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml.
Open https://[your_tenant].vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml in a web browser.
Copy the following SP metadata values from VMware Identity Manager into the Azure AD configuration wizard:
- EntityID = IDENTIFIER
- HTTP-POST Assertion Consumer Service URL = REPLY URL
Click Next arrow.
Click Download Metadata (XML) to download Azure AD IDP metadata. This will be used when configuring SP federation connection in VMware Identity Manager.
Click Next arrow.
Complete the configuration wizard.
Assign App to user
Assign a test user account to the newly created/federated "VMware Identity Manager" app.
Click Assign accounts.
Select a user and assign the app.
At this stage we have configured the IDP connection in Azure AD and assigned the VMware Identity Manager app to a user. Now we need to configure the VMware SP connection.
Configure VMware Identity Manager SP connection
Log into your VMware Identity Manager tenant as an admin user and navigate to:
Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP
Give a name to this Identity Provider (e.g. Azure AD).
The Azure AD Identity Provider metadata file was downloaded in one of the steps above. Open this file in a text editor, copy/paste the Azure AD IDP metadata into the Identity Provider Metadata (URL or XML) text box and press the Process IdP Metadata button. There should be no error messages.
Under Name ID format mapping from SAML Response, add two mappings as below:
Under Users, select the user store for your test user(s).
Under Network, select All Ranges
Under Authentication Methods, select “urn:oasis:names:tc:SAML:2.0:ac:classes:Password”.
Also name the authentication method (e.g. AzureAD-Password).
Click the Add button at the bottom of the page to save the SP connection configuration. The following screenshots depict all settings.
Under Identity & Access Management > Policies, select default_access_policy_set
Under Policy Rules, select Device Type Web Browser (note: feel free to try out other device types as well).
Under Edit Policy Rule, select the newly created Azure AD Authentication Method (e.g. AzureAD-Password).
Save changes.
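The two metadata exchanges above (the SP EntityID and HTTP-POST Assertion Consumer Service URL copied into the Azure AD wizard, and the Azure AD IDP metadata pasted into Identity Manager) can be extracted and sanity-checked with the script below. It is an added example, not code from this guide, VMware or Microsoft, and it runs on constructed sample metadata: the tenant name, tenant ID and certificate bytes are placeholders, and the element layout is assumed to match what the real sp.xml and Azure AD metadata files contain.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata (placeholder tenant), shaped like sp.xml:
# several ACS endpoints, only the HTTP-POST one is the Azure "REPLY URL".
SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://example-tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml">
 <md:SPSSODescriptor>
  <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
   Location="https://example-tenant.vmwareidentity.com/SAAS/auth/saml/response"/>
  <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://example-tenant.vmwareidentity.com/SAAS/auth/saml/response"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed sample IDP metadata (all-zero tenant ID placeholder); the
# certificate body is placeholder bytes, not a real X.509 certificate.
IDP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor></EntityDescriptor>""" % base64.b64encode(b"placeholder-der-bytes").decode()

def sp_values(xml_text):
    """Return (IDENTIFIER, REPLY URL) to enter in the Azure AD wizard."""
    root = ET.fromstring(xml_text)
    acs = [a.get("Location") for a in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)
           if a.get("Binding") == HTTP_POST]
    if len(acs) != 1:  # refuse to guess if the SP advertises zero or several POST endpoints
        raise ValueError("expected exactly one HTTP-POST ACS, found %d" % len(acs))
    return root.get("entityID"), acs[0]

def idp_values(xml_text):
    """Return (entityID, SSO URL, SHA-256 fingerprint of the IDP signing cert)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS).get("Location")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert.split()))  # PEM bodies usually carry line breaks
    return root.get("entityID"), sso, hashlib.sha256(der).hexdigest()
```

Run it against the real sp.xml and the downloaded Azure AD metadata to confirm the two values you typed into the wizard and to record which signing certificate the SP connection trusts.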
Let's Test Now
Make sure you have a user account in VMware Identity Manager that maps to a user account in Azure AD.
Two user authentication flows can be tested:
- IDP initiated authentication
To test this flow, go to:
http://myapps.microsoft.com, log in with your test user account and click on the VMware Identity Manager app icon.
Here's a video of this authentication flow:
- SP initiated authentication
To test this flow, go to:
https://[your_tenant].vmwareidentity.com.
Here's a video of this authentication flow: