Use Case:
Configure VMware Identity Manager as a trusted federation Service Provider (SP) with OneLogin as the Identity Provider (IDP).
Prerequisites:
- Access to VMware Identity Manager administrative interface.
- Access to OneLogin administrative interface.
- At least one test user account in VMware Identity Manager and in OneLogin. For this tutorial the user's email address must match in both systems, because the emailAddress NameID that OneLogin sends is what VMware Identity Manager uses to look up the user.
Approach and Steps:
We will use the OneLogin "SAML Test Connector" to set up VMware Identity Manager as a federated application. The OneLogin SAML Test Connector allows you to build custom application connectors for applications that are not found in the OneLogin catalog. The following steps will be configured:
- Identify VMware Identity Manager Service Provider metadata.
- Configure VMware Identity Manager as custom application (Service Provider) in OneLogin.
- Assign VMware Identity Manager to users in OneLogin.
- Generate OneLogin IDP metadata.
- Configure OneLogin as third party Identity Provider in VMware Identity Manager.
- Test federation connection for IDP and SP initiated authentication flows.
Detailed steps are provided below.
1. Identify VMware Identity Manager Service Provider metadata
- Log into VMware Identity Manager admin console and navigate to Catalog > Settings > SAML Metadata > Service Provider (SP) metadata.
- Keep SP metadata open in a web browser window. This will be needed in the next step.
2. Configure VMware Identity Manager as custom application (Service Provider) in OneLogin.
- Log in to your OneLogin tenant with an Admin account.
- Navigate to Apps > Add Apps.
- Search for 'SAML Test Connector' and select the first search result.
Additional information on the OneLogin Test Connectors is available in the OneLogin Help Center article "How to Use the OneLogin SAML Test Connector".
- Enter a Display Name (e.g. VMware Identity Manager) and click Save.
- Under the Configuration tab, enter the following values, taken from the VMware Identity Manager SP SAML metadata (Step 1):
entityID ==> Audience
Example: https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml
HTTP-POST Location ==> Recipient
Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response
HTTP-POST Location ==> ACS (Consumer) URL Validator
Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response
(OneLogin evaluates this field as a regular expression. The literal URL works because "." matches any character; the anchored, escaped form ^https://acmecorp\.vmwareidentity\.com/SAAS/auth/saml/response$ accepts only the exact ACS URL.)
HTTP-POST Location ==> ACS (Consumer) URL
Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response
- Click Save
- Under the Parameters tab, map the NameID parameter to "Email", so the Subject NameID in the assertion carries the user's email address.
- Open the SSO tab and keep it open. Its Issuer URL, SAML 2.0 Endpoint (HTTP) and X.509 Certificate are used in the next step to build the OneLogin IDP metadata.
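The mapping in Step 2 can be done by hand from the browser window, but reading the values out of the SP metadata programmatically avoids copy-and-paste mistakes and lets you check that the endpoint you are about to trust is the HTTP-POST one and is served over HTTPS. The script below is an added example and not part of the original tutorial or of either product; the SP metadata it parses is a constructed sample modelled on the acmecorp URLs above, not a real export. It also produces the stricter regular-expression form of the ACS URL Validator, since OneLogin evaluates that field as a regex.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata, modelled on the acmecorp example in the
# tutorial; it is not a real export from VMware Identity Manager.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def onelogin_fields_from_sp_metadata(xml_text: str) -> dict:
    """Extract the values the OneLogin Configuration tab asks for.

    Only metadata exported from your own tenant should be parsed here; for
    untrusted XML use defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")

    # Step 2 maps the HTTP-POST AssertionConsumerService Location to the
    # Recipient and ACS fields; ignore any other bindings the SP advertises.
    post_acs = [
        e for e in root.iter(f"{{{MD}}}AssertionConsumerService")
        if e.get("Binding") == HTTP_POST
    ]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    acs = next((e for e in post_acs if e.get("isDefault") == "true"), post_acs[0])
    location = acs.get("Location", "")
    if not location.startswith("https://"):
        # The IdP posts the signed assertion to this URL; refuse a plaintext endpoint.
        raise ValueError(f"ACS Location is not https: {location!r}")

    return {
        "Audience": entity_id,
        "Recipient": location,
        # The tutorial pastes the URL as-is; OneLogin evaluates this field as a
        # regular expression, so the anchored, escaped form is stricter.
        "ACS (Consumer) URL Validator": location,
        "ACS (Consumer) URL Validator (strict)": "^" + re.escape(location) + "$",
        "ACS (Consumer) URL": location,
    }


def validator_accepts(validator: str, url: str) -> bool:
    """Mimic the validator check: does the regex match the whole ACS URL?"""
    return re.fullmatch(validator, url) is not None


if __name__ == "__main__":
    for field, value in onelogin_fields_from_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{field:42s} {value}")
```

Run it against the SP metadata you saved in Step 1 and paste the printed values into the matching OneLogin fields; if you want the validator to accept only the exact ACS URL, use the "strict" form.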
3. Generate OneLogin IDP metadata
To configure a federation IDP, VMware Identity Manager needs the IDP SAML metadata as XML. OneLogin does not provide IDP metadata in XML format for this connector, so we will use a tool called samltool to build it from the values on the SSO tab. Everything that goes into IDP metadata (issuer, SSO endpoint, signing certificate) is public by design and the IDP's private signing key is never part of it, so nothing secret is pasted into the third-party site; still, compare the generated XML against the SSO tab before using it.
- Open https://www.samltool.com/idp_metadata.php.
- Copy the OneLogin IDP values from the SSO tab (Step 2) into samltool: the Issuer URL as the entity ID, the SAML 2.0 Endpoint (HTTP) as the single sign-on endpoint, and the X.509 Certificate as the public certificate.
- Ensure the NameId Format is set to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Click "Build IDP METADATA" in samltool.
- Scroll down and copy the IDP metadata to be used in Step 5.
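What samltool produces in this step is a small EntityDescriptor document, and it helps to know exactly what is in it before pasting it into VMware Identity Manager: the issuer becomes entityID, the endpoint becomes a SingleSignOnService, and the certificate is stripped of its PEM armour and embedded as bare base64 DER in ds:X509Certificate. The script below builds that document locally, so no third-party site is needed, and parses it back to show what the SP will trust. It is an added example, not the tutorial's or OneLogin's code. The issuer and endpoint URLs are constructed placeholders laid out like OneLogin's, the "certificate" is a five-byte DER SEQUENCE so the example runs offline (use the real X.509 Certificate from the SSO tab), and the HTTP-Redirect binding is an assumption; change it if your endpoint expects HTTP-POST.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholders: not a real tenant, and the "certificate" is a
# five-byte DER SEQUENCE (not a real X.509 cert) so the example runs offline.
# Replace with the Issuer URL, SAML 2.0 Endpoint (HTTP) and X.509 Certificate
# from your app's SSO tab.
ISSUER_URL = "https://app.onelogin.com/saml/metadata/000000"
SSO_ENDPOINT = "https://acmecorp.onelogin.com/trust/saml2/http-redirect/sso/000000"
PLACEHOLDER_DER = b"\x30\x03\x02\x01\x01"
PLACEHOLDER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(PLACEHOLDER_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der_b64(cert_pem: str) -> str:
    """Strip the PEM armour and return bare base64 DER, as ds:X509Certificate expects.

    Also checks that the payload is valid base64 and starts with the DER
    SEQUENCE tag (0x30), which every X.509 certificate does.
    """
    lines = [line.strip() for line in cert_pem.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("certificate payload is not DER (missing SEQUENCE tag)")
    return base64.b64encode(der).decode()


def build_idp_metadata(issuer: str, sso_url: str, cert_pem: str,
                       name_id_format: str = EMAIL_FORMAT,
                       binding: str = HTTP_REDIRECT) -> str:
    """Return the IDP EntityDescriptor XML that Step 5 pastes into VMware Identity Manager."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=issuer)
    idp = ET.SubElement(root, f"{{{MD}}}IDPSSODescriptor",
                        WantAuthnRequestsSigned="false",
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    # use="signing": the SP verifies assertion signatures with this certificate.
    key = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", use="signing")
    info = ET.SubElement(key, f"{{{DS}}}KeyInfo")
    data = ET.SubElement(info, f"{{{DS}}}X509Data")
    ET.SubElement(data, f"{{{DS}}}X509Certificate").text = pem_to_der_b64(cert_pem)
    ET.SubElement(idp, f"{{{MD}}}NameIDFormat").text = name_id_format
    ET.SubElement(idp, f"{{{MD}}}SingleSignOnService", Binding=binding, Location=sso_url)
    return ET.tostring(root, encoding="unicode")


def check_idp_metadata(xml_text: str) -> dict:
    """Parse the metadata back and return what the SP will trust from it."""
    root = ET.fromstring(xml_text)
    sso = root.find(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}SingleSignOnService")
    cert = root.find(f".//{{{DS}}}X509Certificate")
    fmt = root.find(f".//{{{MD}}}NameIDFormat")
    return {
        "entityID": root.get("entityID"),
        "sso_binding": sso.get("Binding"),
        "sso_location": sso.get("Location"),
        "name_id_format": fmt.text,
        "signing_cert_b64": cert.text,
    }


if __name__ == "__main__":
    metadata = build_idp_metadata(ISSUER_URL, SSO_ENDPOINT, PLACEHOLDER_PEM)
    print(metadata)
    for key, value in check_idp_metadata(metadata).items():
        print(f"{key:18s} {value}")
```

Whether you use samltool or this script, compare the entityID, the SingleSignOnService Location and the certificate in the XML against the SSO tab before Step 5; the certificate is what VMware Identity Manager will use to verify every assertion, so a stale or wrong one fails closed rather than open.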
4. Assign VMware Identity Manager to users in OneLogin
In OneLogin, ensure that the test users are assigned to the VMware Identity Manager application; OneLogin only issues an assertion for an application the user is assigned to. OneLogin provides various ways to assign users; for testing purposes, assign a single user under Users > All Users > [click the user name] > Applications tab, then click the '+' sign to add the application.
5. Configure OneLogin as third party Identity Provider in VMware Identity Manager
- In VMware Identity Manager admin console, navigate to Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP.
- Enter an Identity Provider Name (e.g. OneLogin).
- In "SAML Metadata" text box, paste OneLogin IDP SAML metadata from Step 3 and Click "Process IdP Metadata". Ensure there are no error messages.
- Set Name ID format to: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Under Users section, select a Directory for your test user(s).
- Under Network select ALL RANGES.
- Under Authentication Methods:
- Authentication Methods = "OneLogin_Password"
- SAML Context = urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport (the PasswordProtectedTransport authentication context; VMware Identity Manager uses it to map the AuthnContextClassRef in OneLogin's assertion to the OneLogin_Password method)
- Click Save.
- Navigate to Identity & Access Management > Policies > default_access_policy_set.
- Click on the row for device type "Web Browser"
- Select OneLogin_Password as the authentication method.
- Click OK
- Don't forget to click Save.
6. Test federation connection
- SP initiated authentication flow
This can be tested by going to your VMware Identity Manager URL; you should be redirected to OneLogin to authenticate and then returned to VMware Identity Manager.
[Video: SP-initiated login flow]
- IDP initiated authentication flow
This can be tested by signing in to your OneLogin tenant URL and launching the VMware Identity Manager application.
[Video: IDP-initiated login flow]
Also check out:
VMware Identity Manager as federated Identity Provider for OneLogin