
OneLogin as federated Identity Provider for VMware Identity Manager


Use Case:

Configure VMware Identity Manager as a trusted federation Service Provider (SP) with OneLogin as the Identity Provider (IDP).

 

Prerequisites:

  • Access to the VMware Identity Manager administrative interface.
  • Access to the OneLogin administrative interface.
  • At least one test user account in both VMware Identity Manager and OneLogin. For this tutorial, the user's email address must match in both systems.

 

Approach and Steps:

We will use the OneLogin "SAML Test Connector" to set up VMware Identity Manager as a federated application. The OneLogin SAML Test Connector allows you to build custom application connectors for applications that are not found in the OneLogin catalog. The following steps will be configured:

  1. Identify VMware Identity Manager Service Provider metadata.
  2. Configure VMware Identity Manager as a custom application (Service Provider) in OneLogin.
  3. Generate OneLogin IDP metadata.
  4. Assign VMware Identity Manager to users in OneLogin.
  5. Configure OneLogin as a third party Identity Provider in VMware Identity Manager.
  6. Test the federation connection for IDP and SP initiated authentication flows.

 

Detailed steps are provided below.

 

1. Identify VMware Identity Manager Service Provider metadata

  • Log into the VMware Identity Manager admin console and navigate to Catalog > Settings > SAML Metadata > Service Provider (SP) metadata.
  • Keep the SP metadata open in a web browser window. It will be needed in the next step.


 

2. Configure VMware Identity Manager as custom application (Service Provider) in OneLogin.

  • Log in to your OneLogin tenant with an Admin account.
  • Navigate to Apps > Add Apps.
  • Search for 'SAML Test Connector' and select the first search result.

 

Additional information on the other OneLogin Test Connectors is available here: How to Use the OneLogin SAML Test Connector – OneLogin Help Center


 

  • Enter a Display Name (e.g. VMware Identity Manager) and click Save.


 

  • Under the Configuration tab, enter the following values from the VMware Identity Manager SP SAML metadata (from Step 1):

    • entityID ==> Audience
      Example: https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml
    • HTTP-POST Location ==> Recipient
      Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response
    • HTTP-POST Location ==> ACS (Consumer) URL Validator
      Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response
    • HTTP-POST Location ==> ACS (Consumer) URL
      Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response

  • Click Save.
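All four OneLogin fields come from just two attributes of the SP metadata: entityID on the EntityDescriptor element and Location on the HTTP-POST AssertionConsumerService element. The following Python is an added example, not VMware or OneLogin code; it pulls those attributes out of a constructed sample metadata document modelled on the acmecorp URLs above and lays them out as the OneLogin field names, so you can compare against what you pasted. The sample is trimmed (real SP metadata also carries KeyDescriptor and organisation elements), and the HTTP-Artifact endpoint is included only to show that the wrong binding is skipped.

```python
"""Derive the OneLogin SAML Test Connector fields from VMware Identity Manager
SP metadata. Added example, not VMware or OneLogin code."""
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml's ElementTree

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata, modelled on the acmecorp examples in the post.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://acmecorp.vmwareidentity.com/SAAS/auth/saml/artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def onelogin_fields_from_sp_metadata(xml_text: str) -> dict:
    """Return the values to paste into OneLogin, keyed by OneLogin field name.

    Raises ValueError when the document is not SP metadata or lacks an
    HTTP-POST AssertionConsumerService, so a pasted IdP metadata file or a
    truncated copy is caught before anything is configured."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not Service Provider metadata")

    # Only the HTTP-POST binding is relevant; OneLogin posts the SAML Response to it.
    post_acs = [acs for acs in sp.findall("md:AssertionConsumerService", NS)
                if acs.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    # Prefer the endpoint marked isDefault if several HTTP-POST endpoints exist.
    chosen = next((acs for acs in post_acs if acs.get("isDefault") == "true"), post_acs[0])
    location = chosen.get("Location") or ""
    if not location.startswith("https://"):
        raise ValueError("ACS Location must be an https:// URL")

    return {
        "Audience": entity_id,
        "Recipient": location,
        # OneLogin treats the Validator as a regular expression; pasting the literal
        # URL (as the post does) works because every character matches itself.
        "ACS (Consumer) URL Validator": location,
        "ACS (Consumer) URL": location,
        # Useful to know before testing: the SP expects the IdP to sign assertions.
        "WantAssertionsSigned": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    for field, value in onelogin_fields_from_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```

Run it against your own SP metadata by replacing SAMPLE_SP_METADATA with the document from Step 1; if it raises because no SPSSODescriptor is present, you copied IdP metadata by mistake.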


 

  • Under the Parameters tab, select "Email".

 


 

  • Open the SSO tab and keep it open. This information will be used in the next step to build the OneLogin IDP metadata.

 


 

3. Generate OneLogin IDP metadata

In order to configure a federation IDP, VMware Identity Manager needs the IDP SAML metadata in XML format. However, OneLogin does not provide IDP metadata in XML format, so we will use a tool called samltool to generate the IDP SAML metadata from the values on the OneLogin SSO tab.


  • Ensure the NameId Format is set to:
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress


  • Click "Build IDP METADATA" in samltool.
  • Scroll down and copy the IDP metadata to be used in Step 5.
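If you would rather not paste an IdP's signing certificate into a third party web tool, the same document samltool builds can be produced locally. The Python below is an added example, not samltool or OneLogin code. It assumes the three values from the OneLogin SSO tab (Issuer URL, SAML 2.0 Endpoint (HTTP), and the X.509 certificate in PEM form); the issuer, endpoint and certificate body used here are constructed placeholders, not real OneLogin values. It emits an EntityDescriptor with an IDPSSODescriptor carrying the signing KeyDescriptor, the emailAddress NameIDFormat required by Step 3, and SingleSignOnService endpoints for the HTTP-Redirect and HTTP-POST bindings, then parses its own output back so you can confirm what will be pasted into Step 5.

```python
"""Build SAML 2.0 IdP metadata from the values on the OneLogin SSO tab.
Added example, not samltool or OneLogin code; all values are placeholders."""
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholders standing in for the OneLogin SSO tab values.
ISSUER_URL = "https://app.onelogin.com/saml/metadata/EXAMPLE-CONNECTOR-ID"
SSO_URL = "https://acmecorp.onelogin.com/trust/saml2/http-redirect/sso/EXAMPLE-CONNECTOR-ID"
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----"""  # not a real certificate


def pem_to_base64_body(pem: str) -> str:
    """Metadata carries the bare base64 DER, so strip the PEM armour and whitespace."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    body = "".join(body.split())
    if not body or not re.fullmatch(r"[A-Za-z0-9+/=]+", body):
        raise ValueError("certificate body is empty or not base64")
    return body


def build_idp_metadata(issuer: str, sso_url: str, cert_pem: str) -> str:
    """Return IdP metadata XML for the given issuer, SSO endpoint and signing cert."""
    for url in (issuer, sso_url):
        if not url.startswith("https://"):
            raise ValueError(f"refusing non-HTTPS URL in IdP metadata: {url}")
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=issuer)
    idp = ET.SubElement(ed, f"{{{MD}}}IDPSSODescriptor",
                        WantAuthnRequestsSigned="false",
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    # Schema order inside IDPSSODescriptor: KeyDescriptor, NameIDFormat, SingleSignOnService.
    kd = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_to_base64_body(cert_pem)
    ET.SubElement(idp, f"{{{MD}}}NameIDFormat").text = EMAIL_FORMAT
    for binding in (HTTP_REDIRECT, HTTP_POST):
        ET.SubElement(idp, f"{{{MD}}}SingleSignOnService", Binding=binding, Location=sso_url)
    return ET.tostring(ed, encoding="unicode")


def describe_idp_metadata(xml_text: str) -> dict:
    """Parse IdP metadata back into the few values Step 5 depends on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    return {
        "entityID": root.get("entityID"),
        "nameid_format": idp.findtext("md:NameIDFormat", namespaces=NS),
        "sso": {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)},
        "cert": idp.findtext("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                             namespaces=NS),
    }


if __name__ == "__main__":
    metadata = build_idp_metadata(ISSUER_URL, SSO_URL, CERT_PEM)
    print(metadata)
    print(describe_idp_metadata(metadata))
```

The certificate in the metadata is what VMware Identity Manager will use to verify OneLogin's signatures, so check with describe_idp_metadata that the base64 body matches the certificate shown on the SSO tab before pasting the document in Step 5.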


 

4. Assign VMware Identity Manager to users in OneLogin

In OneLogin, ensure that users are assigned to the VMware Identity Manager application. OneLogin provides various ways to assign users; for testing purposes, assign a single user under "Users" > "All Users" > [click on user name] > "Applications" tab. Click the '+' sign to assign your test user to the application.


 

5. Configure OneLogin as third party Identity Provider in VMware Identity Manager

  • In VMware Identity Manager admin console, navigate to Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP.



  • Enter an Identity Provider Name (e.g. OneLogin).
  • In the "SAML Metadata" text box, paste the OneLogin IDP SAML metadata from Step 3 and click "Process IdP Metadata". Ensure there are no error messages.


  • Set Name ID format to:
    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress


  • Under Users section, select a Directory for your test user(s).
  • Under Network select ALL RANGES.
  • Under Authentication Methods:
    • Authentication Methods = "OneLogin_Password"
    • SAML Context = PasswordProtectedProtocol
  • Click Save.




  • Navigate to Identity & Access Management > Policies > default_access_policy_set.
  • Click on the row for device type "Web Browser".
  • Select OneLogin_Password as the authentication method.
  • Click OK.


  • Don't forget to click Save.


 

6. Test federation connection

  • SP initiated authentication flow

     This can be tested by going to your VMware Identity Manager URL. The following video demonstrates this login flow:

     https://youtu.be/EK--F5LQSvg

  • IDP initiated authentication flow

     This can be tested by going to your OneLogin tenant URL. The following video demonstrates this login flow:

     https://youtu.be/ZXskGrRV3MM
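When either test flow fails, the reason is almost always one of the values configured in Steps 2, 3 and 5 not lining up with what the SP checks in the SAML Response. The Python below is an added example, not VMware Identity Manager code: it runs those checks (Issuer against the IdP entityID, Recipient and Destination against the ACS URL, Audience against the SP entityID, NameID format emailAddress, validity window, and the authentication context) over a constructed, unsigned SAML Response built from the acmecorp URLs in this post and a placeholder OneLogin issuer. It assumes the SAML context chosen in Step 5 corresponds to the standard PasswordProtectedTransport class, and it assumes the XML signature has already been verified against the certificate in the IdP metadata; that verification is the first thing a real SP does and needs an XML-DSig library, so it is deliberately not reproduced here.

```python
"""SP-side sanity checks on a SAML Response, mirroring the settings made in
Steps 2, 3 and 5. Added example, not VMware Identity Manager code; signature
verification is assumed to have happened before these checks run."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml's ElementTree

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Expected values: the acmecorp examples from the post plus a constructed IdP issuer.
SP_ENTITY_ID = "https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml"
ACS_URL = "https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response"
IDP_ISSUER = "https://app.onelogin.com/saml/metadata/EXAMPLE-CONNECTOR-ID"  # placeholder

# Constructed, unsigned SAML Response template (real responses carry ds:Signature).
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2016-12-16T17:00:00Z" Destination="{acs}">
  <saml:Issuer>{idp}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-12-16T17:00:00Z">
    <saml:Issuer>{idp}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{fmt}">{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs}" NotOnOrAfter="2016-12-16T17:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-12-16T16:57:00Z" NotOnOrAfter="2016-12-16T17:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-12-16T16:59:50Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def sample_response(**overrides) -> str:
    """Render the constructed response; overrides let a test break one field at a time."""
    values = dict(acs=ACS_URL, idp=IDP_ISSUER, fmt=EMAIL_FORMAT,
                  email="testuser@acmecorp.example", aud=SP_ENTITY_ID, ctx=PASSWORD_PROTECTED)
    values.update(overrides)
    return RESPONSE_TEMPLATE.format(**values)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, now: datetime, sp_entity_id: str = SP_ENTITY_ID,
                    acs_url: str = ACS_URL, idp_issuer: str = IDP_ISSUER) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        problems.append("Response Destination is not the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plain Assertion (encrypted assertions are not handled here)"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_issuer:
        problems.append(f"Issuer {issuer!r} is not the configured IdP entityID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress; the user will not be matched by email")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    elif scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion is outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not include the SP entityID")
    ctx = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                             default="", namespaces=NS)
    if ctx != PASSWORD_PROTECTED:
        problems.append(f"AuthnContextClassRef {ctx!r} is not PasswordProtectedTransport")
    return problems


if __name__ == "__main__":
    print(check_assertion(sample_response(), _ts("2016-12-16T17:00:30Z")) or "all checks passed")
```

Each message maps back to a step in this post: an Audience mismatch means the entityID pasted into OneLogin in Step 2 is wrong, a Recipient mismatch points at the ACS fields from the same step, a NameID problem at the Parameters tab or the Name ID format chosen in Steps 3 and 5, and an AuthnContext problem at the SAML Context selected in Step 5.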

 

Also check out:

VMware Identity Manager as federated Identity Provider for OneLogin

