This guide describes how to configure and test Azure Active Directory as a federation Identity Provider (IDP) and VMware Identity Manager as a federation Service Provider (SP).
Assumptions:
The following assumptions are made for this guide:
- A SaaS tenant of VMware Identity Manager
- Azure Active Directory (AD) Premium subscription
Prerequisites:
- At least one test user account in Azure AD Premium
- At least one corresponding test user account in VMware Identity Manager
Configure Azure AD
VMware Identity Manager can federate with Azure AD as a custom application in the app gallery.
Sign in to the Azure management portal with your Azure Active Directory administrator account and browse to:
Active Directory > [Your Directory] > Applications. Select Add, then Add an application from the gallery.
In the app gallery, add an unlisted app using the Custom category on the left. Enter a name for your VMware Identity Manager app.
Select Configure Single Sign-On, then Microsoft Azure AD Single Sign-On.
The Configure App Settings screen requires SP metadata information from your VMware Identity Manager tenant.
The Identity Manager SP metadata is published at https://[your_tenant].vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml; open that URL in a web browser.
Copy the following SP metadata values from VMware Identity Manager into the Azure AD configuration wizard:
- EntityID = IDENTIFIER
- HTTP-POST Assertion Consumer Service URL = REPLY URL
If the metadata lists more than one AssertionConsumerService, use the Location of the one whose Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST; that is the endpoint Azure AD will POST the SAML response to. Azure AD also uses the IDENTIFIER as the Audience of the assertion, so a typo here produces assertions VMware Identity Manager rejects.
Click Next arrow.
Click Download Metadata (XML) to download the Azure AD IDP metadata. This file carries Azure AD's entity ID, single sign-on endpoint and signing certificate, and is used later when configuring the federation connection in VMware Identity Manager.
Click the Next arrow.
Complete the configuration wizard.
Assign App to user
Assign the newly created VMware Identity Manager app to a test user account: click Assign accounts, select the user, and click Assign. The app tile appears in the user's app panel only once the user has been assigned.
At this stage the IDP connection is configured in Azure AD and the VMware Identity Manager app is assigned to a user. Next, configure the SP side of the federation in VMware Identity Manager.
Configure VMware Identity Manager SP connection
Log into your VMware Identity Manager tenant as an admin user and navigate to:
Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP
Give a name to this Identity Provider (e.g. Azure AD).
The Azure AD IDP metadata file was downloaded in an earlier step. Open it in a text editor, paste its contents into the Identity Provider Metadata (URL or XML) text box, and click the Process IdP Metadata button. There should be no error messages; processing the metadata gives VMware Identity Manager the Azure AD entity ID, single sign-on endpoint and the certificate it will use to verify the signature on Azure AD's SAML responses.
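The two metadata steps above (copying EntityID and the HTTP-POST Assertion Consumer Service URL into Azure AD, and processing the downloaded Azure AD metadata here) are done by hand in the portals. The following Python is an added example, not part of the original guide or of either product, that pulls the same values out of both documents and fails loudly when a document is missing what the other side needs. Both metadata strings are constructed samples shaped like the real documents; the tenant name example-tenant, the all-zero tenant ID, the endpoint paths and the placeholder certificate are assumptions, not values from the page.

```python
"""Pull the federation values this guide copies by hand out of the two SAML metadata documents.

Added example, not part of the original guide. Both metadata strings are constructed
samples shaped like the real documents; tenant name, tenant ID, paths and the
certificate are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for https://[your_tenant].vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://example-tenant.vmwareidentity.com/SAAS/auth/saml/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.vmwareidentity.com/SAAS/auth/saml/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the file behind "Download Metadata (XML)" in the Azure AD wizard
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder-base64-certificate...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sp_values_for_azure(sp_metadata_xml: str) -> dict:
    """The two fields the Azure AD wizard asks for, taken from the SP metadata.

    IDENTIFIER is the SP entityID; REPLY URL is the HTTP-POST AssertionConsumerService.
    """
    root = ET.fromstring(sp_metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor")
    post = [a for a in sp.findall("md:AssertionConsumerService", NS)
            if a.get("Binding") == HTTP_POST]
    if not post:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    # Prefer the endpoint flagged isDefault when several HTTP-POST endpoints are listed.
    default = [a for a in post if a.get("isDefault") == "true"] or post
    return {
        "IDENTIFIER": root.get("entityID"),
        "REPLY URL": default[0].get("Location"),
        # Not a wizard field, but it tells you whether the IdP must sign the assertion.
        "WantAssertionsSigned": sp.get("WantAssertionsSigned") == "true",
    }


def idp_summary(idp_metadata_xml: str) -> dict:
    """What VMware Identity Manager learns when it processes the Azure AD IdP metadata."""
    root = ET.fromstring(idp_metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = [c.text.strip()
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")   # no 'use' means signing and encryption
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             if c.text]
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate; responses could not be verified")
    if HTTP_REDIRECT not in sso and HTTP_POST not in sso:
        raise ValueError("IdP metadata has no usable SingleSignOnService binding")
    return {
        "entityID": root.get("entityID"),
        "sso_redirect": sso.get(HTTP_REDIRECT),
        "sso_post": sso.get(HTTP_POST),
        "signing_cert_count": len(certs),
    }


if __name__ == "__main__":
    print("Azure AD wizard fields:", sp_values_for_azure(SP_METADATA))
    print("What vIDM learns from Azure AD:", idp_summary(IDP_METADATA))
```

To use it against a real tenant, replace SP_METADATA with the body fetched from the sp.xml URL and IDP_METADATA with the downloaded Azure AD file; the ValueError branches are the cases where the portal wizards would otherwise accept a value that the other side can never match.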
Under Name ID format mapping from SAML Response, add two mappings. Each mapping ties a NameID format that Azure AD may send to the VMware Identity Manager user attribute the NameID value is matched against; if the NameID in Azure AD's assertion does not resolve to an existing user through one of these mappings, the login fails even though the SAML response itself is valid.
Under Users, select the user store for your test user(s)
Under Network, select All Ranges
Under Authentication Methods, select “urn:oasis:names:tc:SAML:2.0:ac:classes:Password” and give the authentication method a name (e.g. AzureAD-Password).
VMware Identity Manager matches this SAML authentication context class against the AuthnContextClassRef carried in Azure AD's assertion, so it must be the class Azure AD actually returns for a password login.
Click the Add button at the bottom of the page to save the identity provider configuration.
Under Identity & Access Management > Policies, select default_access_policy_set
Under Policy Rules, select Device Type Web Browser (note: feel free to try out other device types as well)
Under Edit Policy Rule, select the newly created Azure AD authentication method (e.g. AzureAD-Password) and save the changes.
This rule now sends every browser login, including administrators, to Azure AD. While testing, keep the previous authentication method as the next option in the rule (the "if the preceding method fails" chain) so that a misconfigured federation does not lock everyone out of the tenant.
Let's Test Now
Make sure you have a user account in VMware Identity Manager that maps to a user account in Azure AD.
Two user authentication flows can be tested:
- IDP initiated authentication
To test this flow, go to https://myapps.microsoft.com, log in with your test user account and click the VMware Identity Manager app icon.
Azure AD posts an unsolicited SAML response to the Reply URL; you should land in the VMware Identity Manager portal without being asked for credentials again.
- SP initiated authentication
To test this flow, go to https://[your_tenant].vmwareidentity.com.
Because the Web Browser rule in default_access_policy_set now points at the Azure AD authentication method, VMware Identity Manager redirects the browser to Azure AD, which returns a SAML response to the Reply URL after the user logs in.
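When either flow fails, the SAMLResponse form field that the browser POSTs to the VMware Identity Manager endpoint tells you which of the settings above does not line up. The following Python is an added example, not code from the original guide or from either product: it decodes a captured SAMLResponse and reports every mismatch against the values this guide configures (the SP entityID used as IDENTIFIER, the Password authentication context class, the Azure AD issuer) plus the assertion's validity window. The embedded response is a constructed, unsigned sample of the shape Azure AD sends; the tenant name, tenant ID, test user and timestamps are assumptions. Signature verification is deliberately out of scope here; the script explains why a correctly signed response can still be rejected.

```python
"""Decode a captured SAMLResponse and compare it with the federation settings in this guide.

Added example, not part of the original guide. The sample response is constructed and
unsigned; EXPECTED_* values are placeholders matching the constructed sample.
Signatures are not verified here.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the guide configures (placeholders): IDENTIFIER in Azure AD, the method from the
# Authentication Methods step, and the entity ID taken from the Azure AD metadata.
EXPECTED_AUDIENCE = "https://example-tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml"
EXPECTED_AUTHN_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
EXPECTED_IDP = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed, unsigned sample in the shape Azure AD posts to the Reply URL.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://example-tenant.vmwareidentity.com/SAAS/auth/saml/response">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00.1234567Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example-tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
# The HTTP-POST binding carries the XML as plain base64 (no deflate), as captured from the browser.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp; Azure AD may emit up to seven fractional digits."""
    head, _, frac = value.rstrip("Z").partition(".")
    ts = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return ts.replace(microsecond=int(frac[:6].ljust(6, "0"))) if frac else ts


def parse_saml_response(b64: str) -> dict:
    """Pull the fields vIDM's checks depend on out of a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    cond = assertion.find("saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "audiences": [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "authn_class": assertion.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
    }


def check_response(b64: str, now_utc: str) -> list:
    """Reasons the response would not log the user in; an empty list means it lines up."""
    r, now, problems = parse_saml_response(b64), _ts(now_utc), []
    if r["status"] != SUCCESS:
        problems.append(f"status {r['status']}")
    if r["issuer"] != EXPECTED_IDP:
        problems.append(f"issuer {r['issuer']} is not the processed Azure AD entity ID")
    if EXPECTED_AUDIENCE not in r["audiences"]:
        problems.append("Audience does not name the SP entityID (check IDENTIFIER in Azure AD)")
    if r["authn_class"] != EXPECTED_AUTHN_CLASS:
        problems.append(f"AuthnContextClassRef {r['authn_class']} does not match the selected method")
    if not r["name_id"]:
        problems.append("empty NameID: nothing for the Name ID format mapping to resolve")
    if now < r["not_before"]:
        problems.append("NotBefore is in the future (clock skew between IdP and SP)")
    if now >= r["not_on_or_after"]:
        problems.append("NotOnOrAfter has passed (expired or replayed response)")
    return problems


if __name__ == "__main__":
    print(parse_saml_response(SAMPLE_SAMLRESPONSE))
    print("problems:", check_response(SAMPLE_SAMLRESPONSE, "2024-01-01T12:00:30Z"))
```

Replace SAMPLE_SAMLRESPONSE with the value copied from the browser's developer tools and the EXPECTED_* constants with your tenant's values; the NameID and its Format in the output are what the Name ID format mapping step has to resolve to an existing user.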