This guide provides a step-by-step process to configure Workspace ONE to authenticate via SAML Just-in-Time Provisioning with a Google Directory.
User provisioning is done just-in-time during user authentication.
The end result is that a user who does not initially exist in the VMware Identity Manager Users list is provisioned in the VMware Identity Manager tenant:
- The user either (a) navigates to the WS1 tenant URL in a browser, or (b) downloads the WS1 app and enters the tenant URL.
- The app presents Google's SAML authentication screen (the user should not see the VMware Identity Manager sign-in screen). The user enters their username and password.
- Upon successful login, the user is presented with the Catalog.
- The user is provisioned in the VMware Identity Manager directory.
Configuration Steps
The attached PDF includes screenshots to assist the configuration steps.
Step 1: Collect required information from the VMware Identity Manager tenant
- Save User Attributes values that need to be pulled in, such as: userName, firstName, lastName, email.
- Under Catalog > Settings > SAML Metadata, click "Service Provider (SP) metadata" and save the following values from the XML:
  - ACS URL: the Location attribute of the AssertionConsumerService element whose Binding is "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  - Entity ID: the entityID attribute of the EntityDescriptor element on the first line
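Copying these two values by hand from the XML is error-prone, and a mistyped ACS URL or Entity ID silently breaks the SAML exchange. As an added example (not part of the original guide), the following Python script extracts exactly the two values described above from SP metadata; the embedded metadata is a constructed sample with placeholder hostnames, standing in for the file downloaded from the tenant.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace and the binding the guide asks for.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for the XML downloaded from
# Catalog > Settings > SAML Metadata > Service Provider (SP) metadata.
# tenant.example.com is a placeholder, not a real tenant.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tenant.example.com/sp/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://tenant.example.com/sp/artifact" index="0"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.example.com/sp/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_values(metadata_xml: str) -> dict:
    """Return the entityID and the HTTP-POST ACS URL from SP metadata.

    Raises ValueError when either value is missing, so a truncated or
    mis-copied metadata file fails loudly instead of yielding a blank field.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML metadata EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")

    # Several ACS endpoints may be listed; only the HTTP-POST one is wanted.
    acs_url = None
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        if acs.get("Binding") == HTTP_POST:
            acs_url = acs.get("Location")
            break
    if not acs_url:
        raise ValueError("no AssertionConsumerService with HTTP-POST binding")
    return {"entity_id": entity_id, "acs_url": acs_url}


if __name__ == "__main__":
    for key, value in extract_sp_values(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real download (read the file into `extract_sp_values`) and paste the printed values into the Google SAML app rather than retyping them.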
Step 2: Create a SAML App in the Google Admin Console
- Log in to admin.google.com and go to Apps > SAML apps > Enable SSO for a SAML Application.
- Click Setup my Own Custom App.
- Under Option 2, click Download IDP Metadata.
- Enter an Application Name and, optionally, a Description.
- Enter the Service Provider details:
  - ACS URL and Entity ID from Step 1.
  - NameID = Primary Email, NameIDFormat = Email
- Edit the Attribute Mapping to pass the user values you need, such as firstName, lastName and email.
  - Make sure these attribute names match the User Attributes in the VMware Identity Manager tenant under Identity & Access Management > Setup > User Attributes.
  - The required attribute is userName.
- Ensure the SAML application is turned ON for your set of users.
Step 3: Follow the steps in the VMware Identity Manager Administration Guide > Just-in-Time User Provisioning > Configuring Just-in-Time User Provisioning
- Create a Third-Party IdP under Identity & Access Management > Identity Providers.
- Copy the IdP metadata downloaded from the Google Admin Console in Step 2 and paste it under SAML Metadata.
- Click Process IdP Metadata.
- Set NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified and NameIDValue to username.
- Set NameIDPolicy to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- Enable Just-in-Time User Provisioning and enter the Domain from the G Suite application.
- Give the Authentication Method an identifiable name, then set SAML Context to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.
- Save.
Step 4: Configure the Policies to use the Authentication Method from the IdP created in Step 3
Once complete, a user who does not exist in the VMware Identity Manager directory should be able to authenticate through the Workspace ONE login and be provisioned into the VMware Identity Manager directory.