Channel: VMware Communities : Blog List - All Communities

Integrating Workspace ONE with Google Directory as Third-party IDP via SAML JIT User Provisioning


This guide provides a step-by-step process to configure Workspace ONE to authenticate via SAML Just-in-Time Provisioning with a Google Directory.

User provisioning is done just-in-time during user authentication.

 

The end result is that a user who does not initially exist in the VMware Identity Manager Users list gets provisioned in the VMware Identity Manager tenant:

  1. The user either (a) navigates to the WS1 tenant via URL, or (b) downloads the WS1 App and enters the Tenant URL.
  2. The app presents Google’s SAML Authentication screen (note: the user should not see the VMware Identity Manager sign-in screen). The user enters username and password.
  3. Upon successful login, the user is presented with the Catalog.
  4. The user gets provisioned in the VMware Identity Manager Directory.

 

Configuration Steps

 

The attached PDF includes screenshots to assist the configuration steps.

 

  1. Collect required information from the VMware Identity Manager tenant
    1. Save the User Attribute values that need to be pulled in, such as: userName, firstName, lastName, email.
    2. Under Catalog > Settings > SAML Metadata, click “Service Provider (SP) metadata.” Save the following data from the XML:
        1. ACS URL: the value of Location="ACSURL" in the AssertionConsumerService element with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".
        2. Entity ID: the value of entityID="EntityID" in the first line.
  2. Create a SAML App in the Google Admin Console

    1. Log in to admin.google.com, go to Apps > SAML apps > Enable SSO for a SAML Application.
    2. Click Setup my Own Custom App.
    3. Under Option 2, click Download IDP Metadata.
    4. Enter an Application Name and Description (optional).
    5. Enter the Service Provider details:
      1. ACS URL and Entity ID from Step 1.
      2. NameID = Primary Email, NameIDFormat = Email.
    6. Edit the Attribute Mapping to pull in the user values you need, such as firstName, lastName, email, etc.
      1. Make sure these values match the User Attributes in the VMware Identity Manager tenant under Identity & Access Management > Setup > User Attributes.
      2. The required field is userName.
    7. Ensure the SAML Application is ON for your set of users.
  3. Follow the steps in VMware Identity Manager Administration Guide > Just-in-Time User Provisioning > Configuring Just-in-Time User Provisioning.

    1. Create a Third-Party IdP under Identity & Access Management > Identity Providers.
    2. Copy the IDP Metadata that was downloaded from the Google Admin Console in Step 2 and paste it under SAML Metadata.
    3. Click Process IdP Metadata.
    4. Set NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified and NameIDValue to username.
    5. Set NameIDPolicy to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
    6. Enable Just-in-Time User Provisioning. Enter the Domain from the GSuite Application.
    7. Give the Authentication Method an identifiable name, then set SAML Context to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.
    8. Save.
  4. Configure the Policies to use the Authentication Method from the IdP that was created in Step 3.

Once complete, a user that does not exist in the VMware Identity Manager Directory should be able to authenticate through the WorkspaceONE login and get provisioned into the VMware Identity Manager Directory.
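Two small checks for the steps above, written as an added example (not part of the original post or any VMware tooling): pulling the Entity ID and HTTP-POST ACS URL out of SP metadata (Step 1.2), and confirming that an IdP assertion carries the attributes the mapping in Step 2.6 is supposed to deliver, with userName as the required one. The XML documents and the TENANT-PLACEHOLDER host are constructed samples.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Attributes the Google attribute mapping is expected to deliver (Step 2.6);
# userName is the one the post marks as required for JIT provisioning.
REQUIRED_ATTRS = {"userName"}
EXPECTED_ATTRS = {"userName", "firstName", "lastName", "email"}

def sp_details(metadata_xml: str) -> dict:
    """Extract entityID and the HTTP-POST ACS URL from SP metadata (Step 1.2)."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService"
                    f"[@Binding='{HTTP_POST}']", NS)
    if acs is None:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location")}

def check_assertion(assertion_xml: str) -> dict:
    """Report NameID format and any expected attributes missing from an assertion."""
    root = ET.fromstring(assertion_xml)
    present = {a.get("Name") for a in
               root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return {"name_id_format": None if name_id is None else name_id.get("Format"),
            "missing_required": sorted(REQUIRED_ATTRS - present),
            "missing_optional": sorted(EXPECTED_ATTRS - REQUIRED_ATTRS - present)}

# Constructed sample documents; TENANT-PLACEHOLDER stands for the tenant host.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://TENANT-PLACEHOLDER/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://TENANT-PLACEHOLDER/SAAS/auth/saml/response" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userName"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(sp_details(SP_METADATA))
    print(check_assertion(SAMPLE_ASSERTION))  # lastName and email not mapped yet
```

The sample assertion deliberately omits lastName and email so the report shows what an incomplete attribute mapping looks like; a missing userName is flagged separately because JIT provisioning cannot create the user without it.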

