Channel: VMware Communities : Blog List - All Communities

Using Workspace ONE Access as a Claims Provider in ADFS


For updates on this blog and other blogs: Follow @SteveIDM

There are many use cases for integrating ADFS with Workspace ONE. In this blog, I'm going to focus on the use case of using Workspace ONE as a claims provider. The VMware documentation for integrating ADFS and Workspace ONE is quite good; please reference the VMware documentation for the official steps on this integration. My blog is intended to complement the official documentation.

 

In this blog, we will focus on:

Warning - Do NOT perform any of these steps on a production ADFS server without testing in a lower environment. Once you add a second claims provider it will change the sign-in experience for your users, because ADFS will start showing the Home Realm Discovery page.

Creating Workspace ONE Access as a Claims Provider

Download Workspace ONE Access Metadata

  1. Log into your Workspace ONE Access Administration Console.
  2. Go to Catalog -> Web Apps
  3. Click on Settings
  4. Click on SAML Metadata
  5. Right-Click and Download your Identity Provider (IdP) Metadata.

 

Create your Claims Provider Trust


  1. Launch your ADFS Management Console
  2. Right Click on Claims Provider Trust and click "Add Claims Provider Trust"
  3. Click Start
  4. Select "Import data about the claims provider from a file"
  5. Select the Workspace ONE Metadata file you just downloaded.
  6. Click Next
  7. Select a Display Name that is recognizable to your users. This name will appear on the ADFS Home Realm Discovery Page.
  8. Click Next
  9. Click Next
  10. Click Close

 

Configure Claim Rules

  1. Right-click on the newly created Claims Provider Trust and click Edit Claim Rules
  2. Click Add Rule
  3. Select "Send Claims Using a Custom Rule" and click Next
  4. Provide a Rule Name
  5. Paste the following custom rule. It matches the incoming NameID claim (format unspecified, carrying the Domain\username value that Workspace ONE Access is configured to send in a later section) and issues a Windows Account Name claim with "AD AUTHORITY" as the issuer, so relying parties that already expect an AD-sourced windowsaccountname claim keep working without changes. Because the issuer is rewritten, relying-party rules cannot distinguish a Workspace ONE sign-in from a direct AD sign-in by Issuer alone; the real source survives only in OriginalIssuer, which is why the Access Control Policy section below keys on the account store or on a separate Role claim instead.

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
       Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
              Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);



  6. Click Finish
  7. Click OK

 

Configuring the ADFS Application Source in Workspace ONE Access

  1. Download the federation metadata file for the AD FS server by navigating to the URL https://{ADFSdomain}/FederationMetadata/2007-06/FederationMetadata.xml, where {ADFSdomain} is replaced with the fully qualified domain name (FQDN) of your AD FS server.
  2. Log into the Workspace ONE Access Admin Console
  3. Select Catalog -> Web Apps
  4. Click the Settings button
  5. Click Application Sources
  6. Click the ADFS Application Source
  7. Click Next
  8. Paste the contents of the previously downloaded ADFS metadata into the URL/XML box. It is recommended you paste the contents rather than the URL.
  9. Click Next
  10. Click Next
  11. Click Save
  12. Click the ADFS Application Source again.
  13. Click the configuration tab
  14. Change the Username Format to Unspecified
  15. Change the Username Value to "${user.domain}\${user.userName}"
  16. Expand Advanced Properties
  17. Set Include Assertion Signature to Yes.
  18. For Signature Algorithm, select SHA256 with RSA.
  19. Change the Digest Algorithm to SHA256
  20. Click Next and Save

 

Testing the Workspace ONE Claims Provider

  1. Open a Private Browser
  2. Navigate to a Service Provider that is using ADFS
  3. Verify that you see the ADFS Home Realm Discovery Page. Note: Your page will look different depending on how many claims providers you have configured.
  4. Select the option for Workspace ONE
  5. Enter your credentials for Workspace ONE
  6. Verify that Workspace ONE responds with a successful SAML Response. Using a SAML tracer, you can verify that the NameID is returned in Domain\username format with the unspecified NameID format, and that the assertion itself is signed, as configured above.
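The same verification as code, an added example that is not part of the original post: a small Node.js script that takes the base64 SAMLResponse copied out of the tracer and reports where the response deviates from the configuration above (NameID format unspecified, a Domain\username value, a signed assertion using RSA-SHA256 with SHA-256 digests). It checks the shape of the message with regular expressions and does not validate the signature cryptographically; the embedded sample response, its placeholder signature values and the {AccessTenant} issuer are constructed for the example.

```javascript
// Added example (not from the original post): a quick check of a captured
// SAML Response against the settings configured for the ADFS application
// source. Regex-based shape check only, not signature validation.

const NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
const SIG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
const DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256";

// Takes the base64 SAMLResponse form value and returns a list of findings
// (empty when everything matches the expected configuration).
function checkSamlResponse(samlResponseB64) {
  const xml = Buffer.from(samlResponseB64, "base64").toString("utf8");
  const findings = [];

  // NameID element, whatever namespace prefix the IdP uses.
  const nameId = xml.match(/<(?:\w+:)?NameID\b([^>]*)>([^<]*)<\/(?:\w+:)?NameID>/);
  if (!nameId) {
    findings.push("no NameID element found");
  } else {
    const format = (nameId[1].match(/Format="([^"]+)"/) || [])[1];
    const value = nameId[2].trim();
    if (format !== NAMEID_UNSPECIFIED) {
      findings.push("NameID Format is " + format + ", expected unspecified");
    }
    // Exactly one backslash with a non-empty domain and user part on each side.
    if (!/^[^\\\s]+\\[^\\\s]+$/.test(value)) {
      findings.push("NameID '" + value + "' is not in DOMAIN\\username form");
    }
  }

  // The signature must sit inside the Assertion (Include Assertion Signature = Yes);
  // a signature on the outer Response alone does not satisfy that setting.
  const assertion = xml.match(/<(?:\w+:)?Assertion\b[\s\S]*?<\/(?:\w+:)?Assertion>/);
  if (!assertion) {
    findings.push("no Assertion element found");
  } else if (!/<(?:\w+:)?Signature\b/.test(assertion[0])) {
    findings.push("Assertion is not signed");
  } else {
    if (assertion[0].indexOf('SignatureMethod Algorithm="' + SIG_RSA_SHA256 + '"') === -1) {
      findings.push("assertion SignatureMethod is not RSA-SHA256");
    }
    if (assertion[0].indexOf('DigestMethod Algorithm="' + DIGEST_SHA256 + '"') === -1) {
      findings.push("assertion DigestMethod is not SHA-256");
    }
  }
  return findings;
}

// Constructed sample response (placeholder signature values, not a real capture).
function sampleResponse(opts) {
  const o = Object.assign({ format: NAMEID_UNSPECIFIED, nameId: "CORP\\jdoe", signed: true }, opts);
  const signature = o.signed
    ? '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>' +
      '<ds:SignatureMethod Algorithm="' + SIG_RSA_SHA256 + '"/>' +
      '<ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="' + DIGEST_SHA256 + '"/>' +
      '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>' +
      '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    : "";
  const xml =
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">' +
    '<saml:Issuer>https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>' +
    '<saml:Assertion ID="_a1" Version="2.0">' + signature +
    '<saml:Subject><saml:NameID Format="' + o.format + '">' + o.nameId + '</saml:NameID></saml:Subject>' +
    '</saml:Assertion></samlp:Response>';
  return Buffer.from(xml, "utf8").toString("base64");
}

// Usage: node check.js <base64 SAMLResponse>; with no argument the sample is checked.
if (typeof require !== "undefined" && require.main === module) {
  const findings = checkSamlResponse(process.argv[2] || sampleResponse());
  console.log(findings.length ? findings.join("\n") : "OK: response matches the expected configuration");
}
```

Paste the raw base64 from the tracer's SAMLResponse parameter (URL-decoded first if the tracer shows it encoded). An empty findings list means the NameID and assertion signature match what was configured in the application source; anything else points at the step to revisit.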

Configure Workspace ONE Access as the default Claims Provider for an RP

If you have specific applications where you want to redirect all traffic for that application to Workspace ONE, you can perform the following steps:

  1. On the AD FS server, open a PowerShell session with elevated administrator rights.
  2. Run the following Powershell command

    Set-ADFSRelyingPartyTrust -TargetName "{RP_app}" -ClaimsProviderName "{VMWARE IDENTITY MANAGER CLAIMS PROVIDER}"

    Replace the placeholders in the command as follows.
    Replace {RP_app} with the name of the relying party trust corresponding to the target application.
    Replace {VMWARE IDENTITY MANAGER CLAIMS PROVIDER} with the name of the claims provider trust that you configured for VMware Workspace ONE Access.
    Use the names of the relying party trust and claims provider trust as they appear in the AD FS Management console.

 

 

Modifying your Onload.js

Depending on your use case, you may or may not want to redirect all applications, or all platforms for a particular application, to Workspace ONE Access. As we saw above, the ADFS Home Realm Discovery page will by default prompt the user to select the claims provider. If you do not run the previous PowerShell command to default traffic for a particular relying party to Workspace ONE Access, you will need to use the onload.js to automate the selection for the users.

 

We will walk through some of your options in the onload.js. First, let's address some things that you can NOT do:

  • You cannot redirect to Workspace ONE Access based on username. Although usernames may appear in the request, you cannot rely on this. If you use auto acceleration in Azure AD, you will not get usernames in the request.
  • You cannot redirect based on groups.
  • You cannot redirect based on network range.
  • You cannot redirect based on having an enrolled device in Workspace ONE UEM.

 

Before we walk through what we can do, let's get started by exporting the current ADFS web theme.

 

  1. Log into the ADFS Server
  2. Run PowerShell as an Administrator
  3. Create a working folder by running the following command

    mkdir c:\myscripts

  4. Export the default ADFS web theme

    Export-AdfsWebTheme -Name "Default" -DirectoryPath c:\myscripts

  5. In PowerShell, create a new AD FS web theme

    New-AdfsWebTheme -Name "VIDM" -SourceName "Default"

  6. Re-import the onload.js into the new Web Theme

    Set-AdfsWebTheme -TargetName VIDM -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="c:\myscripts\script\onload.js"}

  7. Activate the new web theme

    Set-AdfsWebConfig -ActiveThemeName "VIDM"

  8. To save your changes, you will need to restart the AD FS instance

    Restart-Service adfssrv

  9. Open C:\myscripts\script\onload.js in a text editor such as Notepad++
  10. In the next couple of sections we will go through the changes you can make in the onload.js. After each change, re-import the onload.js with the Set-AdfsWebTheme command from step 6. You do not need to activate the theme or restart ADFS again.
    The following sections use these placeholders:
    {AccessTenant} = FQDN of the VMware Workspace ONE Access service, e.g. dsas.vmwareidentity.com (without the https:// prefix; the snippets add it)
    {AD FS Claims Provider} = 'AD AUTHORITY'  Note: For older ADFS environments, you might need to use: 'http://{ADFSdomain}/adfs/services/trust'

 

 

Redirecting Mobile Traffic

    // redirect mobile traffic to Workspace ONE
    if (navigator.userAgent.match(/iPad|iPhone|Android|Windows Phone/i) != null)
    {
        HRD.selection('https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml');
    }
    else
    {
        HRD.selection('AD AUTHORITY');
    }

 

Support for iPadOS Devices

iPadOS 13 and later reports a Macintosh user agent, so the mobile check above sends iPads to AD AUTHORITY. The touch-point count distinguishes an iPad from a Mac. Place this check ahead of the mobile check's else branch (or fold both into one if/else chain); otherwise the Macintosh user agent has already been sent to AD AUTHORITY before this test runs.

    // ADDITIONAL LOGIC FOR iPadOS AND iOS 13 iPad DEVICES
    if (navigator.userAgent.match(/Macintosh/i) != null)
    {
        if (navigator.maxTouchPoints > 2)
        {
            HRD.selection('https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml');
        }
        else
        {
            HRD.selection('AD AUTHORITY');
        }
    }

 

Hiding the HRD Selection

    // hide HRD selector from user
    var hrdui = document.getElementById("bySelection");
    hrdui.style.display = "none";

 

Applying Conditions to Only Specific Relying Parties

You will need to do some testing to make sure you get the correct values. If you *TEMPORARILY* add the following code it will show you the values to match on. Remove it as soon as you have them: it writes the request URL and referrer into the page unescaped with document.write, which is an injection sink, and it displays those values to every user while it is present.

    document.write("\n<b>WindowsLocation=</b>");
    document.write(window.location.href);
    document.write("<br>\n\n<b>UserAgent=</b>");
    document.write(navigator.userAgent);
    document.write("<br>\n\n<b>DocumentReferer=</b>");
    document.write(document.referrer);

 

 

There are two options to choose from:

Option 1: match the relying-party identifier, which appears URL-encoded in the ADFS sign-in URL. Each identifier must be checked with its own indexOf call; a single indexOf("a"|"b") does not work, because | is a bitwise OR that turns the two strings into 0 and the check then looks for the string "0".

    if (window.location.href.indexOf("urn%3afederation%3aMicrosoftOnline") != -1 ||
        window.location.href.indexOf("https%3a%2f%2flogin.microsoftonline.com%2fextSTS.srf") != -1)
    {
        HRD.selection('https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml');
    }

Option 2: match the referring site, for example a Salesforce tenant (replace tenant.my.salesforce.com with your own). document.referrer can be empty when the browser or a Referrer-Policy strips it, so treat this as a best-effort hint.

    if (document.referrer.indexOf("https://tenant.my.salesforce.com/") != -1)
    {
        HRD.selection('https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml');
    }
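Putting the pieces together, an added example that is not part of the original post: a single onload.js decision function that combines the mobile, iPadOS, hidden-selector and relying-party checks into one if/else chain, so HRD.selection() fires exactly once and the selector is only hidden when a choice has actually been made for the user. The browser values are passed in as arguments so the logic can be exercised with node outside AD FS. {AccessTenant}, the relying-party markers and tenant.my.salesforce.com are placeholders to replace with your own values; the referrer match is anchored at the start of the string so a hostname embedded in some other site's query string does not trigger it, and the URL comparison is case-insensitive because percent-encoding case varies between encoders.

```javascript
// Added example (not from the original post): one decision function for
// onload.js, written in ES5 so it also runs in older browsers served by AD FS.

var WS1_PROVIDER = "https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml"; // placeholder tenant
var AD_PROVIDER = "AD AUTHORITY";

// Relying-party identifiers, lower-cased and URL-encoded as they appear in the
// AD FS sign-in URL, whose users always go to Workspace ONE (assumed list).
var WS1_RP_MARKERS = [
  "urn%3afederation%3amicrosoftonline",
  "https%3a%2f%2flogin.microsoftonline.com%2fextsts.srf"
];
// Referring sites that always go to Workspace ONE (assumed placeholder).
var WS1_REFERRERS = ["https://tenant.my.salesforce.com/"];

function isMobileDevice(userAgent, maxTouchPoints) {
  if (/iPad|iPhone|Android|Windows Phone/i.test(userAgent)) {
    return true;
  }
  // iPadOS 13+ reports a Macintosh user agent; a "Mac" with more than two
  // touch points is an iPad.
  return /Macintosh/i.test(userAgent) && maxTouchPoints > 2;
}

function isWs1RelyingParty(href, referrer) {
  // Percent-encoding case varies, so compare case-insensitively.
  var lowerHref = String(href).toLowerCase();
  for (var i = 0; i < WS1_RP_MARKERS.length; i++) {
    if (lowerHref.indexOf(WS1_RP_MARKERS[i]) !== -1) {
      return true;
    }
  }
  // Referrer is a best-effort hint: it may be stripped by the browser or a
  // Referrer-Policy. Anchor at position 0 so "https://evil.example/?u=https://tenant..."
  // does not match.
  for (var j = 0; j < WS1_REFERRERS.length; j++) {
    if (String(referrer).indexOf(WS1_REFERRERS[j]) === 0) {
      return true;
    }
  }
  return false;
}

// Returns the claims provider identifier to pass to HRD.selection(), or null
// when the user should keep seeing the HRD selector.
function chooseClaimsProvider(ctx) {
  if (isMobileDevice(ctx.userAgent, ctx.maxTouchPoints) ||
      isWs1RelyingParty(ctx.href, ctx.referrer)) {
    return WS1_PROVIDER;
  }
  if (ctx.defaultToAd) {
    return AD_PROVIDER;
  }
  return null;
}

// Entry point when running inside the AD FS HRD page; skipped under node.
if (typeof HRD !== "undefined" && typeof document !== "undefined") {
  var choice = chooseClaimsProvider({
    userAgent: navigator.userAgent,
    maxTouchPoints: navigator.maxTouchPoints || 0,
    href: window.location.href,
    referrer: document.referrer,
    defaultToAd: true // send everyone who matches no rule to AD, as in the post
  });
  if (choice !== null) {
    var hrdui = document.getElementById("bySelection");
    if (hrdui) { hrdui.style.display = "none"; }
    HRD.selection(choice);
  }
}
```

Set defaultToAd to false if users that match no rule should keep seeing the HRD selector instead of being sent to AD AUTHORITY; in that case the selector stays visible because chooseClaimsProvider returns null.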

 

 

Using ADFS Access Control Policies

If you are using ADFS Access Control Policies, you might see errors in the event viewer similar to:

 

"The caller is not authorized to request a token for the relying party "

"Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity  for relying party trust "

 

In order to comply with your Access Control Policies, we will need to add a policy to allow requests coming from Workspace ONE.

 

Here are two approaches that you can use:

 

Check for 'Federated Authority' in the Claims Request

This approach will not necessarily ensure the claim came from Workspace ONE. It will check if it came from a federated claim provider.

  1. Edit your Access Policy in ADFS
  2. Create a new rule that will permit users for a specific claim in the request.
  3. Select "Account Store" as the Claim type and "FEDERATED AUTHORITY" as the Claim Value

Check for Specific Claim sent by Workspace ONE Access

In this approach, ADFS will validate a specific claim sent by Workspace ONE Access. There are a few more steps required in this approach.

  1. In Workspace ONE Access, open the Application Source for ADFS (Identity & Access Management -> Catalog -> Web Apps -> Settings)
  2. Click on Configuration and Expand Advanced Configuration
  3. Scroll down to Custom Attribute Mapping
  4. Add the attribute "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
  5. Select the format "Unspecified"
  6. Set the value to something like "WS1"
  7. Click Next, Next, Save
  8. In ADFS, edit the Claim Rules for the Workspace ONE Claims Provider Trust
  9. Add A New Claim Rule
  10. Select "Pass Through or Filter an Incoming Claim"
  11. Provide a Name and Select "Role" as the incoming claim.
  12. Click Finish. You may receive a warning about passing through all values of the claim; you can click OK, or filter the claim so that only the value "WS1" is passed through, which is the tighter choice.
  13. Edit your Access Policy in ADFS
  14. Create a new rule that will permit users for a specific claim in the request.
  15. Select "Role" as the Claim and "WS1" as the Claim Value

 

 

