Integrating PingFederate: VMware Workspace ONE
GUIDE – APRIL 2019
PRINTED 2 OCTOBER 2019
INTEGRATING PINGFEDERATE: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL
VMware Workspace ONE
GUIDE | 2
Table of Contents
Overview
– Introduction
– Audience
Adding Workspace ONE as an IdP Connection in PingFederate
– Introduction
– Prerequisites
– Retrieving Metadata from Workspace ONE Access
– Creating Identity Provider Connection
– Creating a New Authentication Policy Contract
– Configuring the Authentication Policy Contract
– Configuring Protocol Settings
– Completing Identity Provider Connection
– Exporting Metadata from PingFederate
– Configuring PingFederate Application Source in Workspace ONE Access
– Configuring Salesforce in PingFederate
– Testing Authentication to Salesforce using PingFederate
Creating Authentication Policies in PingFederate
– Introduction
– Prerequisites
– Configuring Identity Provider Selectors
– Configuring Authentication Policies in PingFederate
– Configuring HTML Form Adapter
– Configuring Identity Provider Connection
– Testing Authentication to Salesforce
Adding PingFederate Applications to the Workspace ONE Catalog
– Introduction
– Prerequisites
– Retrieving Salesforce Entity ID from PingFederate
– Adding Salesforce to Workspace ONE Catalog
– Testing Authentication to Salesforce from Workspace ONE Catalog
Adding PingFederate as Third-Party IdP in Workspace ONE
– Introduction
– Prerequisites
– Exporting SAML Metadata from Workspace ONE Access
– Adding Service Provider Connection in PingFederate
– Configuring Browser SSO Settings
– Reviewing Browser SSO Settings
– Completing Service Provider Connection Details
– Exporting Metadata from PingFederate
– Adding PingFederate as an IdP in Workspace ONE
– Modifying Authentication Policies in Workspace ONE Access
– Testing Single Sign-On to Workspace ONE
Configuring Authentication Failure Notification
– Introduction
– Prerequisites
– Logging In to the Workspace ONE Access Console
– Enabling Authentication Failure Notification
– Modifying the Authentication Policy in PingFederate
– Testing Single Sign-On to MS Office 365
Summary and Additional Resources
– Conclusion
– Terminology Used in This Tutorial
– Additional Resources
– About the Author
– Feedback
Integrating PingFederate: VMware Workspace ONE Operational Tutorial
Overview
Introduction
VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you integrate PingFederate with Workspace ONE. Procedures include adding Workspace ONE as an IdP connector in PingFederate and adding PingFederate as a third-party IdP in Workspace ONE.
Audience
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.
Adding Workspace ONE as an IdP Connection in PingFederate
Introduction
This tutorial helps you to integrate VMware Workspace ONE® with PingFederate®. In this section, you add Workspace ONE as an IdP connector in PingFederate. Procedures include:
– Creating the IdP connector
– Creating and configuring the authentication policy contract
– Configuring protocol settings
– Configuring PingFederate application in Workspace ONE Access
– Configuring Salesforce in PingFederate
– Testing authentication to Salesforce using PingFederate
The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Prerequisites
Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.
Check whether you have the following components installed and configured.
– Admin access to both a Workspace ONE Access tenant and a PingFederate appliance
– PingFederate must have both Identity Provider and Service Provider roles enabled
– Test application federated with PingFederate (to follow the steps in this exercise, use Salesforce)
– Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
– Optional: Mobile device to test redirection to Workspace ONE
Retrieving Metadata from Workspace ONE Access
Before configuring Workspace ONE as an identity provider connector, you must collect the appropriate metadata from the Workspace ONE Access tenant.
1. Navigate to Web Apps
   1. Click Catalog.
   2. Click Web Apps.
2. Navigate to Settings
Click Settings.
3. Navigate to SAML Metadata
   1. Select the SAML Metadata menu.
   2. Right-click Identity Provider (IDP) metadata.
   3. Click Save link as...
4. Save Metadata File
Click Save to save the idp.xml file locally on your computer.
Creating Identity Provider Connection
After you have exported the metadata, you are ready to create the identity provider (IdP) connection.
1. Create New IdP Connection
In the PingFederate admin console:
   1. Click Service Provider.
   2. Click Create New to create a new IdP Connection.
2. Configure Connection Type
   1. Select BROWSER SSO PROFILES.
   2. Click Next.
3. Select Connection Options
   1. Select BROWSER SSO for this connection.
   2. Click Next.
4. Import Metadata
   1. Select File as the option to import metadata.
   2. Click Choose File.
5. Select Metadata File
   1. Select the idp.xml file previously downloaded from the Workspace ONE Access tenant.
   2. Click Open.
6. Confirm File Uploaded
   1. Verify that the correct file was uploaded.
   2. Click Next.
7. Confirm Entity ID
   1. Verify that the Entity ID matches your tenant.
   2. Click Next.
8. Review Configuration
Click Next to configure Browser SSO settings.
9. Configure Browser SSO
Click Configure Browser SSO.
10. Select SAML Profiles
   1. Select IDP-INITIATED SSO.
   2. Select SP-INITIATED SSO.
   3. Click Next.
11. Configure User-Session Creation
Click Configure User-Session Creation.
12. Select Identity Mapping Mode
   1. Select Account Mapping.
   2. Click Next.
13. Confirm Attribute Contract
In this exercise, Workspace ONE Access sends only a single attribute in the assertion (SAML_SUBJECT).
Click Next to Map a New Authentication Policy.
Creating a New Authentication Policy Contract
In this section, you continue to configure the IdP connection. This connection does not use any local adapter instances for authentication. Instead, you map it to an authentication policy which you create in this exercise.
1. Map New Authentication Policy
Click Map New Authentication Policy.
2. Manage Authentication Policy Contract
Click Manage Authentication Policy Contracts.
3. Create New Contract
Click Create New Contract.
4. Enter Contract Name
   1. Enter a contract name, for example, Workspace ONE.
   2. Click Next.
5. Confirm Attribute Contract
This configuration uses a single attribute (SAML_Subject).
Click Next.
6. Review Contract Details
Click Done.
7. Confirm Contract Creation
Validate that the new contract has been created.
Click Save.
Configuring the Authentication Policy Contract
In this section, continue the IdP Connection wizard to configure the policy contract.
1. Select the New Policy Contract
   1. Select the new policy contract from the drop-down menu. For example, Workspace ONE.
   2. Click Next.
2. Select Authentication Policy Contract Subject
For this setup, Salesforce requires only the attribute provided in the assertion to fulfill the contract. Depending on the SaaS application you are using to test this configuration, you might need to use the assertion to look for additional information.
   1. Select Use only the attributes available in the SSO assertion.
   2. Click Next.
3. Select Contract Fulfillment Values
   1. Select Assertion from the drop-down menu.
   2. Select SAML_Subject from the drop-down menu.
   3. Click Next.
4. Review Optional Issuance Criteria
Click Next.
5. Confirm Authentication Policy Contract Details
Verify the Authentication Policy Contract summary.
Click Done.
6. Confirm Policy Contract is Mapped
   1. Verify that the new Authentication Policy Contract has been mapped.
   2. Click Next.
7. Confirm User-Session Creation Details
Click Done.
Configuring Protocol Settings
In this section, configure the Browser SSO Protocol Settings including SSO service URLs, SAML bindings, and signature and encryption policy settings.
1. Continue to Protocol Settings
Click Next.
2. Configure Protocol Settings
Click Configure Protocol Settings.
3. Confirm SSO Service URLs
   1. The Endpoint URLs for the Redirect and POST bindings should both be populated automatically from the metadata. If not, you must enter the URL manually. The URL is the same for both bindings in all tenants: /SAAS/auth/federation/SSO.
   2. Click Next.
4. Select SAML Bindings
   1. Select POST.
   2. Select REDIRECT.
   3. Click Next.
5. Review Optional Overrides
Click Next.
6. Configure Signature Policy
   1. Select Specify Additional Signature Requirements.
   2. Select Sign Authn Requests Over Post and Redirect Bindings.
   3. Click Next.
7. Review Optional Encryption Policy Settings
Encryption of the SAML assertion is optional. For this configuration, it is not required.
Click Next.
8. Confirm Protocol Settings Configuration
9. Confirm Protocol Settings Applied
Click Next.
10. Review Protocol Settings
Review the Browser SSO summary.
   1. Scroll to the bottom.
   2. Click Done.
Completing Identity Provider Connection
In this section, complete the final IdP connection details.
1. Continue to Configure Credentials
Click Next.
2. Confirm Credential Requirement Details
   1. The signing certificate should be automatically populated from the metadata.
   2. Click Next.
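The wizard pages above rely on three things being present in idp.xml: an Entity ID that matches your tenant, HTTP-POST and HTTP-Redirect SSO endpoints that both resolve to /SAAS/auth/federation/SSO, and a signing certificate. The following Python script is an added example for checking a metadata file before it is imported; it is not part of this tutorial and not code from VMware or Ping Identity. The metadata it parses is a constructed sample with a placeholder tenant host and a placeholder certificate blob, and the entity ID format shown is an assumption, not the real tenant's value.

```python
"""Pre-import sanity check for a SAML IdP metadata file (idp.xml).

Added example, not product code. The sample metadata below is constructed.
"""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Same path for both bindings in all tenants, as stated in the Protocol Settings step.
EXPECTED_SSO_PATH = "/SAAS/auth/federation/SSO"


@dataclass
class IdpMetadata:
    entity_id: str
    sso_endpoints: Dict[str, str]   # binding URN -> Location URL
    signing_certs: List[str]        # base64 DER blobs from signing KeyDescriptors


def parse_idp_metadata(xml_text: str) -> IdpMetadata:
    """Extract the fields the PingFederate IdP Connection wizard prepopulates from idp.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    endpoints = {
        e.attrib["Binding"]: e.attrib["Location"]
        for e in idp.findall("md:SingleSignOnService", NS)
    }
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.attrib.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return IdpMetadata(root.attrib["entityID"], endpoints, certs)


def check_idp_metadata(meta: IdpMetadata, expected_entity_id: str) -> List[str]:
    """Return a list of problems; an empty list means the metadata matches what the wizard expects."""
    problems = []
    if meta.entity_id != expected_entity_id:
        problems.append(f"entityID {meta.entity_id!r} does not match tenant {expected_entity_id!r}")
    for binding, name in ((HTTP_POST, "HTTP-POST"), (HTTP_REDIRECT, "HTTP-Redirect")):
        location = meta.sso_endpoints.get(binding)
        if location is None:
            problems.append(f"no SingleSignOnService for the {name} binding; enter the URL manually")
            continue
        url = urlparse(location)
        if url.scheme != "https":
            problems.append(f"{name} endpoint is not https: {location}")
        if url.path != EXPECTED_SSO_PATH:
            problems.append(f"{name} endpoint path {url.path!r} is not {EXPECTED_SSO_PATH!r}")
    if not meta.signing_certs:
        problems.append("no signing certificate: PingFederate cannot verify assertions from this IdP")
    for cert in meta.signing_certs:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:
            problems.append("signing certificate is not valid base64")
    return problems


# Constructed sample standing in for a tenant's idp.xml (placeholder host, placeholder certificate,
# assumed entity ID format).
SAMPLE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_ENTITY_ID = "https://tenant.example.com/SAAS/API/1.0/GET/metadata/idp.xml"
SAMPLE_IDP_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{SAMPLE_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://tenant.example.com{EXPECTED_SSO_PATH}"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://tenant.example.com{EXPECTED_SSO_PATH}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_XML)
    for line in check_idp_metadata(meta, SAMPLE_ENTITY_ID) or ["metadata OK"]:
        print(line)
```

Run it against the real export by passing the file contents to parse_idp_metadata and your tenant's entity ID to check_idp_metadata; an empty problem list corresponds to the Entity ID, SSO Service URL and Credential pages of the wizard all being prepopulated correctly. The check is structural only: it does not verify the metadata signature or the certificate itself, so still confirm the certificate in the PingFederate console.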
3. Select Connection Status
4. Save Configuration
   1. Scroll down to the bottom of the summary.
   2. Click Save.
5. Confirm IdP Connection Creation
Validate that the new IdP Connection has been created.
Exporting Metadata from PingFederate
The next step is to add PingFederate as a service provider in Workspace ONE Access. First, export the corresponding metadata file from PingFederate.
1. Select Metadata Export
In the PingFederate admin console:
   1. Click Server Configuration.
   2. Click Metadata Export.
2. Select Metadata Role
   1. Select I am the Service Provider (SP).
   2. Click Next.
3. Select Metadata Mode
   1. Select Use a Connection for Metadata Generation.
   2. Click Next.
4. Review Connection Metadata
Click Next.
5. Select Metadata Signing Details
   1. Select the signing certificate for your PingFederate setup from the drop-down menu.
   2. Select RSA SHA256 as the signing algorithm.
   3. Click Next.
6. Review Summary and Export Metadata
Click Export.
7. Save Metadata File
Save the metadata.xml file locally on your computer.
Click Save.
8. Open Metadata File
Open the metadata.xml file downloaded from PingFederate and copy the contents of the file to the clipboard.
Configuring PingFederate Application Source in Workspace ONE Access
Now that you have exported the metadata from PingFederate, you are ready to configure the PingFederate application source in Workspace ONE Access.
1. Configure PING Application Source
In the Workspace ONE Access administration console:
   1. Click Application Sources.
   2. Click PING.
2. Start PING Application Source Wizard
Click Next.
3. Configure PING Application Source Single Sign-On
   1. Select URL/XML as the configuration method.
   2. Copy the contents from the metadata.xml file downloaded from PingFederate into the text box.
   3. Click Next.
4. Select PING Application Source Access Policies
   1. Select an access policy from your Workspace ONE Access tenant using the drop-down menu. For this setup, we have selected an access policy which challenges for domain credentials to test the configuration.
   2. Click Next.
5. Complete PING Application Source Wizard
Click Save.
Configuring Salesforce in PingFederate
Next, modify the service provider connection (Salesforce) in PingFederate to authenticate with the newly created IdP Connection (Workspace ONE Access).
1. Select Service Provider Connection
Navigate back to the PingFederate admin console.
   1. Click Identity Provider.
   2. Select your test SP Connection.
2. Configure Browser SSO
   1. Select Browser SSO.
   2. Click Configure Browser SSO.
3. Configure Assertion Creation
   1. Select Assertion Creation.
   2. Click Configure Assertion Creation.
4. Map New Authentication Policy
Click Map New Authentication Policy.
5. Select Authentication Policy Contract
   1. Select the Workspace ONE authentication policy contract from the drop-down menu.
   2. Click Next.
6. Select Mapping Method
   1. Select Use Only the Authentication Policy Contract Values in the SAML Assertion.
   2. Click Next.
7. Select Attribute Contract Fulfillment Values
   1. Select Authentication Policy Contract from the Source drop-down menu.
   2. Select subject from the Value drop-down menu.
   3. Click Next.
8. Review Optional Issuance Criteria
Click Next.
9. Review Summary
Click Save.
10. Confirm Workspace ONE Contract Mapping
   1. Validate that the Workspace ONE contract has been mapped.
   2. Click Delete to delete the HTML Form Adapter mapping.
   3. Click Save.
Testing Authentication to Salesforce using PingFederate
You can now test authentication to your SaaS application. In this exercise, log in to Salesforce using PingFederate. PingFederate redirects you to Workspace ONE Access for authentication and then launches Salesforce. The SAML assertion created by Workspace ONE Access is validated by PingFederate, which in turn issues a SAML assertion for Salesforce.
1. Navigate to Salesforce Login
Navigate to the Salesforce login page and click PingFederate.
2. Enter Domain Credentials for Workspace ONE Access
Enter the domain credentials for your test user in Workspace ONE Access.
   1. Enter the username. For example, user.
   2. Enter the password. For example, VMware1!.
   3. Click Sign in.
3. Confirm Salesforce Launches
After validating the credentials in Workspace ONE Access, you are redirected and logged directly into the Salesforce tenant.
Creating Authentication Policies in PingFederate
Introduction
This section helps you to create authentication policies in PingFederate. Procedures include:
– Configuring identity provider selectors
– Configuring authentication policies
– Configuring HTML form adapter and IdP connection
– Testing authentication to Salesforce using mobile and non-mobile devices
The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Prerequisites
Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.
Check whether you have the following components installed and configured.
– Admin access to both a Workspace ONE Access tenant and a PingFederate appliance
– PingFederate must have both Identity Provider and Service Provider roles enabled
– Test application federated with PingFederate (to follow the steps in this exercise, use Salesforce)
– Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
– Optional: Mobile device to test redirection to Workspace ONE
Configuring Identity Provider Selectors
In this exercise, you create a new selector that allows different authentication requests for different applications federated with PingFederate. You can choose to redirect authentication requests to Workspace ONE only for specific applications.
With a selector in PingFederate, you can differentiate mobile traffic versus non-mobile traffic, and decide how each will be authenticated. For this exercise, use the built-in Mobile Client Selector.
For more information, see Selectors in PingFederate documentation.
1. Navigate to Selectors
In the PingFederate admin console:
   1. Click Identity Provider.
   2. Click Selectors.
2. Select Mobile Client Selector
Select the Mobile Client Selector.
3. Review Authentication Selector Details
This selector checks the User-Agent header of the request and returns positive if it matches one of the specified user agents for iOS or Android.
Click Done.
4. Create New Selector Instance
Click Create New Instance.
5. Enter Authentication Selector Values
   1. Enter an instance name. For example, AppSelector.
   2. Enter an instance id. For example, AppSelector.
   3. Select Connection Set Authentication Selector from the Type drop-down menu.
   4. Click Next.
6. Configure Selector Connections
   1. Click Add a new row to Connections.
   2. Select your test application (Salesforce) from the Connections drop-down menu.
   3. Click Update.
   4. Click Next.
7. Review Selector Summary
Verify the selector summary.
Click Done.
8. Save Selector Configuration
Click Save.
Configuring Authentication Policies in PingFederate
Now that you have added Workspace ONE as an identity provider in PingFederate, you can create policies in PingFederate to decide when users will be authenticated in Workspace ONE versus with a local authentication adapter in PingFederate. For more information, see Policies in PingFederate documentation.
1. Navigate to Policies
Click Policies.
2. Enable Authentication Policies
   1. Select the Enable IDP Authentication Policies check box.
   2. Select the Enable SP Authentication Policies check box.
3. Add AppSelector
The first action in the policy tree is to identify the target application the end user is trying to authenticate to. Add the previously created AppSelector.
   1. Select the Action drop-down menu.
   2. Click Selectors.
   3. Click AppSelector.
4. Define AppSelector Negative Values
If the AppSelector selector returns negative, you can choose to authenticate the end user locally using the HTML Form Adapter.
   1. Select the Action drop-down menu next to the No result.
   2. Select HTMLFormAdapter.
5. Define HTML Form Adapter Values
If the authentication attempt with the HTML Form Adapter fails, access to the application is denied. If the authentication attempt is successful, the Policy Contract associated with the application/connection is fulfilled.
   1. Click Done next to the Fail result.
   2. Select the Action drop-down menu next to the Success result.
   3. Select Policy Contracts.
   4. Select the Workspace ONE policy contract.
6. Define AppSelector Positive Values
Now, return to the first action. If the AppSelector selector returns positive, you will use a second selector (MobileClientSelector) to check if the authentication request is from a mobile device.
   1. Select the Action drop-down menu next to the Yes result.
   2. Click Selectors.
   3. Select the Mobile Client Selector.
7. Define Mobile Client Selector Values
If the Mobile Client Selector returns negative, authenticate the requests locally with the HTML Form Adapter.
   1. Select the Action drop-down menu next to the No result.
   2. Select the HTMLFormAdapter.
8. Define HTML Form Adapter Values
Use the same settings for the result of this HTML Form Adapter as the previous one.
   1. Click Done if the authentication fails.
   2. Select the Workspace ONE - (Policy Contract) if the authentication is successful.
9. Define Mobile Client Selector Positive Values
If the Mobile Client Selector returns positive, redirect the authentication request to Workspace ONE using the previously configured IdP Connection.
   1. Select the Action drop-down menu next to the Yes result.
   2. Select IdP Connections.
   3. Select the previously configured IdP Connection (your VMware Identity Manager tenant URL).
10. Define IdP Connection Values
The final policy decision is based on the response from Workspace ONE. If the authentication with Workspace ONE fails, access to the application is denied. If the authentication is successful, fulfill Policy Contract (Workspace ONE) associated with the application.
   1. Click Done next to the Fail result.
   2. Select the Action drop-down menu next to the Success result.
   3. Select Policy Contracts.
   4. Select the Workspace ONE policy contract.
11. Confirm Policy Tree Values
The policy tree should now look similar to the screenshot shown.
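To see which branch a given request takes through the tree just built, here is a small Python model of it. This is an added example, not PingFederate code or a PingFederate API: the connection set and the user-agent markers are constructed assumptions (the real Connection Set selector matches on the SP connection the request targets, and the real Mobile Client Selector ships its own user-agent list), and the sample requests are made up.

```python
"""Model of the PingFederate authentication policy tree built above.

Added example, not PingFederate code. Selector logic is a simplified stand-in.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

HTML_FORM = "HTMLFormAdapter"
WORKSPACE_ONE_IDP = "IdP Connection (Workspace ONE Access)"
POLICY_CONTRACT = "Policy Contract: Workspace ONE"
DENY = "Done (access denied)"

# Assumed substitute for the built-in Mobile Client Selector's iOS/Android user-agent list.
MOBILE_UA_MARKERS = ("iPhone", "iPad", "Android")


@dataclass
class AuthRequest:
    sp_connection: str   # name of the SP connection the AuthnRequest targets
    user_agent: str      # User-Agent header; set by the client, so not a trust signal


def app_selector(req: AuthRequest, connection_set: Set[str]) -> bool:
    """Connection Set Authentication Selector: Yes if the target SP is in the set."""
    return req.sp_connection in connection_set


def mobile_client_selector(req: AuthRequest) -> bool:
    """Mobile Client Selector: Yes if the User-Agent matches an iOS/Android marker."""
    return any(marker in req.user_agent for marker in MOBILE_UA_MARKERS)


def choose_authentication_source(req: AuthRequest, connection_set: Set[str]) -> Tuple[str, List[str]]:
    """Walk the tree; return the authentication source and the selector decisions taken."""
    trace = []
    app_match = app_selector(req, connection_set)
    trace.append(f"AppSelector={'Yes' if app_match else 'No'}")
    if not app_match:
        return HTML_FORM, trace          # No result -> HTML Form Adapter (step 4)
    mobile = mobile_client_selector(req)
    trace.append(f"MobileClientSelector={'Yes' if mobile else 'No'}")
    if not mobile:
        return HTML_FORM, trace          # No result -> HTML Form Adapter (step 7)
    return WORKSPACE_ONE_IDP, trace      # Yes result -> Workspace ONE IdP Connection (step 9)


def policy_outcome(source: str, authenticated: bool) -> str:
    """Every leaf ends the same way: Fail -> Done, Success -> the Workspace ONE policy contract."""
    return POLICY_CONTRACT if authenticated else DENY


if __name__ == "__main__":
    connection_set = {"Salesforce"}  # the connection added to AppSelector in step 6
    samples = [  # constructed requests
        AuthRequest("Salesforce", "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X)"),
        AuthRequest("Salesforce", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
        AuthRequest("OtherApp", "Mozilla/5.0 (Linux; Android 9)"),
    ]
    for req in samples:
        source, trace = choose_authentication_source(req, connection_set)
        print(f"{req.sp_connection:10} {' -> '.join(trace):45} -> {source}")
```

Because the Mobile Client Selector branches on the User-Agent header, which any client can set freely, the tree routes for convenience rather than trust: a desktop browser presenting a mobile user agent is sent to Workspace ONE, and a mobile client with an unusual user agent lands on the HTML form. Both paths still require a successful authentication before the policy contract is fulfilled, which is why each leaf carries the same Fail/Success handling.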
12. Select HTML Form Adapter Options
Next, finalize the configuration for each adapter and contract used in the policies. First, check the HTML Form Adapter options.
Click Options.
13. Define Incoming User ID
For the HTML Form Adapter, select one of the user credentials that are provided in the HTML form.
   1. Select Context from the Source drop-down menu.
   2. Select Requested User from the Attribute drop-down menu.
Copy the same settings to the other HTML Form Adapter options used in the policies.
14. Select IdP Connection Options
Next, check the options for the IdP Connection used in the policies.
Click Options under the IdP Connection action.
15. Define Incoming User ID
Similar to the HTML Form Adapter, select a user ID that is authenticated into the IdP Connection.
   1. Select Context from the Source drop-down menu.
   2. Select Requested User from the Attribute drop-down menu.
   3. Click Done.
Configuring HTML Form Adapter
Finally, check the configuration of the Policy Contracts used in the policies. Although the settings are very similar for all Policy Contracts used, there is a slight variation between the Policy Contracts used after an HTML Form Adapter versus the one used after the IdP Connection. In this exercise, check the contract mapping used after HTML Form Adapter.
In this tutorial, the policy contract associated with our test application can be fulfilled using the default values from the authentication policy, so there is no need to add an Attribute Source to retrieve additional attributes. This might be required in your setup depending on the type of application you are testing with.
1. Select Contract Mapping
Click Contract Mapping under the Workspace ONE Policy Contract used after one of the HTML Form Adapters.
2. Skip Attribute Source
Click Next.
3. Define Contract Fulfillment Values
Use the HTML Form Adapter result to fulfill this policy contract. Note that the userPrincipalName value used in this example is the value required by Salesforce. This might be different in your setup.
   1. Select Adapter (HTMLFormAdapter) from the Source drop-down menu.
   2. Select userPrincipalName from the Value drop-down menu.
   3. Click Next.
4. Skip Optional Issuance Criteria
Click Next.
5. Review Authentication Policy Summary
Verify the Contract Mapping summary.
Click Done.
Configuring Identity Provider Connection
After you have configured the contract mapping used after HTML Form Adapter, configure the contract mapping for a policy contract used after the IdP connection.
1. Select Contract Mapping
In the IdP section, click Contract Mapping.
2. Skip Attribute Source
Click Next.
3. Define Contract Fulfillment Values
In this example, use the IdP Connection to fulfill the Policy Contract. Note that the value being used is not retrieved from the user profile but rather from the SAML assertion issued by the IdP Connection. If your test application requires different or additional attributes from those provided in the SAML assertion, you can either change the value(s) provided by the IdP Connection or configure the Contract Mapping to retrieve the attributes from AD.
   1. Select IdP Connection from the Source drop-down menu.
   2. Select SAML_SUBJECT from the Value drop-down menu.
   3. Click Next.
4. Skip Issuance Criteria
Click Next.
5. Review Authentication Policy Summary
Validate the Policy Contract Mapping summary.
Click Next.
6. Review Authentication Policies Configuration
Click Save.
Testing Authentication to Salesforce
After you have created and configured authentication policies in PingFederate, you are ready to test authentication to Salesforce using different device types.
If you are authenticating with a non-mobile device, you should be presented with the PingFederate HTML Form Adapter.
If you are authenticating with a mobile device, you should be redirected to Workspace ONE for authentication.
1. Log In to Salesforce from Non-Mobile Device
On a non-mobile device, launch the Salesforce application. Authentication is required through the PingFederate HTML Form.
2. Log In to Salesforce from a Mobile Device
On a mobile device, launch the Salesforce application. Authentication is required through Workspace ONE.
Adding PingFederate Applications to the Workspace ONE Catalog
Introduction
This section helps you to add PingFederate applications to the Workspace ONE catalog. Procedures include:
– Retrieving the Salesforce entity ID from PingFederate
– Adding Salesforce to the Workspace ONE catalog
– Testing authentication to Salesforce from Workspace ONE catalog
The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Prerequisites
Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.
Check whether you have the following components installed and configured.
– Admin access to both a Workspace ONE Access tenant and a PingFederate appliance
– PingFederate must have both Identity Provider and Service Provider roles enabled
– Test application federated with PingFederate (to follow the steps in this exercise, use Salesforce)
– Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
– Optional: Mobile device to test redirection to Workspace ONE
Retrieving Salesforce Entity ID from PingFederate
Retrieve the Salesforce entity ID value from the PingFederate admin console. You need this entity ID value when configuring the Salesforce application in Workspace ONE Access.
1. Select Salesforce Application in PingFederate
In the PingFederate admin console:
   1. Click Identity Provider.
   2. Select the IdP Connection or application (Salesforce) that you want to add to the Workspace ONE Catalog.
2. Copy Entity ID Value
   1. Select Activation & Summary.
   2. Copy the Entity ID value of the application.
Adding Salesforce to Workspace ONE Catalog
After you have retrieved the Salesforce entity ID from PingFederate, use this entity ID to add Salesforce to the Workspace ONE Catalog and assign users to the application.
1. Add New Application
In the Workspace ONE Access admin console:
   1. Click Catalog.
   2. Click Web Apps.
   3. Click New to add a new application to the catalog.
2. Name the Application
   1. Enter a Name for the application, for example, Salesforce (Ping).
   2. Click Next.
3. Configure Single Sign-On Details
With application sources, a new application inherits its configuration from the PING application source that was configured previously.
   1. Select PING (Application Source) from the Authentication Type drop-down menu.
   2. Paste the Entity ID copied in the previous exercise into the Target URL box.
   3. Click Next.
4. Select Access Policies
   1. Select an access policy for your application from the drop-down menu.
   2. Click Next.
5. Review the Configuration Summary
Review the configuration summary.
Click Save & Assign.
6. Assign Users to Salesforce
   1. Search for your user or user group to assign the application.
   2. Select the user or user group from the drop-down menu.
   3. Click Save.
Testing Authentication to Salesforce from Workspace ONE Catalog
After you have added Salesforce to the Workspace ONE catalog, confirm authentication to Salesforce from the Workspace ONE catalog.
1. Log in to Workspace ONE Access Tenant
Navigate to your Workspace ONE Access tenant and log in with your test user.
2. Launch Salesforce Application
Select the Ping Salesforce application. This should redirect you to PingFederate with a valid SAML assertion, which in turn redirects you seamlessly to the target application.
Adding PingFederate as Third-Party IdP in Workspace ONE
Introduction
In the previous exercises, you configured Workspace ONE to act as an IdP to PingFederate. This allows administrators to use Workspace ONE authentication methods to authenticate PingFederate applications.
This section helps you to configure the inverse integration flow, in which PingFederate is used as a third-party IdP within Workspace ONE. This allows administrators to use PingFederate to authenticate users accessing the Workspace ONE catalog.
Procedures include:
– Exporting the SAML metadata from Workspace ONE Access
– Adding and configuring the SP connection in PingFederate
– Exporting metadata from PingFederate
– Adding PingFederate as an IdP in Workspace ONE
– Modifying authentication policies in Workspace ONE Access
– Testing SSO from Workspace ONE to PingFederate
The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Prerequisites
Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.
Check whether you have the following components installed and configured.
– Admin access to both a Workspace ONE Access tenant and a PingFederate appliance
– PingFederate must have both Identity Provider and Service Provider roles enabled
– Test application federated with PingFederate (to follow the steps in this exercise, use Salesforce)
– Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
– Optional: Mobile device to test redirection to Workspace ONE
Exporting SAML Metadata from Workspace ONE Access
Before adding the service provider connection in PingFederate, you need to export the SAML metadata from Workspace ONE Access.
1. Navigate to Settings
In the Workspace ONE Access admin console:
   1. Click Catalog.
   2. Click Web Apps.
   3. Click Settings.
2. Navigate to SAML Metadata
   1. Click SAML Metadata.
   2. Right-click Service Provider (SP) metadata.
   3. Select Save link as.
3. Save Metadata File
Click Save to save the metadata file on your local machine.
Adding Service Provider Connection in PingFederate
After you have exported the SAML metadata from Workspace ONE Access, you are ready to add a service provider connection in PingFederate.
1. Create New SP Connection
In the PingFederate Console:
   1. Click Identity Provider.
   2. Click Create New.
2. Review the Connection Type
Click Next.
3. Review Connection Options
Click Next.
4. Import Metadata
   1. Select File as the method to input the connection metadata.
   2. Click Choose File.
   3. Select the metadata file you downloaded from Workspace ONE Access. For example, sp.
   4. Click Open.
   5. Click Next.
5. Review the Metadata Summary
Verify that the Entity ID is the Workspace ONE Access metadata XML URL, and click Next.
6. Review General Info
Click Next to continue configuring Browser SSO settings.
Configuring Browser SSO Settings
In this section, continue configuring the SP Connection - Browser SSO settings.
1. Configure Browser SSO
Click Configure Browser SSO.
2. Assign SSO Profiles
   1. Select the SP-Initiated SSO check box to apply SSO to applications launched from within the Workspace ONE catalog.
   2. Click Next.
3. Review Assertion Lifetime Settings
Click Next.
4. Create an Assertion
Click Configure Assertion Creation.
5. Select the Attribute Contract Type
For this configuration, you send the SP (Workspace ONE) a standard attribute (userPrincipalName) as the main identifier in the assertion; therefore, select a Standard Attribute Contract.
   1. Select Standard as the Attribute Contract type.
   2. Click Next.
6. Review the Attribute Contract
   1. For the Subject Name Format, keep the default Unspecified format in this configuration.
   2. Click Next.
7. Configure Authentication Source Mapping
   1. Click Map New Adapter Instance.
   2. Select HTML Form Adapter from the Adapter Instance drop-down menu.
   3. Click Next.
8. Configure Mapping Method
   1. Select Use Only The Adapter Contract Values in the SAML Adapter. Because userPrincipalName is already a part of the Adapter Contract, you can choose to use only the values included in the contract.
   2. Click Next.
9. Configure Attribute Contract Values
   1. Select Adapter from the Source drop-down menu.
   2. Select userPrincipalName from the Value drop-down menu. PingFederate passes userPrincipalName as the SAML_Subject value in the SAML assertion sent to Workspace ONE.
   3. Click Next.
10. Configure SAML Bindings
   1. Select the POST binding.
   2. Select the Redirect binding.
   3. Click Next.
11. Configure Signature Policy
   1. Select Always Sign the SAML Assertion.
   2. Click Next.
12. Select Encryption Policy
   1. Select None to opt out of encrypting the SAML messages.
   2. Click Next.
Reviewing Browser SSO Settings
In this section, review the Browser SSO settings before completing the service provider connection details.
1. Review Protocol Settings Summary
Review the Protocol Settings and click Done.
2. Continue to Browser SSO Summary
On the Protocol Settings tab, click Next.
3. Review Browser SSO Summary
Review the Browser SSO summary and click Done.
Completing Service Provider Connection Details
In this section, continue through the wizard to complete the SP Connection details.
1. Continue Configuring the SP Connection
Click Next.
2. Review IdP Adapter Mapping
   1. Click Next.
   2. Review the IdP Adapter Mapping summary, and click Done.
3. Review Assertion Creation
   1. Click Next.
   2. Review the Assertion Creation summary, and click Done.
4. Continue to Protocol Settings
On the Assertion Creation tab, click Next.
5. Configure Protocol Settings
   1. Click Configure Protocol Settings.
   2. Delete all pre-configured bindings except for POST.
   3. Click Next.
6. Configure Credentials
Click Configure Credentials.
7. Select a Certificate
   1. Select your signing certificate from the Signing Certificate drop-down menu.
   2. Click Next.
8. Review Certificate Summary
Click Done.
9. Continue Configuring the SP Connection
Click Next.
10. Activate the Connection
   1. Select Active as the Connection Status.
   2. Click Save.
11. Verify the Connection
Verify that the new SP Connection for Workspace ONE has been created.
Exporting Metadata from PingFederate
Now that you have configured the SP connection for Workspace ONE in PingFederate, you must create and configure the PingFederate IdP in Workspace ONE. First, export the appropriate metadata file from PingFederate.
1. Begin Metadata Export
   1. Click Server Configuration.
   2. Click Metadata Export.
2. Select the Metadata Role
   1. Select I am the Identity Provider.
   2. Click Next.
3. Select the Metadata Mode
   1. Select Use a Connection for Metadata Generation.
   2. Click Next.
4. Configure Connection Metadata
   1. Select the Workspace ONE SP Connection from the drop-down menu.
   2. Click Next.
5. Configure Metadata Signing
   1. Select the signing certificate for your PingFederate setup from the Signing Certificate drop-down menu.
   2. Select RSA SHA256 as the Signing Algorithm from the drop-down menu.
   3. Click Next.
6. Begin Metadata Export
Click Export.
7. Save Metadata File
Save the metadata file locally on your computer.
Click Save.
8. Copy Contents of Metadata File
Copy the contents of the metadata file downloaded from PingFederate to your clipboard.
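The two metadata exchanges in this section, importing the Workspace ONE Access SP metadata into PingFederate (where the wizard asks you to verify the Entity ID) and exporting the RSA SHA256-signed IdP metadata from PingFederate, both come down to reading an XML document before trusting it. The following Python script is an added example, not part of this tutorial and not code from either product, that summarises a SAML 2.0 metadata file the way a reviewer would before pasting it into a partner console: entity ID, role, endpoints and bindings, signing certificates, and whether and with which algorithm the metadata itself is signed. The host names, URL paths and certificate text in the two embedded documents are constructed placeholders, and entity_id_matches is a hypothetical helper for the tutorial's review step.

```python
"""Inspect a SAML 2.0 metadata file before importing it into a federation partner.

Added example for this tutorial; the two metadata documents below are constructed
(host names, paths and certificate text are placeholders) and are not real
Workspace ONE Access or PingFederate exports.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed SP metadata, shaped like the "sp" file downloaded from Workspace ONE
# Access: the entityID is the metadata URL itself, as the review step expects.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://tenant.example.com/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://tenant.example.com/SAAS/auth/saml/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata, shaped like a PingFederate export that was signed with
# RSA SHA-1 instead of the RSA SHA256 this tutorial selects, and with a plain-http SSO URL.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="pingfed.example.com">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://pingfed.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_metadata(xml_text: str) -> dict:
    """Summarise roles, endpoints, signing keys and metadata signing; collect warnings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "roles": [], "endpoints": [],
            "signing_certs": 0, "signature_alg": None, "warnings": []}
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is not None:
        info["roles"].append("SP")
        info["wants_signed_assertions"] = sp.get("WantAssertionsSigned") == "true"
        for acs in sp.findall("md:AssertionConsumerService", NS):
            info["endpoints"].append(("ACS", acs.get("Binding"), acs.get("Location")))
        info["nameid_formats"] = [n.text for n in sp.findall("md:NameIDFormat", NS)]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        info["roles"].append("IdP")
        for sso in idp.findall("md:SingleSignOnService", NS):
            info["endpoints"].append(("SSO", sso.get("Binding"), sso.get("Location")))
    # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing") and \
                kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None:
            info["signing_certs"] += 1
    if info["signing_certs"] == 0:
        info["warnings"].append("no signing certificate: the partner cannot verify signatures")
    # Only the algorithm is read here; verifying the XML signature itself needs an XML-DSig library.
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        info["warnings"].append("metadata is not signed; obtain it over a trusted channel")
    else:
        info["signature_alg"] = method.get("Algorithm")
        if info["signature_alg"] == RSA_SHA1:
            info["warnings"].append("metadata signed with RSA SHA-1; re-export with RSA SHA256")
    for kind, _binding, location in info["endpoints"]:
        if not (location or "").startswith("https://"):
            info["warnings"].append(f"{kind} endpoint is not https: {location}")
    return info


def entity_id_matches(info: dict, expected: str) -> bool:
    """The tutorial's review step: the imported Entity ID must be the value you expect."""
    return info["entity_id"] == expected


if __name__ == "__main__":
    for label, doc in (("SP", SP_METADATA), ("IdP", IDP_METADATA)):
        summary = inspect_metadata(doc)
        print(label, summary["entity_id"], summary["roles"], summary["endpoints"])
        for warning in summary["warnings"]:
            print("  warning:", warning)
```

Run it directly to print both summaries; in practice, replace the embedded strings with the file you downloaded from Workspace ONE Access or exported from PingFederate, and treat any warning as a reason to stop before clicking Next on the metadata summary.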
Adding PingFederate as an IdP in Workspace ONE
Next, add PingFederate as an identity provider in Workspace ONE.
1. Create Third-Party Identity Provider
In the Workspace ONE Access admin console:
   1. Click Identity & Access Management.
   2. Click Identity Providers.
   3. Click Add Identity Provider.
   4. Click Create Third Party IDP.
2. Provide Identity Provider Details
   1. Enter a name for Identity Provider Name. For example, PING.
   2. Paste the contents of the metadata file into the text box.
   3. Click Process IdP Metadata.
   4. Select Unspecified as the Name ID format.
   5. Select userPrincipalName as the Name ID Value.
3. Continue Entering Identity Provider Details
   1. Enable the IdP for the same set of users (domain) configured in PingFederate.
   2. Enable the IdP configuration for All Ranges.
   3. Create a new Authentication Method with an appropriate name. For example, PingPassword.
   4. Select urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the SAML Context for the Authentication Method.
   5. Click Add.
Modifying Authentication Policies in Workspace ONE Access
To authenticate users with the new PING IdP configuration, you must modify the authentication policies in Workspace ONE Access to make use of the authentication method associated with the IdP. In this section, you modify the default policy set, because this is the policy set used when accessing the Workspace ONE catalog.
1. Select Default Policy
   1. Click Identity & Access Management.
   2. Click Policies.
   3. Click default_access_policy_set.
2. Edit Default Access Policy Set
Click Edit.
3. Select All Ranges Policy Rule
   1. Click Configuration.
   2. For this setup, modify the last policy in the policy set, because it is the policy used to authenticate desktop browsers on public networks. You might need to modify a different policy depending on the device type and source network you are using to test this configuration.
4. Select Authentication Method
   1. Select PingPassword from the ...authenticate using... drop-down menu. This is the Authentication Method associated with the PING IdP.
   2. Click Save.
5. Review Configuration Changes
Click Next.
6. Review Summary Details
Click Save.
Testing Single Sign-On to Workspace ONE
You can now test authentication into the Workspace ONE catalog. You should be automatically redirected to PingFederate for authentication if you are using a device that matches the policy changes made.
1. Navigate to Workspace ONE URL and Confirm Redirect to PingFederate
Navigate to your Workspace ONE tenant URL and confirm redirection to PingFederate. Enter your PingFederate credentials.
   1. Enter a username. For example, user.
   2. Enter a password. For example, password.
   3. Click Sign On.
2. Confirm Redirect to Workspace ONE App Catalog
After you have successfully authenticated with PingFederate, you should be redirected back and given access to the Workspace ONE catalog.
Configuring Authentication Failure Notification
Introduction
The latest update to SaaS-based Workspace ONE Access includes a new feature that allows Workspace ONE Access to send feedback to PingFederate when authentication fails, through a parameter in the SAML assertion. PingFederate administrators can implement more flexible authentication policies for those cases in which authentication fails in Workspace ONE Access.
Policy Rules Recap
This screenshot depicts a recap of the policy rules that have been created throughout this tutorial. The new feature allows you to modify the lower section, where Workspace ONE Access is involved as an IdP within Ping.
Authentication Fail Options
With the current policies, when authentication fails at Workspace ONE Access, the policy is set to fail the authentication. Because no action has been defined in the Fail section, there is no other option.
Authentication Failure Message
The expected experience is that when an unmanaged device fails to authenticate with Workspace ONE Access, it is presented with an authentication failure message in Workspace ONE Access.
This section helps you to configure authentication failure notification. Procedures include:
– Enabling authentication failure notification
– Modifying the authentication policies
– Testing SSO to MS Office 365
The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Prerequisites
Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.
Check whether you have the following components installed and configured.
– Cloud-based Workspace ONE Access tenant
– Admin access to a PingFederate appliance
– PingFederate must have both Identity Provider and Service Provider roles enabled
– Test application federated with PingFederate (to follow the steps in this exercise, use MS Office 365)
– Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
– Unmanaged device to test redirection to Workspace ONE
Logging In to the Workspace ONE Access Console
To perform most of the steps in this exercise, you must first log in to the Workspace ONE Access console.
1. Launch Google Chrome (If Needed)
If Google Chrome is not already open, launch Google Chrome by double-clicking the icon on the desktop.
2. Open a New Browser Tab
Click the Tab space to open a new tab.
3. Navigate to Your Workspace ONE Access Tenant
Paste or enter the Tenant URL into the navigation bar and press Enter to continue.
4. Log In to Your Workspace ONE Access Tenant
   1. Enter the Username, for example, Administrator.
   2. Enter the Password, for example, VMware1!.
   3. Click Sign In.
5. Navigate to the Administrator Console (If Necessary)
If you see the User Portal as shown in the screenshot, navigate to the Administrator Console.
   1. Click the user drop-down icon.
   2. Select Administration Console.
This opens the Administration Console in a separate tab in your browser.
Enabling Authentication Failure Notification
This section helps you to configure the authentication failure notification feature.
1. Navigate to Web Apps
In the Workspace ONE Access tenant:
   1. Select the Catalog drop-down menu.
   2. Select Web Apps.
2. Open Web Apps Settings Menu
Click Settings.
3. Configure PING Application Source
   1. Click Application Sources.
   2. Click PING.
4. Select Advanced Properties
   1. Click Configuration.
   2. Click Advanced Properties.
5. Enable Authentication Failure Notification
   1. Click the button to Enable Authentication Failure Notification.
   2. Click Next.
6. Complete PING Application Source Wizard
   1. Click Summary.
   2. Click Save.
Confirm SAML Assertion
After the feature is enabled, when authentication fails in Workspace ONE Access, a SAML assertion is sent to PingFederate containing an AuthFailed status code, a status message, and detail.
You can verify the SAML assertion using a SAML plugin for your web browser, such as SAML Chrome Panel.
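The Browser SSO settings configured earlier in this tutorial (an Unspecified NameID carrying userPrincipalName, an assertion that is always signed, no encryption, and the Password authentication context) and the failure notification described here both show up in the SAML Response that a browser SAML panel captures. The following Python script is an added example, not part of this tutorial and not code from either product, that inspects such a response: for a failed response it reports the status code, the second-level status code, the status message and the status detail; for a successful one it checks the assertion against the settings above. Both embedded responses are constructed. The failure sample uses the standard SAML 2.0 second-level status urn:oasis:names:tc:SAML:2.0:status:AuthnFailed (the AuthFailed status the text refers to), and its message and detail text are placeholders, because the tutorial does not show the actual values Workspace ONE Access sends.

```python
"""Inspect a SAML 2.0 Response captured in the browser (for example with a SAML panel
extension). Added example for this tutorial; both responses below are constructed
(issuer, audience, message, detail and signature text are placeholders), not real
Workspace ONE Access or PingFederate output."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed success response shaped like the Browser SSO settings in this tutorial:
# unspecified NameID carrying a UPN, signed assertion, no encryption, Password context.
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2019-04-01T10:00:00Z">
  <saml:Issuer>pingfed.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-01T10:00:00Z">
    <saml:Issuer>pingfed.example.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@corp.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-04-01T09:59:00Z" NotOnOrAfter="2019-04-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://tenant.example.com/SAAS/API/1.0/GET/metadata/sp.xml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-04-01T10:00:00Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed failure response shaped like the notification this section describes:
# a failed top-level status, a second-level status code, a status message and detail.
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
  IssueInstant="2019-04-01T10:00:00Z">
  <saml:Issuer>https://tenant.example.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Authentication failed</samlp:StatusMessage>
    <samlp:StatusDetail><Reason>constructed-detail: device not managed</Reason></samlp:StatusDetail>
  </samlp:Status>
</samlp:Response>"""


def inspect_response(xml_text: str, expected_audience: str = None) -> dict:
    """Report the Status of a failed response, or the subject, context and signing
    of a successful one together with anything the SP side would reject."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status", NS)
    top = status.find("samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS)
    msg = status.find("samlp:StatusMessage", NS)
    detail = status.find("samlp:StatusDetail", NS)
    result = {"status": top.get("Value"),
              "sub_status": sub.get("Value") if sub is not None else None,
              "message": (msg.text or "").strip() if msg is not None else None,
              "detail": "".join(detail.itertext()).strip() if detail is not None else None,
              "findings": []}
    if result["status"] != STATUS_SUCCESS:
        # The IdP declined to authenticate. The SP's Fail action (PingFederate's policy
        # branch in this tutorial) decides what happens next; the message carries no subject.
        result["outcome"] = "authn_failed" if result["sub_status"] == STATUS_AUTHN_FAILED else "failed"
        return result
    if root.find("saml:EncryptedAssertion", NS) is not None:
        result["findings"].append("assertion is encrypted; decrypt it before inspecting")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        result["findings"].append("success status but no plain assertion")
        result["outcome"] = "review"
        return result
    # Presence of ds:Signature only; verifying it needs an XML-DSig library and the IdP's certificate.
    result["signed"] = assertion.find("ds:Signature", NS) is not None
    if not result["signed"]:
        result["findings"].append("assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    result["name_id"] = name_id.text if name_id is not None else None
    result["name_id_format"] = name_id.get("Format") if name_id is not None else None
    if result["name_id_format"] not in (None, NAMEID_UNSPECIFIED):
        result["findings"].append("NameID format is not the unspecified format the SP expects")
    if not result["name_id"] or "@" not in result["name_id"]:
        result["findings"].append("NameID does not look like a userPrincipalName")
    ref = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    result["authn_context"] = ref.text if ref is not None else None
    if result["authn_context"] != AC_PASSWORD:
        result["findings"].append("AuthnContextClassRef is not the Password class mapped at the SP")
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if expected_audience is not None and expected_audience not in audiences:
        result["findings"].append("assertion audience does not include this SP")
    result["outcome"] = "ok" if not result["findings"] else "review"
    return result
```

Paste the decoded Response from the browser panel in place of the embedded sample and pass your SP's entity ID as expected_audience. An authn_failed outcome is the case that the Fail branch in the next section handles; a non-empty findings list on a success response points at the Browser SSO setting to revisit.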
Modifying the Authentication Policy in PingFederate
After you have enabled authentication failure notification, you are ready to modify the authentication policy in PingFederate to account for the AuthFailed SAML assertion that is sent from Workspace ONE Access. You must log in to the PingFederate admin console to complete this exercise.
Note: For the purpose of this exercise, the HTMLFormAdapter is selected as a simple example. Downgrading enrollment/compliance authentication to a username/password-only challenge is not best practice in most use cases.
1. Navigate to Policies
In the PingFederate admin console:
   1. Click Identity Provider.
   2. Click Policies.
2. Select HTMLFormAdapter
   1. Scroll down to the Workspace ONE Access section and click the action drop-down menu next to Fail.
   2. Select IdP Adapters.
   3. Select HTMLFormAdapter.
3. Select the Workspace ONE Policy Contract
   1. Click the action drop-down menu next to Success.
   2. Select Policy Contracts.
   3. Select Workspace ONE as the policy contract.
4. Skip Attribute Sources
Click Next.
5. Configure Contract Fulfillment
   1. Select Adapter (HTMLFormAdapter) as the source.
   2. Select userPrincipalName as the value.
   3. Click Next.
6. Skip Issuance Criteria
Click Next.
7. Complete Authentication Policy Configuration
Review the summary and click Done.
8. Review the Authentication Policy
The authentication policy in PingFederate should now resemble the example shown, with an action for both a successful and a failed authentication in Workspace ONE Access.
Testing Single Sign-On to MS Office 365
After you have enabled authentication failure notification and modified the authentication policy in PingFederate, you are ready to test SSO from an unmanaged device to a federated application, such as MS Office 365. The result of this authentication flow is an HTML form authentication challenge from PingFederate.
1. Log in to MS Office 365
Open MS Office 365.
2. Enter User Credentials for PingFederate
You should be redirected to PingFederate for authentication. Enter your user details for PingFederate.
3. Validate Successful Authentication
Validate that the end user is successfully authenticated into the target application.
Summary and Additional Resources
Conclusion
This tutorial provided steps to integrate PingFederate with Workspace ONE. Procedures included:
– Adding Workspace ONE as an IdP connector in PingFederate
– Creating authentication policies in PingFederate
– Adding PingFederate applications to the Workspace ONE catalog
– Adding PingFederate as a third-party IdP in Workspace ONE
– Configuring authentication failure notification in SaaS-based Workspace ONE Access
Terminology Used in This Tutorial
The following terms are used in this tutorial:
application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.
For more information, see the VMware Glossary.
Additional Resources
For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.
Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.
About the Author
This tutorial was written by:
Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
Feedback
The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at [email protected].
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001
www.vmware.com
Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.