Create a Third Party Identity Provider

In order for AD FS to authenticate our users, we need to create a Third Party Identity Provider (IdP) within VMware Identity Manager and use the FederationMetadata.xml downloaded from our Federation Service to establish trust between AD FS as the Identity Provider and VMware Identity Manager as the Service Provider.

1. Create Third Party Identity Provider in VMware Identity Manager

Navigate to your VMware Identity Manager Administration Console.

  1. Click Identity & Access Management
  2. Click Identity Providers
  3. Click Add Identity Provider
  4. Click Create Third Party IDP

2. Enter Identity Provider Name and SAML Metadata

Open the FederationMetadata.xml file you downloaded earlier and copy the full XML text contained within the document.

  1. Enter "AD FS" for the Identity Provider Name.  This is just a display name that will be used for this Third Party IDP.
  2. Paste the XML text contained in your FederationMetadata.xml file into the SAML Metadata field.
  3. Click Process IdP Metadata.  This configures certain settings in your IDP based on the specifications that are noted within the Federation Metadata.

3. Confirm Processed IdP Metadata

After selecting to Process the IdP Metadata, notice that the SAML AuthN Request Binding and the Name ID format mappings have been automatically configured.  These values were pulled from the FederationMetadata.xml, which informs VMware Identity Manager how to send requests to our Third Party IDP to process authentication requests.

4. Configure Users and Networks that can utilize this IDP

  1. Disable Just-in-Time User Provisioning for this lab.  Just-in-Time user provisioning allows users to be created within VMware Identity Manager dynamically when they authenticate using this Third Party IDP if they do not already exist.  This can be useful for dynamically adding any missed users or new users who have not been synced but still belong to your domain(s) that will be utilizing this Third Party IDP.
  2. Select all of the intended Users that will utilize this Third Party IDP.  In our case, we want to select the Company_Directory_#### users so that our synced domain users can log in via AD FS.
  3. Select ALL RANGES for the Network.

5. Configure Authentication Methods for this IDP

We need to specify which authentication methods this Third Party IDP will utilize to authenticate our selected users.  For this lab, we want to set up the Authentication Methods below:

Authentication Methods     SAML Context
-----------------------    ----------------------------------------------------
SAML Password              urn:oasis:names:tc:SAML:2.0:ac:classes:Password
SAML Kerberos              urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
Windows Authentication     urn:federation:authentication:windows

Click the + button to add a new Authentication Method as needed.

The Authentication Methods column acts as a display name for the SAML Context.  When creating Access Policies, the Authentication Methods column name will display as options for which authentication methods to use to authenticate our users.  Note that these names must be unique across your VMware Identity Manager tenant, and cannot share names with the default Authentication Methods either!

The SAML Context informs the Identity Provider (AD FS in this instance) how the user should be authenticated.  The SAML Context will be inserted as part of the SAML Assertion (under the AuthnStatement section).  This SAML Assertion will be signed and sent to AD FS as a request to authenticate users when they attempt to log in to VMware Identity Manager using this Third Party IDP.

For reference, here is a sample of a SAML Assertion that will be signed and sent to AD FS when users attempt to authenticate.  Notice the AuthnStatement section, which details when the authentication request was made and contains how the user is attempting to authenticate (via Kerberos, in this case).
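The lab's sample assertion is a screenshot, so here is a constructed one as an added example (not VMware or Microsoft code) together with the two places the table above comes into play: the outgoing request carries the chosen SAML Context as a RequestedAuthnContext, and the assertion that comes back from the IdP echoes it in AuthnStatement, where the Service Provider maps it back to an Authentication Method name and checks it against the access policy. Entity IDs, URLs, IDs and timestamps in the sample are placeholders, and the function names are my own.

```python
"""Map a SAML AuthnContextClassRef back to the Authentication Method display
name configured on the Third Party IdP, and check the returned AuthnStatement
against an access policy.  Added example, not VMware or Microsoft code.  The
assertion below is a constructed sample with placeholder IDs, times and
entity IDs; the URNs are the three from the lab's table."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Display name -> SAML Context, exactly as configured in step 5 of the lab.
AUTH_METHODS = {
    "SAML Password": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "SAML Kerberos": "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos",
    "Windows Authentication": "urn:federation:authentication:windows",
}
CONTEXT_TO_METHOD = {ctx: name for name, ctx in AUTH_METHODS.items()}

# Constructed sample assertion: a Kerberos-authenticated user, placeholder values throughout.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_constructed-session">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)  # constructed clock


def build_authn_request(request_id, issuer, acs_url, destination, method_name, issue_instant):
    """Outgoing AuthnRequest: the SAML Context of the chosen Authentication
    Method is sent as RequestedAuthnContext so the IdP knows how to authenticate."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": destination, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = AUTH_METHODS[method_name]
    return ET.tostring(req, encoding="unicode")


def parse_authn_statement(assertion_xml):
    """Read AuthnInstant, SessionIndex and the AuthnContextClassRef from an assertion."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return {
        "authn_instant": datetime.fromisoformat(stmt.get("AuthnInstant").replace("Z", "+00:00")),
        "session_index": stmt.get("SessionIndex"),
        "class_ref": ref.text.strip() if ref is not None and ref.text else None,
    }


def evaluate_access_policy(assertion_xml, allowed_methods, now, max_age=timedelta(minutes=10)):
    """Resolve the returned SAML Context to a configured Authentication Method and
    check it against the methods an access policy permits; also reject stale or
    future-dated authentication.  Signature verification is assumed done already."""
    stmt = parse_authn_statement(assertion_xml)
    reasons = []
    method = CONTEXT_TO_METHOD.get(stmt["class_ref"])
    if method is None:
        reasons.append(f"unknown SAML context {stmt['class_ref']!r}")
    elif method not in allowed_methods:
        reasons.append(f"{method} is not permitted by this access policy")
    if stmt["authn_instant"] > now + timedelta(minutes=1):
        reasons.append("AuthnInstant is in the future")
    elif now - stmt["authn_instant"] > max_age:
        reasons.append("authentication is older than the policy allows")
    return {"ok": not reasons, "method": method, "reasons": reasons}


if __name__ == "__main__":
    print(build_authn_request("_constructed-request", "https://sp.example.test/metadata",
                              "https://sp.example.test/acs", "https://adfs.example.test/adfs/ls/",
                              "SAML Kerberos", "2024-01-01T12:00:00Z"))
    print(evaluate_access_policy(SAMPLE_ASSERTION, {"SAML Kerberos"}, SAMPLE_NOW))
```

The policy check is the reason the display names must be unique: the Service Provider can only turn a context URN back into one Authentication Method, and an access policy that lists "SAML Password" must not accidentally accept a Kerberos-authenticated session.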

6. Configure Single Sign-Out and access Service Provider Metadata

  1. Scroll down to find the additional configuration options.
  2. Enable the Single Sign-Out Configuration, which also signs users out of their IDP session when they sign out of Workspace ONE.  You can optionally provide a Sign-Out URL, which redirects users to that URL after they log out, and a Redirect Parameter, which appends URL parameters to the Sign-Out URL that the IDP can use to perform certain actions.  In our case we just want users redirected to our Identity Provider (AD FS) using SAML single logout with no additional parameters, so both fields remain blank.
  3. Right-click the Service Provider (SP) Metadata link.
  4. Click Open link in new tab.
    Providing this Service Provider Metadata to an Identity Provider establishes trust between the two parties as Identity Provider and Service Provider.  This metadata will be provided to AD FS when we configure VMware Identity Manager as a Relying Party (Service Provider).

7. Add the Third Party Identity Provider

Click Add to save the configuration of our Third Party Identity Provider for AD FS.
