Login as a Domain User

Now that we've established trust between AD FS as the Identity Provider and our VMware Identity Manager tenant as the Service Provider and configured our Relying Party Claim Rules to transform and issue the incoming claim to a format that our VMware Identity Manager tenant can process, we now need to attempt to login using the corp.local domain users and validate that our configurations are working.

Remember that due to the SE Lab F5 requirements, we are not routing external traffic properly to your AD FS instance that was installed on your ControlCenter server.  Instead, we will validate that our Windows 10 VM within the vApp network can login from both a browser and the VMware Workspace ONE app.

1. Connect to the Windows 10 VM

Double-click the RDP shortcut Win-10.rdp from the Desktop.

2. Authenticate as a Domain User in the Browser

  1. Open Google Chrome.
  2. Navigate to your VMware Identity Manager tenant URL.
  3. Enter "imauser" for the username, which is one of the corp.local domain users we synced.
  4. Click Next.

2.1. Authentication via AD FS

Notice that the user is not being prompted to be authenticated through the typical flow in VMware Identity Manager and is instead being re-directed to AD FS for authentication.  

  1. Enter "imauser" for the username.
  2. Enter "VMware1!" for the password.
  3. Click Log in.

2.2. Confirm Authentication was Successful

After the Claim is processed in AD FS, the claim is transformed via the Claim Rules we created earlier and responds in a manner that VMware Identity Manager is able to process, thus authorizing the user to login.

3. Authenticate as a Domain User in the VMware Workspace ONE App

  1. Launch the VMware Workspace ONE app.
  2. Enter your VMware Identity Manager tenant URL.
  3. Click Next.

3.1. Login as a corp.local domain user

  1. Enter "imauser" for the username.  This is one of the corp.local domain users we synced.
  2. Click Next.

3.2. Authenticate via AD FS

Notice that the user is being prompted for authentication through the Windows authentication method through AD FS that we configured.

  1. Enter "imauser" for the username.
  2. Enter "VMware1!" for the password.
  3. Click OK.

3.3. Confirm Authentication was Successful

As seen in our browser session, the claim is transformed and the outgoing claim authorizes the user to access Workspace ONE.  

After successfully authenticating, you should see a message indicating that your workspace is being configured, and eventually that the workspace is ready.  Click Enter.

4. Clear Authorization Cookies (IF NEEDED)

The authorization cookies last 8 hours after you authenticate to VMware Identity Manager.  If you need to re-authenticate again to test, you can either shorten the re-authentication timers of the Access Policy rules you configured, or you can clear your authorization cookies so that the browser and VMware Workspace ONE app sessions are removed which forces the user to authenticate again.

  1. Open Google Chrome and click the Options button.
  2. Click Settings.
  1. Enter "Clear Browsing Data" in the search field.
  2. Scroll down and click Clear Browsing Data.

4.2. Clear Cookies

  1. Select the beginning of time for the period.
  2. Ensure Cookies and other site data is checked.
  3. Click Clear Browsing Data.

4.3. Confirm or Inspect Cookies

To check if any cookies exist or to see which cookies are being stored for your VMware Identity Manager session, navigate back to Google Chrome:

  1. Right-click anywhere to pull up the options menu.
  2. Click Inspect.  Alternatively, you can use Ctrl + Shift + i to view the console.
  3. Select the Application tab.
  4. Find the Cookies section under Storage.  If there are no cookies listed, then you currently have no authorization cookies for your VMware Identity Manager tenant.  If they do exist, you'll be able to see them once you select your tenant URL under Cookies.
  5. You can also use the Delete button from here to remove all cookies for this page.

0 Comments

Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.