Create 3rd Party Identity Provider in Main IDM Tenant

With the Identity Provider Metadata (idp.xml) file saved, we can now establish trust between our two IDM tenants by supplying the Identity Provider Metadata to our Main IDM Tenant.  This process will allow users we designate to be authenticated by our IDP IDM Tenant rather than our Main IDM Tenant.

1. Create 3rd Party IDP

  1. Click the tab for your Main IDM Tenant Administrator Console.
    NOTE - Be sure you are accessing your MAIN IDM Tenant.  The URL should be https://{tenantName}
  2. Click Identity & Access Management.
  3. Click Identity Providers.
  4. Click Add Identity Provider.
  5. Click Create Third Party IDP.

1.1. Configure the 3rd Party IDP

  1. Enter "{yourtenant}-idp" for the Identity Provider Name.  
    NOTE - Replace {yourtenant} with the actual name of your IDP IDM Tenant!
  2. Click the File Explorer shortcut from the Task bar.

1.2. Open the idp.xml File

  1. Click Downloads.
  2. Double-click idp.xml to open the file.

1.2.1. Select the idp.xml File Text

Right-click anywhere in the idp.xml file and click Select All.

1.2.2. Copy the idp.xml File Text

Right-click again and click Copy.

1.3. Process the IdP Metadata

Back in the Main IDM Tenant,

  1. Right-click within the SAML Metadata text field.
  2. Click Paste.
  3. Click Process IdP Metadata.

1.4. Confirm the Name ID Format Mapping has Populated

After processing the provided IdP Metadata from IDP IDM Tenant, you'll see that the Name ID Format Mappings have been completed.  Rather than setting these values up manually, we simply provided the IdP Meatadata to populate these values.

Continue to the next step.

1.5. Configure 3rd Party IDP Authentication Details

  1. Scroll down to find the Users, Network, and Authentication Methods sections.
  2. Enable the Company_Directory_##### users to authenticate with this 3rd Party IDP.  The Company_Directory_##### directory was auto-created from AirWatch when we integrated VMware Identity Manager and synced our corp.local users.  This directory contains the users from corp.local.
  3. Enable ALL RANGES for the Network.
  4. Enter "{yourtenant}-idp-password" for the Authentication Methods name.  This name will be displayed in our Access Policies in the upcoming steps to determine how users authenticate.
    NOTE - Be sure to replace {yourtenant} with the name of your actual IDP IDM Tenant!
  5. Click the SAML Context dropdown and select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport from the list.  This dictates how our SAML assertion will be sent to our IDP IDM Tenant for authentication.

1.6. Save the Service Provider (SP) Metadata

Scroll down to the bottom of the page.

  1. Right-click the Service Provider (SP) Metadata link.
  2. Click Save link as...

1.6.1. Save the sp.xml File

  1. Click Downloads.
  2. Click Save.

1.7. Add the 3rd Party Identity Provider

Click Add.

2. Update Access Policies to Use 3rd Party IDP

  1. Click Identity & Access Management.
  2. Click Policies.
  3. Click Edit Default Policy.

2.1. Add Policy Rule

  1. Click Configuration.
  2. Click Add Policy Rule.

2.2. Configure Policy Rule Details

  1. Select ALL RANGES for the network range.
  2. Select All Device Types for the device type.
  3. Click the Groups textbox to display the list of available groups.
  4. Click [email protected].

2.3. Configure Policy Rule Details (continued)

  1. Scroll down to the bottom.
  2. Select Authenticate Using... for the action.
  3. Select {yourtenant}-idp-password from the list for the primary authentication method.  REMEMBER - this will be the name of the authentication method you entered while configuring the 3rd Party IdP earlier and should have your actual tenant name instead of "yourtenant"!
  4. Select Password (Local Directory) from the list for the fallback authentication method.
  5. Click Save.

2.4. Re-Order the Policy Rules and Continue

  1. Click and drag the Policy Rule you created using the {yourtenant}-idp-password authentication type to the top of the list.
    NOTE - Your created Policy Rule should appear above the other default policy rules before continuing!
  2. Click Next.

2.5. Save the Access Policy Rule

Review the configuration details as desired and then click Save.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.