Set Up an Identity Provider to Use Password (Cloud Deployment)

You will now configure the Built-In Identity Provider (IdP) in Workspace ONE Access to allow your corp.local domain users to authenticate to Workspace ONE Access by using their Active Directory credentials.

1. Configure the Built-In Identity Provider

  1. Click Identity & Access Management
  2. Click Identity Providers
  3. Click Built-In

1.1. Configure the Identity Provider

  1. Scroll down to find the Users and Network sections
  2. Enable the corp.local option under Users
  3. Enable the ALL RANGES option under Network

These settings specify that the Built-In Identity Provider is allowed to authenticate any corp.local domain user who attempts to authenticate from any network range.

1.2. Associate Connector with Identity Provider

  1. Scroll down to find the Connector(s) section
  2. Select conn-01a.corp.local from the list
  3. Click Add Connector

This setting specifies that the Lab Connector hosted on conn-01a.corp.local, which you configured earlier, is allowed to authenticate users for this Built-In Identity Provider. Associating the Connector with this Identity Provider allows it to use the Password (Cloud Deployment) authentication method, which requires the user to provide their Active Directory credentials.

NOTE: If you don't see a list of available connectors, you may need to wait a few moments until the connectors are queried.

1.3. Associate Connector Authentication Methods

  1. You will see the Lab (conn-01.corp.local) connector now listed as an active connector associated with the Built-In Identity Provider
    NOTE: You can associate multiple Connectors with a single Identity Provider to provide high availability for the associated connector authentication methods. This is beyond the scope of this lab, but you would associate additional connectors the same way you did in the previous step.
  2. Enable the Password (cloud deployment) Connector Authentication Method to associate this authentication method with the Built-In Identity Provider
  3. Click Save

1.4. Confirm the Identity Provider Was Created

The list of Identity Providers should now show your Built-In Identity Provider as having the Password (cloud deployment) authentication method enabled for the corp.local directory and that the conn-01a.corp.local connector is servicing this identity provider.

With your Built-In Identity Provider now configured, you are ready to configure your Access Policies to use this authentication method for your users.

2. Configure the Access Policy

  1. Click Identity & Access Management
  2. Click Policies
  3. Click Edit Default Policy

2.1. Add New Policy Rule

  1. Click Configuration
  2. Click Add Policy Rule

2.2. Configure Policy Rule Details

  1. Select ALL RANGES for the network range
  2. Select All Device Types for the device type
  3. Type [email protected] for the user group
  4. Click the [email protected] result

2.3. Configure the Authentication Method

  1. Scroll down to the bottom
  2. Select Authenticate using... for the action
  3. Select Password (cloud deployment) for the authentication method
  4. Click Save

You have now created an Access Policy rule that applies to any user in the [email protected] group who connects from any device type and any network range. When these users attempt to authenticate, they are allowed to authenticate with the Password (cloud deployment) method, which uses their Active Directory credentials.

2.4. Re-Order the Access Policy Rules

  1. Click and drag the created policy rule, which is the bottom policy rule that shows Any for the Device Type column, to the top of the list
  2. Click Next

Access Policy rules are evaluated from top to bottom when a user attempts to authenticate, and the first matching rule handles the request. This is important because a rule you create lower in the list may never be triggered at all if a rule above it already matches and processes the authentication request.
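To make the ordering rule concrete, here is a small Python model of top-to-bottom, first-match policy evaluation. It is an added illustration written for this page, not Workspace ONE Access code: the Rule and Request structures, the ANY wildcard, the sample rule set and the group name "corp-lab-users" (a stand-in for the lab's Active Directory group) are all constructed assumptions; only the evaluation order comes from the lab text.

```python
"""Toy first-match access-policy evaluator.

Added illustration for this lab page; it is not Workspace ONE Access code.
Assumed/constructed: the Rule and Request structures, the ANY wildcard, the
sample rule set and the group name "corp-lab-users". The only thing taken from
the lab text is the evaluation order: rules are checked top to bottom and the
first match decides which authentication method is offered.
"""
from dataclasses import dataclass

ANY = "ANY"  # wildcard standing in for "ALL RANGES", "All Device Types" or "All Users"


@dataclass(frozen=True)
class Rule:
    name: str
    network_range: str      # a named range, or ANY
    device_type: str        # e.g. "Web Browser", or ANY
    group: str              # a group name, or ANY
    auth_methods: tuple     # authentication methods offered by this rule


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # groups the user belongs to
    network_range: str
    device_type: str


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule matches when each of its conditions is ANY or equals the request's value."""
    return (
        rule.network_range in (ANY, req.network_range)
        and rule.device_type in (ANY, req.device_type)
        and (rule.group == ANY or rule.group in req.groups)
    )


def evaluate(policy: list, req: Request) -> tuple:
    """Walk the policy top to bottom; return (rule name, auth methods) of the first match."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule.name, rule.auth_methods
    return None, ()


def move_to_top(policy: list, rule_name: str) -> list:
    """Return a copy of the policy with the named rule dragged to the top (as in step 2.4)."""
    target = [r for r in policy if r.name == rule_name]
    rest = [r for r in policy if r.name != rule_name]
    return target + rest


# Constructed sample policy: one pre-existing default rule that covers every
# user on a web browser, plus the rule created in steps 2.2 and 2.3, which the
# console appends at the bottom of the list.
DEFAULT_WEB_RULE = Rule(
    name="Default: Web Browser",
    network_range=ANY,
    device_type="Web Browser",
    group=ANY,
    auth_methods=("Password (Local Directory)", "Password"),
)
AD_PASSWORD_RULE = Rule(
    name="corp.local users: Password (cloud deployment)",
    network_range=ANY,            # ALL RANGES
    device_type=ANY,              # All Device Types
    group="corp-lab-users",       # constructed stand-in for the lab's AD group
    auth_methods=("Password (cloud deployment)",),
)
POLICY_AS_CREATED = [DEFAULT_WEB_RULE, AD_PASSWORD_RULE]
POLICY_REORDERED = move_to_top(POLICY_AS_CREATED, AD_PASSWORD_RULE.name)

# Constructed sample sign-in attempts: a domain user in the group and a local admin.
AD_USER = Request("aduser", frozenset({"corp-lab-users"}), "corporate", "Web Browser")
LOCAL_ADMIN = Request("admin", frozenset(), "corporate", "Web Browser")


if __name__ == "__main__":
    for label, policy in (("as created", POLICY_AS_CREATED), ("reordered", POLICY_REORDERED)):
        for req in (AD_USER, LOCAL_ADMIN):
            name, methods = evaluate(policy, req)
            print(f"{label:10s} {req.user:6s} -> {name}: {methods}")
```

With the new rule left at the bottom, the domain user is caught by the broader default rule first and is never offered Password (cloud deployment); after `move_to_top`, the domain user gets the new rule while the local administrator, who is not in the group, still falls through to the default rule, which is the behaviour the lab describes.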

2.5. Review and Save

Review as desired and click Save.

Your Policies and Identity Providers are now configured to authenticate your [email protected] group using Password (cloud deployment) through your conn-01a.corp.local connector. Your System Domain (local users) will continue to be authenticated with their default methods (Password and Password (Local Directory)), since you did not modify these existing default policies.

3. Verify that corp.local Users Can Login

  1. Click Options
  2. Click New incognito window
  3. Enter https://{yourtenant}.vidmpreview.com to navigate back to the login screen of your Workspace ONE Access tenant
    NOTE: Replace {yourtenant} with your tenant name!

3.1. Login as aduser

  1. Enter aduser for the username
  2. Click Next

3.2. Enter the Domain User's Password

  1. Enter VMware1! for the password
  2. Click Sign in

3.3. Open the Settings Page

  1. Click the User icon
  2. Click Settings

3.4. Confirm the User Details

Confirm the Profile for the user shows you've signed in as AD User.

This confirms that you have successfully allowed the Built-In Identity Provider to use the Lab Connector you installed and configured earlier to use the Password (cloud deployment) authentication method to authenticate your corp.local users.

Continue to the next steps to log back in as your local Administrator account.

3.5. Close the Incognito Session

Click the Close button in the top-right corner of the Incognito session to return to the Workspace ONE Access Administration Console.
