Create a Third Party Identity Provider
In order for AD FS to authenticate our users, we need to create a Third Party Identity Provider (IdP) within Workspace ONE Access and use the FederationMetadata.xml downloaded from our Federation Service to establish trust between AD FS as the Identity Provider and Workspace ONE Access as the Service Provider.
1. Copy the ADFS Federation Metadata XML
- Click the File Explorer icon from the taskbar
- Click Downloads
- Right-click the FederationMetadata.xml
- Click Edit with Notepad++
1.1. Copy the Federation Metadata Contents
- Right-click and click Select All.
- Right-click and click Copy.
2. Create Third Party Identity Provider in Workspace ONE Access
Navigate to your Workspace ONE Access Administration Console in Google Chrome.
- Click Identity & Access Management
- Click Identity Providers
- Click Add Identity Provider
- Click Create Third Party IDP
2.1. Enter Identity Provider Name and SAML Metadata
- Enter AD FS for the Identity Provider Name. This is just a display name that will be used for this Third Party IDP.
- Paste the XML text contained in your FederationMetadata.xml file into the SAML Metadata field.
- Click Process IdP Metadata. This configures certain settings in your IDP based on the specifications that are noted within the Federation Metadata.
2.2. Confirm Processed IdP Metadata
After processing the IdP metadata, notice that the SAML AuthN Request Binding and the Name ID format mappings have been filled in automatically. These values were pulled from the FederationMetadata.xml and tell Workspace ONE Access how to send authentication requests to our Third Party IDP. The same import also loads the AD FS token-signing certificate, which Workspace ONE Access will use to verify the signature on the assertions AD FS returns, so it is worth confirming that the binding, endpoint and certificate shown match what your Federation Service actually publishes.
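What Process IdP Metadata reads out of the federation metadata, shown as an added example that is not part of this guide or of Workspace ONE Access: a Python parser over a constructed, trimmed AD FS-style metadata document (the hostname and the certificate body are placeholders) that extracts the entity ID, signing certificate, SSO and SLO endpoints per binding and the advertised NameID formats, followed by the sanity checks worth making before trusting the import: a signing certificate is present, endpoints are HTTPS, and the NameID format you intend to select is actually advertised.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for an AD FS FederationMetadata.xml, trimmed to the SAML IdP role.
# Real files also carry WS-Federation sections and a metadata signature; the hostname and
# the certificate body below are placeholders, not real values.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.corp.local/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="false">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        MIIDCONSTRUCTEDPLACEHOLDERCERTIFICATEBODY
        NOTAREALCERTIFICATE==
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.corp.local/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.corp.local/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.corp.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the values an SP needs from SAML IdP metadata.
    The metadata here is an admin-downloaded file; for XML from untrusted parties
    use defusedxml instead of the stdlib parser."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata?)")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(cert.text.split()))  # drop PEM-style line wrapping
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() in ("true", "1"),
        "signing_certs": certs,
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "nameid_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
    }


def check_idp_metadata(info, required_nameid_format=EMAIL_FORMAT):
    """Sanity checks to make before trusting imported IdP settings; returns a list of problems."""
    problems = []
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertion signatures could not be verified")
    if POST not in info["sso"] and REDIRECT not in info["sso"]:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for name, endpoints in (("SSO", info["sso"]), ("SLO", info["slo"])):
        for binding, url in endpoints.items():
            if not url.lower().startswith("https://"):
                problems.append(f"{name} endpoint for {binding} is not https: {url}")
    if required_nameid_format not in info["nameid_formats"]:
        problems.append(f"IdP does not advertise NameID format {required_nameid_format}")
    return problems


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(parsed["entity_id"], parsed["sso"].get(POST), parsed["nameid_formats"])
    print("problems:", check_idp_metadata(parsed))
```

Run it against the real FederationMetadata.xml by reading the file into `parse_idp_metadata`; the SSO endpoint for the HTTP-POST binding and the first signing certificate are the values the console should show after Process IdP Metadata.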
2.3. Select the Name ID Policy
Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress for the Name ID Policy.
2.4. Configure Users and Networks that can utilize this IDP
- Scroll down until you see the section for Just-in-Time user Provisioning
- Disable Just-in-Time User Provisioning
Just-in-Time user provisioning creates a user in Workspace ONE Access on the fly when someone authenticates through this Third Party IDP and no matching account exists yet, based on the attributes AD FS asserts. This can be useful for picking up missed or newly created users who have not been synced but still belong to the domain(s) that will be utilizing this Third Party IDP. With it disabled, as here, only users already synced from the directory can sign in through AD FS; an identity asserted by the IdP that Workspace ONE Access does not know is rejected rather than created.
- Select the corp.local users
This determines which users will be allowed to use this Third Party IDP when authenticating.
- Select ALL RANGES for the Network
2.5. Configure Authentication Methods for this IDP
You need to specify which authentication methods this Third Party IDP will utilize to authenticate our selected users.
- Scroll down until you see the section for Authentication Methods.
- Enter Windows Authentication for the Authentication Method.
- Select urn:federation:authentication:windows for the SAML Context.
- Click the Add (+) button to add another Authentication Method.
- Enter ADFS Password for the Authentication Method.
- Select urn:oasis:names:tc:SAML:2.0:ac:classes:Password for the SAML Context
The Authentication Methods column acts as a display name for the SAML Context. When creating Access Policies, the Authentication Methods column name will display as options for which authentication methods to use to authenticate our users. Note that these names must be unique across your Workspace ONE Access tenant, and cannot share names with the default Authentication Methods either!
The SAML Context tells the Identity Provider (AD FS in this instance) how the user should be authenticated. Workspace ONE Access places it in the RequestedAuthnContext element of the SAML AuthnRequest it sends to AD FS when a user attempts to log in through this Third Party IDP. AD FS authenticates the user with that method and returns a signed SAML Response whose Assertion records the outcome in its AuthnStatement.
For reference, here is a sample of a SAML Assertion as returned by AD FS after a user authenticates. Notice the AuthnStatement section, which records when the user authenticated (AuthnInstant) and, in AuthnContextClassRef, how they authenticated (Windows integrated authentication, i.e. Kerberos, in this case).
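How the SAML Context travels between the two parties, as an added example that is not code from this guide, from Workspace ONE Access or from AD FS: the AuthnRequest is built with the chosen class in RequestedAuthnContext and a NameIDPolicy of emailAddress, then the AuthnStatement of a constructed AD FS-style Response is checked against what was requested and against our own request ID. The SP entity ID and ACS URL are placeholders; XML signing and signature verification are left out and must be in place in a real deployment before any of the assertion is trusted.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# The SAML Context values from the two authentication methods configured above.
WINDOWS_CTX = "urn:federation:authentication:windows"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder SP and IdP values (assumptions); the real SP entity ID and ACS URL are in sp.xml.
SP_ENTITY_ID = "https://access.corp.local/sp"
ACS_URL = "https://access.corp.local/saml/acs"
IDP_ENTITY_ID = "http://adfs.corp.local/adfs/services/trust"
IDP_SSO_URL = "https://adfs.corp.local/adfs/ls/"


def build_authn_request(context_class, nameid_format=EMAIL_FORMAT):
    """Build the (unsigned) AuthnRequest the SP sends to AD FS. The SAML Context goes in
    RequestedAuthnContext, not in an AuthnStatement; the IdP reports the class it actually
    used in the Assertion it returns. Returns (request ID, XML); keep the ID for InResponseTo."""
    req_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{NS['samlp']}}}NameIDPolicy", {"Format": nameid_format, "AllowCreate": "false"})
    rac = ET.SubElement(root, f"{{{NS['samlp']}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = context_class
    return req_id, ET.tostring(root, encoding="unicode")


def make_sample_response(in_response_to, context_class, name_id="jdoe@corp.local"):
    """Constructed stand-in for the Response AD FS posts back to the ACS URL (signature omitted)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp1"
    Version="2.0" IssueInstant="2024-01-01T12:00:01Z" InResponseTo="{in_response_to}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T12:00:01Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">{name_id}</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_sess1">
      <saml:AuthnContext><saml:AuthnContextClassRef>{context_class}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_authn_context(response_xml, expected_request_id, requested_class):
    """Confirm the Response answers our request, comes from our IdP and used the method we asked for."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match our AuthnRequest ID (unsolicited or replayed response)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"name_id": None, "authn_instant": None, "authn_class": None, "problems": problems + ["no Assertion"]}
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("assertion Issuer is not our configured IdP")
    stmt = assertion.find("saml:AuthnStatement", NS)
    authn_class = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS) if stmt is not None else None
    if authn_class != requested_class:
        problems.append(f"AuthnContextClassRef {authn_class!r} differs from requested {requested_class!r}")
    return {
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn_instant": stmt.get("AuthnInstant") if stmt is not None else None,
        "authn_class": authn_class,
        "problems": problems,
    }


if __name__ == "__main__":
    rid, request_xml = build_authn_request(WINDOWS_CTX)
    print(request_xml)
    print(check_authn_context(make_sample_response(rid, WINDOWS_CTX), rid, WINDOWS_CTX))
```

The class-ref comparison is what makes the Authentication Methods list in the access policy meaningful: if you required Windows Authentication but the assertion reports a Password class, the SP should treat the login as not satisfying that policy rather than accept it.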
2.6. Configure Single Sign-Out and access Service Provider Metadata
- Scroll down to find the additional configuration options.
- Enable Single Sign-Out. With this enabled, signing out of Workspace ONE also ends the user's session at the IDP. You can optionally provide a Sign-Out URL, to which users are redirected after logging out, and a Redirect Parameter, which appends a URL parameter to the Sign-Out URL that the IDP can act on. In our case we just want users redirected to our Identity Provider (AD FS) using SAML single logout with no additional parameters, so both fields remain blank.
- Right-click the Service Provider (SP) Metadata link.
- Click Save link as...
You will be providing the Service Provider Metadata XML file to ADFS in an upcoming step to establish trust between the two parties as an Identity Provider and Service Provider.
2.6.1. Save the Service Provider (SP) Metadata file
- Click the Downloads folder
- Keep the default file name of sp.xml
- Click Save
2.7. Add the Third Party Identity Provider
Click Add to save the configuration of our Third Party Identity Provider for AD FS.
2.8. Copy the sp.xml File
- Click the down arrow button for the sp.xml download
- Click Show in Folder
2.8.1. Copy the sp.xml File to the Clipboard
- Right-click the sp.xml file
- Click Copy.
You will be copying the Service Provider (SP) XML metadata file to the virtual machine that is hosting ADFS in an upcoming step in order to establish trust between ADFS and Workspace ONE Access.