Using Workspace ONE Access as a Claims Provider in ADFS

There are many use cases when integrating ADFS with Workspace ONE. In this blog, I’m going to focus on the use case of using Workspace ONE as a claims provider.  The VMware documentation for integrating ADFS and Workspace ONE is quite good. Please reference the VMware Documentation for the official steps on this integration.  My blog is intended to compliment the official  documentation.

In this blog, we will focus on:

Warning – Do NOT Perform any of these steps on a production ADFS Server without testing in a lower environment. Once you add a second claims provider it will impact the experience for your users.

Creating Workspace ONE Access as a Claims Provider

Download Workspace ONE Access Metadata

  1. Log into your Workspace ONE Access Administration Console.
  2. Go to Catalog -> Web Apps
  3. Click on Settings
  4. Click on SAML Metadata
  1. Right-Click and Download your Identity Provider (IdP) Metadata.

Create your Claims Provider Trust


Warning – Do NOT Perform any of these steps on a production ADFS Server without testing in a lower environment. Once you add a second claims provider it will impact the experience for your users.

  1. Launch your ADFS Management Console
  2. Right Click on Claims Provider Trust and click “Add Claims Provider Trust”
  1. Click Start
  2. Select ” Import data about the claims provider from a file”
  3. Select the Workspace ONE Metadata file you just downloaded.
  4. Click Next
  5. Select a Display Name that is recognizable to your users. This name will appear on the ADFS Home Realm Discovery Page.
  6. Click Next
  7. Click Next
  8. Click Close

Configure Claim Rules

  1. Right Mouse on the newly created Claims Provider Trust and Click Edit Claims Rules
  2. Click Add Rule
  3. Select “Send Claims Using a Custom Rule” and Click Next
  4. Provide a Rule Name
  5. Paste the following Custom Rule. This rule will transform the incoming claim (Windows Account) and set AD as the source. In using this custom rule, we will not need to modify any existing Relying Parties that are already configured.
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] =="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

  1. Click Finish
  2. Click OK

Configuring the ADFS Application Source in Workspace ONE Access

  1. Download the federation metadata file for the AD FS server by navigating to the URL: https://{ADFSdomain}/FederationMetadata/2007-06/FederationMetadata.xml where {ADFSdomain} is replaced with the fully qualified domain name (FQDN) your AD FS server.
  2. Log into the Workspace ONE Access Admin Console
  3. Select Catalog -> Web Apps
  4. Click the Settings button
  5. Click Application Sources
  6. Click the ADFS Application Source
  1. Click Next
  2. Past the contents of the previously downloaded ADFS Metadata into the URL/XML box. It is recommended you paste the contents rather than pasting the URL.
  1. Click Next
  2. Click Next
  3. Click Save
  4. Click the ADFS Application Source again.
  5. Click the configuration tab
  6. Change the Username Format to Unspecified
  7. Change the Username Value to “${user.domain}\${user.userName}”
  1. Expand Advanced Properties
  2. Set Include Assertion Signature to Yes.
  3. For Signature Algorithm, select SHA256 with RSA.
  4. Change the Digest Algorithm to SHA256
  1. Click Next and Save

Testing the Workspace ONE Claims Provider

  1. Open a Private Browser
  2. Navigate to Service Provider that is using ADFS
  1. Verify that you see the ADFS Home Realm Discovery Page. Note: Your page will look different depending on how many claims providers you have configured.
  1. Select the option for Workspace ONE
  2. Enter your Credentials for Workspace ONE
  3. Verify that Workspace ONE responds with a successful SAML Response. Using a SAML Tracer, you can verify that the NameID is returned in a Domain\username format

Configure Workspace ONE Access as the default Claims Provider for an RP

If you have specific applications where you want to redirect all traffic for that application to Workspace ONE, you can perform the following steps:

  1. On the AD FS server, open a PowerShell session with elevated administrator rights.
  2. Run the following Powershell command
    Set-ADFSRelyingPartyTrust -TargetName "{RP_app}" -ClaimsProviderName “{VMWARE IDENTITY MANAGER CLAIMS PROVIDER}”
    -Replace the placeholders in the command as follows.
    -Replace {RP_app} with the name of the relying party trust corresponding to the target application.
    -Replace {VMWARE IDENTITY MANAGER CLAIMS PROVIDER} with the name of the claims provider trust that you configured for VMware Workspace ONE Access.
    -Use the names of the relying party trust and claims provider trust as they appear in the AD FS Management console.

Modifying your Onload.js

Depending on your use case, you may or may not want to do redirect all applications or all platforms for a particular application to Workspace ONE Access. As we saw above, the ADFS Home Realm Discovery page will by default prompt the user to select the claims provider.  Assuming you will not run the previous PowerShell command to default traffic for particular relying party to Workspace ONE Access, we will need to use the onload.js to automate the selection for the users.

We will walk through some of your options in the onload.js. First, lets address some things that you can NOT do:

  • You can not redirect to Workspace ONE Access based on username. Although it may appear that usernames appear in the request, you can not code for this reliably. If you use auto acceleration in Azure AD, you will not get usernames in the request.
  • You can not redirect based on groups.
  • You can not redirect based on network range.
  • You can not redirect based on having an enrolled device in Workspace ONE UEM.

Before we walk through what we can do, lets get started by exporting the current ADFS WebTheme.

  1. Log into the ADFS Server
  2. Run PowerShell as an Administrator
  3. Create a working folder by running the following command
    mkdir c:\myscripts
  4. Export the default ADFS web theme
    Export-AdfsWebTheme –Name "Default" –DirectoryPath c:\myscripts
  5. In PowerShell, create a new AD FS web theme
    New-AdfsWebTheme –Name "VIDM" –SourceName "Default"
  6. Re-import the onload.js into the new Web Theme
    Set-AdfsWebTheme -TargetName VIDM -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="c:\myscripts\script\onload.js"}
  7. Activate the new web theme
    Set-AdfsWebConfig -ActiveThemeName "VIDM"
  8. To save your changes, you will need to restart the AD FS instance
    Restart-Service adfssrv
  9. Open C:\myscripts\script\onload.js in a text editor such as Notepad++
  10. In the next couple section we will go through the possible options that you can make in the onload.js.  Once you make a change, you will need to re-import the onload.js. You do not need to activate or restart ADFS.
    We are going to use the following placeholders in the following sections:
    {AccessTenant} = FQDN of the VMware Workspace ONE Access service ie. https://dsas.vmwareidentity.com
    {AD FS Claims Provider} = ‘AD Authority’  Note: For older ADFS environments, you might need to use: ‘http://{ADFSdomain}/adfs/services/trust’

Redirecting Mobile Traffic

// redirect mobile traffic to Workspace ONE
if (navigator.userAgent.match(/iPad|iPhone|Android|Windows Phone/i) != null)
{
HRD.selection('https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml');
}else
{
HRD.selection(‘AD AUTHORITY’);
}

Support for IpadOS Devices

// ADDITIONAL LOGIC FOR iPadOS AND iOS 13 iPad DEVICES
if (navigator.userAgent.match(/Macintosh/i) != null)
{
if(navigator.maxTouchPoints > 2)
{
HRD.selection('https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml');
}
else
{
HRD.selection(‘AD AUTHORITY’);
}
}

Hiding the HRD Selection

// hide HRD selector from user
var hrdui = document.getElementById("bySelection");
hrdui.style.display = "none";

Applying Conditions to Only Specific Relying Parties

You will need to do some testing to make sure you get the correct values. If you TEMPORARILLY add the following code it will help get the correct values:
document.write(“\nWindowsLocation=“);
document.write(window.location.href);
document.write(“\n\nUserAgent=“);
document.write(navigator.userAgent);
document.write(“\n\nDocumentReferer=“);
document.write(document.referrer);

There are two options to choose from:

Option 1:
if ( window.location.href.indexOf(“urn%3afederation%3aMicrosoftOnline”|“https%3a%2f%2flogin.microsoftonline.com%2fextSTS.srf”) != -1 )
{
HRD.selection('https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml');
}

Option 2:
if (document.referrer.indexOf("https://tenant.my.salesforce.com/") != -1){
HRD.selection('https://{AccessTenant}/SAAS/API/1.0/GET/metadata/idp.xml');
}

Using ADFS Access Control Policies

If you are you using ADFS Access Control Policies, you might see some errors in the event viewer similar to:

“The caller is not authorized to request a token for the relying party “

“Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity  for relying party trust “

In order to comply with your Access Control Policies, we will need to add a policy to allow requests coming from Workspace ONE.

Here are two approaches that you can use:

Check for ‘Federated Authority’ in the Claims Request

This approach will not necessarily ensure the claim came from Workspace ONE. It will check if it came from a federated claim provider.

  1. Edit your Access Policy in ADFS
  2. Create a new rule that will permit users for a specific claim in the request.
  3. Select “Account Store” as the the Claim type and “FEDERATED AUTHORITY” as the Claim Value
  1. Your Rule would look similar to this:

Check for Specific Claim sent by Workspace ONE Access

In this approach, ADFS will validate a specific claim sent by Workspace ONE Access. There are a few more steps required in this approach.

  1. In Workspace ONE Access, open the Application Source for ADFS (Identity & Access Management -> Catalog -> Web Apps -> Settings)
  2. Click on Configuration and Expand Advanced Configuration
  3. Scroll down to Custom Attribute Mapping
  4. Add the attribute “http://schemas.microsoft.com/ws/2008/06/identity/claims/role”
  5. Select the format “Unspecified”
  6. Set the value to something like “WS1”
  1. Click Next, Next, Save
  2. In ADFS, edit the Claim Rules for the Workspace ONE Claims Provider Trust
  3. Add A New Claim Rule
  4. Select “Pass Through or Filter an Incoming Claim”
  5. Provide a Name and Select “Role” as the incoming claim.
  1. Click Finish. You may receive a warning, You can click OK or filter the claim value even further.
  2. Edit your Access Policy in ADFS
  3. Create a new rule that will permit users for a specific claim in the request.
  4. Select “Role” as the the Claim and “WS1” as the Claim Value
  1. Your Rule would look similar to:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s