Using Azure AD as a SAML IdP in Workspace ONE Access

In this blog, we are going to set up Azure AD as a 3rd Party IdP to provide seamless authentication into the Workspace ONE Access Digital Workspace. This blog assumes that you are using native Azure AD authentication, or a federated domain whose identity provider is NOT Workspace ONE Access.

Let's start by logging into Workspace ONE Access and downloading our Service Provider (SP) metadata.

Workspace ONE Access SP Metadata

  1. Log into your Workspace ONE Access Administration Console
  2. Click on Catalog -> Web Apps
  3. Click on Settings
  4. Click on SAML Metadata
  5. Download your Service Provider (SP) metadata file

Azure AD Configuration

  1. In your Azure AD console, click on Enterprise Applications
  2. Click on "New Application"
  3. Click "Create your own application"
  4. Provide a name for this application, e.g. Workspace ONE Access
  5. Click Create
  6. Click on Single sign-on
  7. Select SAML
  8. Click on "Upload metadata file" on the top bar
  9. Select the SP metadata file you downloaded earlier and click Add
  10. You will not need to modify anything at this point. Click Save
  11. Close the SAML Configuration window. If prompted to test the SAML sign-in, select "I'll test later".
  12. Under "User Attributes & Claims", click Edit
    1. In this scenario, we assume users are being synchronized into Workspace ONE Access by a connector. If you are configuring JIT provisioning of users into Workspace ONE Access, see the section on JIT.
    2. Delete all the additional claims
    3. Leave the User Principal Name as the NameID and close this configuration
  13. Under SAML Signing Certificate, click Add a Certificate
  14. Select New Certificate (or Import if you have a 3rd party certificate)
  15. Click Save and close the Certificate window when complete
  16. Download your Azure AD metadata (Federation Metadata XML)
  17. Click on Users and Groups
  18. Assign the appropriate users to the application

Creating Azure AD as a 3rd Party IDP in Workspace ONE Access

  1. Log into the Workspace ONE Access Administration Console
  2. Click on Identity & Access Management -> Identity Providers
  3. Click Add Identity Provider -> Create SAML IDP
  4. Provide a name, e.g. Azure AD
  5. Open the previously downloaded Azure AD metadata in a text editor and paste its contents into the metadata section. The metadata carries the Azure AD signing certificate; if you later rotate that certificate in Azure AD, repeat this step so Workspace ONE Access trusts the new one.
  6. Click "Process Metadata"
  7. Under Name ID format mapping, click the plus sign twice
    1. Add a mapping for "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" and map it to "userPrincipalName"
    2. Add a mapping for "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" and map it to "userPrincipalName"
  8. Under "Just in Time Provisioning", leave this blank. See the section on JIT if you are using JIT.
  9. Under Users, select the user store where the users exist
  10. Under Network, select "All Ranges"
  11. Under Authentication Methods, provide a name such as "AzureADPassword"
  12. Under SAML Context, select "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
  13. Create additional Authentication Methods as required
  14. Enable Single Logout
  15. Click Add

Workspace ONE Access Policy

  1. Click on Identity & Access Management -> Policies
  2. Edit the appropriate policy to include the new AzureADPassword authentication method and save.

Testing the Configuration

  1. In a browser, launch your Workspace ONE Access tenant
  2. You should automatically be redirected to Azure AD
  3. Enter your email and password
  4. Hopefully, you are authenticated successfully into Workspace ONE Access
  5. If not, use a SAML tracer to inspect the response sent back to Workspace ONE Access
    1. Verify that the Name ID Format and the corresponding value match our configuration in Workspace ONE Access. The value in the Name ID should match the userPrincipalName in Workspace ONE Access. Adjust the configuration accordingly to match your environment.
Note: The reason we include the "unspecified" format is that under certain conditions Microsoft will send "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" instead of "emailAddress".

Just-in-Time User Provisioning

While I strongly advise against Just-in-Time User Provisioning as a best practice (because there is no user lifecycle management), I'll document the steps to configure it, as many still want to use it.

Azure AD User Attributes & Claims

We will need to modify the user claims that Azure AD sends to Workspace ONE Access. Workspace ONE Access matches these claim names exactly.
Note: Do not add any Namespace with the attribute claims.

Claim Name          Value
email               user.mail
ExternalID          user.objectid
firstName           user.givenname
lastName            user.surname
userName            user.userprincipalname
userPrincipalName   user.userprincipalname

Another popular variation for userName is ExtractMailPrefix(user.userprincipalname).

Workspace ONE Access 3rd Party IDP Configuration

If you are doing JIT into Workspace ONE Access, you will need to enable this when creating the 3rd Party IDP. Enable the Just in Time Provisioning checkbox and provide the directory name and domain name that will be used (internally) for the provisioned users.

Testing

When you test this configuration, you will see the attributes above in the SAML response captured by your SAML tracer.

If you look at the user that was created in Workspace ONE Access, you will see the same values populated on the user record, including the External ID.

Make note that we are setting the External ID. If you are using Workspace ONE UEM, these two values need to match in both systems. You can use the AirWatch Provisioning Adapter to create accounts in UEM.

Note: You can NOT update the External ID attribute on an existing user in Workspace ONE Access.
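The two Testing sections above both come down to reading a SAML response off a tracer and comparing it with what Workspace ONE Access expects. As an added example (not code from the original post, VMware or Microsoft), the following Python script does that check offline: it decodes the SAMLResponse form field, checks the NameID format against the two mapped formats, the AuthnContextClassRef against the AzureADPassword method, the Audience against the SP entity ID, and, for JIT, that the five claims arrive with no namespace. The tenant ID, entity IDs, user and the build_sample_response helper are constructed for this example. It deliberately does not validate the XML signature or decrypt an EncryptedAssertion; that remains the service provider's job.

```python
"""Decode and sanity-check a SAML 2.0 Response (HTTP-POST binding) sent to Workspace ONE Access."""
import base64
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The two NameID formats the post maps to userPrincipalName in Workspace ONE Access.
MAPPED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
EXPECTED_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Claim names the post configures for JIT; Workspace ONE Access expects them without a namespace.
JIT_CLAIMS = {"email", "ExternalID", "firstName", "lastName", "userName"}
# Assumed placeholders for this example (not real tenants): the SP entity ID and the Azure AD issuer.
SP_ENTITY_ID = "https://access.example.com/SAAS/API/1.0/GET/metadata/sp.xml"
IDP_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"


def inspect_response(saml_response_b64, expected_audience=None, jit=False):
    """Return the fields a troubleshooter reads off a SAML tracer plus a list of
    problems relative to the configuration in the post. No signature validation here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext saml:Assertion in the response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    ctx = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    attributes = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    result = {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "authn_context": ctx,
        "audiences": audiences,
        "attributes": attributes,
        "problems": [],
    }
    p = result["problems"]
    if result["name_id_format"] not in MAPPED_NAMEID_FORMATS:
        p.append(f"NameID format {result['name_id_format']!r} has no Name ID format mapping")
    if not result["name_id"] or "@" not in result["name_id"]:
        p.append(f"NameID value {result['name_id']!r} does not look like a userPrincipalName")
    if ctx != EXPECTED_AUTHN_CONTEXT:
        p.append(f"AuthnContextClassRef {ctx!r} will not select the AzureADPassword method")
    if expected_audience and expected_audience not in audiences:
        p.append(f"Audience {audiences} does not include the SP entity ID {expected_audience!r}")
    if jit:
        missing = sorted(JIT_CLAIMS - attributes.keys())
        namespaced = sorted(n for n in attributes if n and ("/" in n or ":" in n))
        if missing:
            p.append(f"JIT claims missing from the AttributeStatement: {missing}")
        if namespaced:
            p.append(f"claims sent with a namespace (Workspace ONE Access will not match them): {namespaced}")
    return result


def build_sample_response(name_id_format, claims, audience=SP_ENTITY_ID):
    """Construct a minimal, unsigned response shaped like an Azure AD one (made-up data)."""
    attrs = "".join(
        f'<saml:Attribute Name="{escape(n)}"><saml:AttributeValue>{escape(v)}'
        f'</saml:AttributeValue></saml:Attribute>' for n, v in claims.items())
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
        f'IssueInstant="2021-01-01T00:00:00Z"><saml:Issuer>{IDP_ISSUER}</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">'
        f'<saml:Issuer>{IDP_ISSUER}</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="{name_id_format}">jdoe@example.com</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '<saml:AuthnStatement AuthnInstant="2021-01-01T00:00:00Z"><saml:AuthnContext>'
        f'<saml:AuthnContextClassRef>{EXPECTED_AUTHN_CONTEXT}</saml:AuthnContextClassRef>'
        '</saml:AuthnContext></saml:AuthnStatement>'
        f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    good = build_sample_response(
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        {"email": "jdoe@example.com", "ExternalID": "11111111-2222-3333-4444-555555555555",
         "firstName": "Jane", "lastName": "Doe", "userName": "jdoe@example.com"})
    print(inspect_response(good, expected_audience=SP_ENTITY_ID, jit=True)["problems"])  # []
    # Namespaced claim and an unmapped NameID format, as seen when the Azure AD claims were left at defaults.
    bad = build_sample_response(
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Jane"})
    for problem in inspect_response(bad, expected_audience=SP_ENTITY_ID, jit=True)["problems"]:
        print("-", problem)
```

To use it against a real login, copy the SAMLResponse value from your SAML tracer (the base64 string posted to the Workspace ONE Access ACS URL) and pass it to inspect_response with your tenant's SP entity ID from the metadata you downloaded in the first section; pass jit=True only if you configured the JIT claims.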
