In this blog we are going to walk through the configuration of using HYPR Passwordless Authentication with Workspace ONE Access. HYPR can be integrated with Workspace ONE as a primary authentication method or as a second factor of authentication. Hypr can be integrated with Workspace ONE Access using either SAML, OIDC, or Radius. In this blog, we are going to focus on the SAML Integration.
Lets start by downloading our Workspace ONE Access metadata.
Download Workspace ONE Access Metadata
- Log into the Workspace ONE Access Admin Console
- Go to Catalog -> Web Apps
- Click on the settings button.
- Click on the Service Provider (SP) metdata and download a copy to your local file system.
Create a New Client in HYPR
- In your HYPR Keycloak Admin Console, go to Clients -> Create
- Under import, click select file and choose your Workspace ONE Access Metadata that you previously downloaded.
- The Client ID and Protocol should be automatically populated
- Click Save
- Edit the client you just created.
- Ensure that the correct Login Theme is selected
- Select RSA_SHA256 for the Signature Algorithm
- Ensure that the Name ID format is using the correct attribute to properly map to users in Workspace ONE Access.
- Click Save
- Download your IdP Metadata by going to https://{hyprserver}/auth/realms/{realm}/protocol/saml/descriptor
Create your 3rd Party IDP in Workspace ONE Access
- In the Workspace ONE Access Admin Console, go to Identity & Access Management-> Identity Providers
- Click on Add Identity Provider -> Create SAML IDP
- Provide a Name for this Identity Provider ie. HYPR
- Paste the IdP Metadata that was previously downloaded into the space provided.
- Click Process Metadata
- Select the Name ID Format “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”
- Select username for the value. Note: If you are mapping to a different attribute, select the appropriate value per your environment.
- Under Users, select the correct directory that will be used to match users from the assertion sent from Hypr:
- Select All Ranges
- Under Auth Methods, provide a unique name for this Authentication ie. HYRP-Passwordlesss
- Select “urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport” as the SAML Context.
- Click Add
Set up your Access Policy
In this example, we are going to use HYPR as a fallback authentication mechanism to Certificate Based Authentication. In my environment, all my managed devices will use Certificate Based Authentication or Mobile SSO with Device Compliance. For my unmanaged devices, I’m going to provide a fallback to Hypr for Authentication.
- In Identity & Access Management -> Policies
- Edit your default policy.
- Edit your Windows 10 and/or MacOS Policy
- Add HYPR as a Fallback to allow for managed devices
- Click Save,
- Click Next
- Click Save
Note: If you want to use HYPR as a second factor of authentication, you can add it along with Mobile SSO or Certificate Based Authentication
The one thing to be aware of is that HYPR can not currently support accepting usernames in the SAML Authentication request. This provides a less than ideal solution where the user has to enter a username when redirected to HYPR. The user will get an error in Workspace ONE Access if they authenticate with a different username than expected.
Testing the flow
- Access your HYPR Device Manager in your browser, click Add Device
- Select Smartphone and Scan the provided barcode with your HYPR App
- Now Log into Workspace ONE Access
- You should be redirected to HYPR
- Enter your username and select Smartphone
- You should get a notification on your device
- Click OK and complete the biometric challenge.
- You should now be successfully authenticated into Workspace ONE Access.
Steve The Identity Guy 