KB N°08: Configuring VMware Workspace ONE Access as an Identity Provider (IDP) with Olfeo Saas

Published on October 3, 2023. Modified on November 29, 2023.

Context

This document covers the basic configuration of VMware's Workspace ONE Access solution (formerly known as VMware Identity Manager) as an Identity Provider (IDP) with the Olfeo Saas product.

Workspace ONE Access from VMware is an authentication and identity management solution that enables organizations to secure and manage access to applications, data and resources for their end users. It acts as an IDP, providing single sign-on (SSO) and centralized identity management for cloud products.

Important note

The screenshots below were taken with Workspace ONE Access version 21.08, so there may be differences depending on the version you are using. The principle, however, remains broadly the same.

Prerequisites

Have synchronized your corporate directory with Olfeo Saas. Please refer to the Olfeo Saas technical documentation: Configuring and managing directories.
Ensure that the Workspace ONE Access endpoints required for authentication (the SAML single sign-on endpoint and the IdP metadata URL) are reachable from the Internet: users' browsers are redirected to them during login, and Olfeo Saas reads the metadata URL you will provide at the end of this procedure.
Select the SAML authentication method for your Olfeo Saas directory.

Configuration steps:

    1. Go to Catalog > Web Apps.
    2. Click on New to add a New application.
    3. Name the application and click Next.


    4. In the Configuration section:

Enter the following information for Single Sign-On (XXXXX is a placeholder for your tenant-specific value):
- Authentication type: SAML 2.0
- Configuration: Manual
- Single Sign-On URL (Olfeo login URL): https://saas.trustlane.io/api/sso/saml/XXXXX/login
- Recipient URL (Olfeo reply URL, ACS): https://saas.trustlane.io/api/sso/saml/XXXXX/acs
- Application ID (Olfeo entity identifier): https://saas.trustlane.io/api/sso/saml/XXXXX/login
- Username format: e-mail address (name@domain.com)
- Username value: ${user.userPrincipalName}

Caution: the identifying property defined when you synchronized your directory with Olfeo Saas must be the value sent in the NameID attribute (here, Username value: ${user.userPrincipalName}). If the NameID does not match the identifier Olfeo Saas holds for the user, the user will not be matched to a directory entry even though the assertion is otherwise valid.


Still in the Configuration section, enter the signature settings. Both the response and the assertion must be signed so that Olfeo Saas can verify that neither was altered in transit:
- Sign response: enabled
- Sign assertion: enabled
- Signature algorithm: SHA256 with RSA
- Pre-processing (digest) algorithm: SHA256
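When SSO fails after this step, the fastest diagnostic is to capture the SAMLResponse form field in the browser and compare it with the values entered above. The script below is an added example written for this page, not code from Olfeo or VMware: it checks that Destination matches the ACS URL, that Audience matches the entity identifier, that the NameID is in e-mail format, and that both Response and Assertion carry a ds:Signature using the SHA-256 algorithms. It does not verify the signatures themselves (that needs a library such as python3-saml/xmlsec together with the IdP certificate); the sample response it ships with is constructed, with placeholder IDs and a fake signature value, so the script runs offline.

```python
"""Structural check of a captured SAMLResponse against the SP settings entered above.

Added example (not from the Olfeo or VMware documentation). Checks structure only:
Destination/ACS, Audience/Entity ID, NameID format, presence of ds:Signature on both
Response and Assertion, and the SHA-256 URIs. It does NOT verify XML signatures.
"""
import base64
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values from the Configuration section; XXXXX is the page's tenant placeholder.
EXPECTED = {
    "acs": "https://saas.trustlane.io/api/sso/saml/XXXXX/acs",
    "entity_id": "https://saas.trustlane.io/api/sso/saml/XXXXX/login",
}


def check_saml_response(xml_text: str, expected: dict = EXPECTED) -> list:
    """Return a list of problems; an empty list means the response matches the settings."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Destination") != expected["acs"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no saml:Assertion (encrypted assertions are not handled here)")
        return problems

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["entity_id"]:
        problems.append(f"Audience {audience!r} != Entity ID")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID format {name_id.get('Format')!r} is not emailAddress")
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not an e-mail style identifier (UPN expected)")

    # "Sign response" and "Sign assertion": both elements must carry a ds:Signature.
    for label, node in (("Response", root), ("Assertion", assertion)):
        sig = node.find("ds:Signature", NS)
        if sig is None:
            problems.append(f"{label} is not signed")
            continue
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        if sm is None or sm.get("Algorithm") != RSA_SHA256:
            problems.append(f"{label} signature algorithm is not SHA256 with RSA")
        if dm is None or dm.get("Algorithm") != SHA256:
            problems.append(f"{label} digest (pre-processing) algorithm is not SHA256")
    return problems


def check_saml_response_b64(b64: str, expected: dict = EXPECTED) -> list:
    """Same check on the base64 SAMLResponse form-field value captured from the browser."""
    return check_saml_response(base64.b64decode(b64).decode("utf-8"), expected)


def sample_response(sig_alg=RSA_SHA256, digest_alg=SHA256, sign_assertion=True) -> str:
    """Constructed sample: placeholder IDs and a fake SignatureValue, for offline runs only."""
    def signature():
        return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
                f'<ds:SignatureMethod Algorithm="{sig_alg}"/>'
                f'<ds:Reference><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>'
                '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0" Destination="{EXPECTED["acs"]}">{signature()}'
            f'<saml:Assertion ID="_a1" Version="2.0">{signature() if sign_assertion else ""}'
            f'<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jdoe@example.com'
            '</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{EXPECTED["entity_id"]}</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    print("good sample:", check_saml_response(sample_response()))
    print("assertion unsigned:", check_saml_response(sample_response(sign_assertion=False)))
```

On a real capture, pass the SAMLResponse field value to check_saml_response_b64; an empty list means the IdP side matches what was entered, and any remaining failure is then on the NameID/identifier side or in the signature verification that this script deliberately leaves to a SAML library.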


    5. On the Access Policies page, select the default policy or one you have created. Access policies define, among other things, how long the authentication session issued by the IDP remains valid for the service providers (here, Olfeo Saas) that rely on it.
    6. Click Next, then Save and Assign.
    7. Under Catalog > Web Apps, click Settings.
    8. In the Settings window, open the SAML Metadata section.

Click Identity Provider (IdP) metadata. This opens a new browser window containing XML data. Copy the "Entity ID" URL, which has the form https://YYYYYYY/SAAS/API/1.0/GET/metadata/idp.xml (YYYYYYY is your Workspace ONE Access tenant host).

Then return to the Olfeo Saas administration interface, go to Configuration > Directories, edit the directory, open the Authentication tab, and paste this URL into the "Supplier metadata" (identity provider metadata) field.

    9. Finally, in VMware Workspace ONE Access, go back to Catalog, select the application you created and assign the users of your choice.