GUIDE – APRIL 2019 PRINTED 2 OCTOBER 2019 INTEGRATING PINGFEDERATE: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE



Table of Contents

Overview

– Introduction

– Audience

Adding Workspace ONE as an IdP Connection in PingFederate

– Introduction

– Prerequisites

– Retrieving Metadata from Workspace ONE Access

– Creating Identity Provider Connection

– Creating a New Authentication Policy Contract

– Configuring the Authentication Policy Contract

– Configuring Protocol Settings

– Completing Identity Provider Connection

– Exporting Metadata from PingFederate

– Configuring PingFederate Application Source in Workspace ONE Access

– Configuring Salesforce in PingFederate

– Testing Authentication to Salesforce using PingFederate

Creating Authentication Policies in PingFederate

– Introduction

– Prerequisites

– Configuring Identity Provider Selectors


– Configuring Authentication Policies in PingFederate

– Configuring HTML Form Adapter

– Configuring Identity Provider Connection

– Testing Authentication to Salesforce

Adding PingFederate Applications to the Workspace ONE Catalog

– Introduction

– Prerequisites

– Retrieving Salesforce Entity ID from PingFederate

– Adding Salesforce to Workspace ONE Catalog

– Testing Authentication to Salesforce from Workspace ONE Catalog

Adding PingFederate as Third-Party IdP in Workspace ONE

– Introduction

– Prerequisites

– Exporting SAML Metadata from Workspace ONE Access

– Adding Service Provider Connection in PingFederate

– Configuring Browser SSO Settings

– Reviewing Browser SSO Settings

– Completing Service Provider Connection Details

– Exporting Metadata from PingFederate

– Adding PingFederate as an IdP in Workspace ONE

– Modifying Authentication Policies in Workspace ONE Access

– Testing Single Sign-On to Workspace ONE

Configuring Authentication Failure Notification


– Introduction

– Prerequisites

– Logging In to the Workspace ONE Access Console

– Enabling Authentication Failure Notification

– Modifying the Authentication Policy in PingFederate

– Testing Single Sign-On to MS Office 365

Summary and Additional Resources

– Conclusion

– Terminology Used in This Tutorial

– Additional Resources

– About the Author

– Feedback


Integrating PingFederate: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you integrate PingFederate with Workspace ONE. Procedures include adding Workspace ONE as an IdP connection in PingFederate and adding PingFederate as a third-party IdP in Workspace ONE.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, as is familiarity with Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

Adding Workspace ONE as an IdP Connection in PingFederate

Introduction

This tutorial helps you to integrate VMware Workspace ONE® with PingFederate®. In this section, you add Workspace ONE as an IdP connection in PingFederate. Procedures include:

– Creating the IdP connection
– Creating and configuring the authentication policy contract
– Configuring protocol settings
– Configuring the PingFederate application source in Workspace ONE Access
– Configuring Salesforce in PingFederate
– Testing authentication to Salesforce using PingFederate

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured.

– Admin access to both a Workspace ONE Access tenant and a PingFederate appliance
– PingFederate must have both Identity Provider and Service Provider roles enabled
– Test application federated with PingFederate (to follow the steps in this exercise, use Salesforce)
– Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
– Optional: Mobile device to test redirection to Workspace ONE

Retrieving Metadata from Workspace ONE Access

Before configuring Workspace ONE as an identity provider connection, you must collect the appropriate metadata from the Workspace ONE Access tenant.

INTEGRATING PINGFEDERATE: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL

GUIDE | 6

1. Navigate to Web Apps

1. Click Catalog.
2. Click Web Apps.

2. Navigate to Settings

Click Settings.


3. Navigate to SAML Metadata

1. Select the SAML Metadata menu.
2. Right-click Identity Provider (IDP) metadata.
3. Click Save link as...

4. Save Metadata File

Click Save to save the idp.xml file locally on your computer.

Creating Identity Provider Connection

After you have exported the metadata, you are ready to create the identity provider (IdP) connection.

1. Create New IdP Connection

In the PingFederate admin console:

1. Click Service Provider.
2. Click Create New to create a new IdP Connection.

2. Configure Connection Type


1. Select BROWSER SSO PROFILES.
2. Click Next.

3. Select Connection Options


1. Select BROWSER SSO for this connection.
2. Click Next.

4. Import Metadata


1. Select File as the option to import metadata.
2. Click Choose File.

5. Select Metadata File


1. Select the idp.xml file previously downloaded from the Workspace ONE Access tenant.
2. Click Open.

6. Confirm File Uploaded


1. Verify that the correct file was uploaded.
2. Click Next.

7. Confirm Entity ID


1. Verify that the Entity ID matches your tenant.
2. Click Next.

8. Review Configuration

Click Next to configure Browser SSO settings.


9. Configure Browser SSO

Click Configure Browser SSO.

10. Select SAML Profiles

1. Select IDP-INITIATED SSO.
2. Select SP-INITIATED SSO.
3. Click Next.


11. Configure User-Session Creation

Click Configure User-Session Creation.

12. Select Identity Mapping Mode


1. Select Account Mapping.
2. Click Next.

13. Confirm Attribute Contract


In this exercise, Workspace ONE Access sends only a single attribute in the assertion (SAML_SUBJECT).

Click Next to Map a New Authentication Policy.

Creating a New Authentication Policy Contract

In this section, you continue to configure the IdP connection. This connection does not use any local adapter instances for authentication. Instead, you map it to an authentication policy contract which you create in this exercise.

1. Map New Authentication Policy


Click Map New Authentication Policy.

2. Manage Authentication Policy Contract

Click Manage Authentication Policy Contracts.

3. Create New Contract


Click Create New Contract.

4. Enter Contract Name

1. Enter a contract name, for example, Workspace ONE.
2. Click Next.


5. Confirm Attribute Contract

This configuration uses a single attribute (SAML_Subject).

Click Next.

6. Review Contract Details


Click Done.

7. Confirm Contract Creation


Validate that the new contract has been created.

Click Save.

Configuring the Authentication Policy Contract

In this section, continue the IdP Connection wizard to configure the policy contract.

1. Select the New Policy Contract


1. Select the new policy contract from the drop-down menu, for example, Workspace ONE.
2. Click Next.

2. Select Authentication Policy Contract Subject


For this setup, Salesforce requires only the attribute provided in the assertion to fulfill the contract. Depending on the SaaS application you are using to test this configuration, you might need to use the assertion to look up additional information.

1. Select Use only the attributes available in the SSO assertion.
2. Click Next.

3. Select Contract Fulfillment Values


1. Select Assertion from the drop-down menu.
2. Select SAML_Subject from the drop-down menu.
3. Click Next.

4. Review Optional Issuance Criteria


Click Next.

5. Confirm Authentication Policy Contract Details


Verify the Authentication Policy Contract summary.

Click Done.

6. Confirm Policy Contract is Mapped


1. Verify that the new Authentication Policy Contract has been mapped.
2. Click Next.

7. Confirm User-Session Creation Details


Click Done.

Configuring Protocol Settings

In this section, configure the Browser SSO Protocol Settings, including SSO service URLs, SAML bindings, and signature and encryption policy settings.

1. Continue to Protocol Settings

Click Next.

2. Configure Protocol Settings


Click Configure Protocol Settings.

3. Confirm SSO Service URLs


1. The endpoint URLs for the Redirect and POST bindings should both be populated automatically from the metadata. If not, enter the URL manually. The path is the same for both bindings in all tenants, /SAAS/auth/federation/SSO, appended to your tenant URL.
2. Click Next.

4. Select SAML Bindings


1. Select POST.
2. Select REDIRECT.
3. Click Next.

5. Review Optional Overrides


Click Next.

6. Configure Signature Policy


1. Select Specify Additional Signature Requirements.
2. Select Sign Authn Requests Over Post and Redirect Bindings.
3. Click Next.

7. Review Optional Encryption Policy Settings


Encryption of the SAML assertion is optional. For this configuration it is not required: the assertion carries only the subject identifier and is delivered over HTTPS. Enable it if the assertion will carry sensitive attributes.

Click Next.

8. Confirm Protocol Settings Configuration


Click Done.


9. Confirm Protocol Settings Applied

Click Next.

10. Review Protocol Settings


Review the Browser SSO summary.


1. Scroll to the bottom.
2. Click Done.

Completing Identity Provider Connection

In this section, complete the final IdP connection details.

1. Continue to Configure Credentials

Click Next.

2. Confirm Credential Requirement Details


1. The signing certificate should be populated automatically from the metadata. Confirm that it is the certificate contained in the idp.xml you downloaded; PingFederate uses it to verify the signature on assertions from Workspace ONE Access.
2. Click Next.

3. Select Connection Status


Select Active.


4. Save Configuration

1. Scroll down to the bottom of the summary.
2. Click Save.

5. Confirm IdP Connection Creation


Validate that the new IdP Connection has been created.

Exporting Metadata from PingFederate

The next step is to add PingFederate as a service provider in Workspace ONE Access. First, export the corresponding metadata file from PingFederate.

1. Select Metadata Export

In the PingFederate admin console:

1. Click Server Configuration.
2. Click Metadata Export.

2. Select Metadata Role


1. Select I am the Service Provider (SP).
2. Click Next.

3. Select Metadata Mode


1. Select Use a Connection for Metadata Generation.
2. Click Next.

4. Review Connection Metadata


Click Next.

5. Select Metadata Signing Details


1. Select the signing certificate for your PingFederate setup from the drop-down menu.
2. Select RSA SHA256 as the signing algorithm.
3. Click Next.

6. Review Summary and Export Metadata


Click Export.

7. Save Metadata File


Save the metadata.xml file locally on your computer.

Click Save.

8. Open Metadata File

Open the metadata.xml file downloaded from PingFederate and copy the contents of the file to the clipboard.


Configuring PingFederate Application Source in Workspace ONE Access

Now that you have exported the metadata from PingFederate, you are ready to configure the PingFederate application source in Workspace ONE Access.

1. Configure PING Application Source

In the Workspace ONE Access administration console:

1. Click Application Sources.
2. Click PING.

2. Start PING Application Source Wizard


Click Next.

3. Configure PING Application Source Single Sign-On


1. Select URL/XML as the configuration method.
2. Paste the contents of the metadata.xml file downloaded from PingFederate into the text box.
3. Click Next.

4. Select PING Application Source Access Policies


1. Select an access policy from your Workspace ONE Access tenant using the drop-down menu. For this setup, we have selected an access policy which challenges for domain credentials to test the configuration.
2. Click Next.

5. Complete PING Application Source Wizard


Click Save.

Configuring Salesforce in PingFederate

Next, modify the service provider connection (Salesforce) in PingFederate to authenticate with the newly created IdP Connection (Workspace ONE Access).

1. Select Service Provider Connection


Navigate back to the PingFederate admin console.

1. Click Identity Provider.
2. Select your test SP Connection.

2. Configure Browser SSO

1. Select Browser SSO.
2. Click Configure Browser SSO.

3. Configure Assertion Creation


1. Select Assertion Creation.
2. Click Configure Assertion Creation.

4. Map New Authentication Policy

Click Map New Authentication Policy.


5. Select Authentication Policy Contract

1. Select the Workspace ONE authentication policy contract from the drop-down menu.
2. Click Next.

6. Select Mapping Method


1. Select Use Only the Authentication Policy Contract Values in the SAML Assertion.
2. Click Next.

7. Select Attribute Contract Fulfillment Values


1. Select Authentication Policy Contract from the Source drop-down menu.
2. Select subject from the Value drop-down menu.
3. Click Next.

8. Review Optional Issuance Criteria


Click Next.

9. Review Summary


Click Save.

10. Confirm Workspace ONE Contract Mapping


1. Validate that the Workspace ONE contract has been mapped.
2. Click Delete to delete the HTML Form Adapter mapping.
3. Click Save.

Testing Authentication to Salesforce using PingFederate

You can now test authentication to your SaaS application. In this exercise, log in to Salesforce using PingFederate. PingFederate redirects you to Workspace ONE Access for authentication and then launches Salesforce. The SAML assertion created by Workspace ONE Access is validated by PingFederate, which in turn issues a SAML assertion for Salesforce.

1. Navigate to Salesforce Login


Navigate to the Salesforce login page and click PingFederate.

2. Enter Domain Credentials for Workspace ONE Access


Enter the domain credentials for your test user in Workspace ONE Access.

1. Enter the username. For example, user.
2. Enter the password. For example, VMware1!.
3. Click Sign in.

3. Confirm Salesforce Launches


After validating the credentials in Workspace ONE Access, you are redirected and logged directly into the Salesforce tenant.

Creating Authentication Policies in PingFederate

Introduction

This section helps you to create authentication policies in PingFederate. Procedures include:

– Configuring identity provider selectors
– Configuring authentication policies
– Configuring the HTML Form Adapter and IdP connection
– Testing authentication to Salesforce using mobile and non-mobile devices

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured.

– Admin access to both a Workspace ONE Access tenant and a PingFederate appliance
– PingFederate must have both Identity Provider and Service Provider roles enabled
– Test application federated with PingFederate (to follow the steps in this exercise, use Salesforce)
– Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
– Optional: Mobile device to test redirection to Workspace ONE

Configuring Identity Provider Selectors

In this exercise, you create a new selector that allows different authentication requests for different applications federated with PingFederate. You can choose to redirect authentication requests to Workspace ONE only for specific applications.

With a selector in PingFederate, you can differentiate mobile traffic from non-mobile traffic and decide how each will be authenticated. For this exercise, use the built-in Mobile Client Selector.

For more information, see Selectors in PingFederate documentation.

1. Navigate to Selectors

In the PingFederate admin console:

1. Click Identity Provider.
2. Click Selectors.

2. Select Mobile Client Selector


Select the Mobile Client Selector.

3. Review Authentication Selector Details

This selector checks the User-Agent header of the incoming request and returns a positive result if it matches one of the user agents specified for iOS or Android. Because the User-Agent is supplied by the client, treat the selector as a routing decision rather than a security control: the authentication strength comes from the adapter or IdP connection it routes to, not from the selector itself.

Click Done.


4. Create New Selector Instance

Click Create New Instance.

5. Enter Authentication Selector Values

1. Enter an instance name. For example, AppSelector.
2. Enter an instance ID. For example, AppSelector.
3. Select Connection Set Authentication Selector from the Type drop-down menu.
4. Click Next.

6. Configure Selector Connections


1. Click Add a new row to Connections.
2. Select your test application (Salesforce) from the Connections drop-down menu.
3. Click Update.
4. Click Next.

7. Review Selector Summary


Verify the selector summary.

Click Done.

8. Save Selector Configuration


Click Save.

Configuring Authentication Policies in PingFederate

Now that you have added Workspace ONE as an identity provider in PingFederate, you can create policies in PingFederate to decide when users will be authenticated in Workspace ONE versus with a local authentication adapter in PingFederate. For more information, see Policies in PingFederate documentation.

1. Navigate to Policies

Click Policies.

2. Enable Authentication Policies

1. Select the Enable IDP Authentication Policies check box.
2. Select the Enable SP Authentication Policies check box.

3. Add AppSelector

The first action in the policy tree identifies the target application into which the end user is trying to authenticate. Add the previously created AppSelector.

1. Select the Action drop-down menu.
2. Click Selectors.
3. Click AppSelector.

4. Define AppSelector Negative Values

If the AppSelector selector returns negative, you can choose to authenticate the end user locally using the HTML Form Adapter.

1. Select the Action drop-down menu next to the No result.
2. Select HTMLFormAdapter.


5. Define HTML Form Adapter Values

If the authentication attempt with the HTML Form Adapter fails, access to the application is denied. If the authentication attempt is successful, the Policy Contract associated with the application/connection is fulfilled.

1. Click Done next to the Fail result.
2. Select the Action drop-down menu next to the Success result.
3. Select Policy Contracts.
4. Select the Workspace ONE policy contract.

6. Define AppSelector Positive Values


Now, return to the first action. If the AppSelector selector returns positive, you will use a second selector (MobileClientSelector) to check if the authentication request is from a mobile device.

1. Select the Action drop-down menu next to the Yes result.
2. Click Selectors.
3. Select the Mobile Client Selector.

7. Define Mobile Client Selector Values


If the Mobile Client Selector returns negative, authenticate the requests locally with the HTML Form Adapter.

1. Select the Action drop-down menu next to the No result.
2. Select the HTMLFormAdapter.

8. Define HTML Form Adapter Values

Use the same settings for the result of this HTML Form Adapter as the previous one.

1. Click Done if the authentication fails.
2. Select the Workspace ONE - (Policy Contract) if the authentication is successful.

9. Define Mobile Client Selector Positive Values


If the Mobile Client Selector returns positive, redirect the authentication request to Workspace ONE using the previously configured IdP Connection.

1. Select the Action drop-down menu next to the Yes result.
2. Select IdP Connections.
3. Select the previously configured IdP Connection (your VMware Identity Manager tenant URL).

10. Define IdP Connection Values


The final policy decision is based on the response from Workspace ONE. If the authentication with Workspace ONE fails, access to the application is denied. If the authentication is successful, fulfill the Policy Contract (Workspace ONE) associated with the application.

1. Click Done next to the Fail result.
2. Select the Action drop-down menu next to the Success result.
3. Select Policy Contracts.
4. Select the Workspace ONE policy contract.

11. Confirm Policy Tree Values

The policy tree should now look similar to the screenshot shown.

12. Select HTML Form Adapter Options


Next, finalize the configuration for each adapter and contract used in the policies. First, check the HTML Form Adapter options.

Click Options.

13. Define Incoming User ID

For the HTML Form Adapter, select one of the user credentials that are provided in the HTML form.

1. Select Context from the Source drop-down menu.
2. Select Requested User from the Attribute drop-down menu.

Copy the same settings to the other HTML Form Adapter options used in the policies.

14. Select IdP Connection Options

Next, check the options for the IdP Connection used in the policies.

Click Options under the IdP Connection action.


15. Define Incoming User ID

Similar to the HTML Form Adapter, select a user ID that is authenticated into the IdP Connection.

1. Select Context from the Source drop-down menu.
2. Select Requested User from the Attribute drop-down menu.
3. Click Done.

Configuring HTML Form Adapter

Finally, check the configuration of the Policy Contracts used in the policies. Although the settings are very similar for all Policy Contracts used, there is a slight variation between the Policy Contracts used after an HTML Form Adapter versus the one used after the IdP Connection. In this exercise, check the contract mapping used after the HTML Form Adapter.

In this tutorial, the policy contract associated with our test application can be fulfilled using the default values from the authentication policy, so there is no need to add an Attribute Source to retrieve additional attributes. This might be required in your setup depending on the type of application you are testing with.

1. Select Contract Mapping

Click Contract Mapping under the Workspace ONE Policy Contract used after one of the HTML Form Adapters.


2. Skip Attribute Source

Click Next.

3. Define Contract Fulfillment Values

Use the HTML Form Adapter result to fulfill this policy contract. Note that the userPrincipalName value used in this example is the value required by Salesforce. This might be different in your setup.

1. Select Adapter (HTMLFormAdapter) from the Source drop-down menu.
2. Select userPrincipalName from the Value drop-down menu.
3. Click Next.


4. Skip Optional Issuance Criteria

Click Next.

5. Review Authentication Policy Summary

Verify the Contract Mapping summary.

Click Done.


Configuring Identity Provider Connection

After you have configured the contract mapping used after the HTML Form Adapter, configure the contract mapping for the policy contract used after the IdP connection.

1. Select Contract Mapping

In the IdP section, click Contract Mapping.

2. Skip Attribute Source

Click Next.

3. Define Contract Fulfillment Values


In this example, use the IdP Connection to fulfill the Policy Contract. Note that the value being used is not retrieved from the user profile but rather from the SAML assertion issued by the IdP Connection. If your test application requires different or additional attributes from those provided in the SAML assertion, you can either change the value(s) provided by the IdP Connection or configure the Contract Mapping to retrieve the attributes from AD.

1. Select IdP Connection from the Source drop-down menu.
2. Select SAML_SUBJECT from the Value drop-down menu.
3. Click Next.

4. Skip Issuance Criteria

Click Next.


5. Review Authentication Policy Summary

Validate the Policy Contract Mapping summary.

Click Next.

6. Review Authentication Policies Configuration


Click Save.
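To see how the policy tree built in this section routes a request, and how the two contract mappings differ, the following Python model is an added example; it is not part of the VMware tutorial and not PingFederate's own code. It reproduces the tree as configured above: the Connection Set selector (AppSelector) decides whether the target SP connection is one of the listed applications, the Mobile Client Selector checks the User-Agent, and the result is either the HTML Form Adapter (contract subject taken from userPrincipalName) or the Workspace ONE IdP connection (contract subject taken from SAML_SUBJECT). The Salesforce entity ID, the user-agent markers and the directory of known users are constructed placeholders.

```python
"""Model of the PingFederate authentication policy tree built in this section:
AppSelector -> Mobile Client Selector -> HTML Form Adapter or Workspace ONE IdP connection,
followed by fulfillment of the Workspace ONE policy contract."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

HTML_FORM_ADAPTER = "HTMLFormAdapter"
IDP_CONNECTION = "IdP Connection (Workspace ONE)"

# Constructed placeholders: the entity ID of the Salesforce SP connection listed in
# AppSelector, and the User-Agent substrings the Mobile Client Selector looks for.
APP_SELECTOR_CONNECTIONS = {"https://saml.salesforce.com"}
MOBILE_USER_AGENT_MARKERS = ("iPhone", "iPad", "Android")

# Constructed directory standing in for the Active Directory domain both products share.
KNOWN_USERS = {"user@example.com"}


@dataclass
class AuthnRequest:
    sp_connection: str   # entity ID of the SP connection the user is signing in to
    user_agent: str      # User-Agent header on the request reaching PingFederate
    claimed_user: str    # identity presented to whichever source ends up authenticating


def app_selector(req: AuthnRequest) -> bool:
    """Connection Set Authentication Selector: positive only for listed SP connections."""
    return req.sp_connection in APP_SELECTOR_CONNECTIONS


def mobile_client_selector(req: AuthnRequest) -> bool:
    """Mobile Client Selector: positive when the User-Agent looks like iOS or Android.
    The header is chosen by the client, so this steers routing, not security."""
    return any(marker in req.user_agent for marker in MOBILE_USER_AGENT_MARKERS)


def choose_authentication_source(req: AuthnRequest) -> str:
    """Walk the policy tree and return the action PingFederate would take."""
    if not app_selector(req):            # AppSelector "No": authenticate locally
        return HTML_FORM_ADAPTER
    if not mobile_client_selector(req):  # Mobile Client Selector "No": local form again
        return HTML_FORM_ADAPTER
    return IDP_CONNECTION                # both selectors positive: redirect to Workspace ONE


def fulfill_policy_contract(source: str,
                            attributes: Optional[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Map the source's result onto the Workspace ONE policy contract.
    attributes is None when the source reported failure (Fail -> Done: access denied).
    The adapter mapping uses userPrincipalName; the IdP-connection mapping uses SAML_SUBJECT."""
    if attributes is None:
        return None
    key = "userPrincipalName" if source == HTML_FORM_ADAPTER else "SAML_SUBJECT"
    return {"subject": attributes[key], "authenticated_by": source}


def demo_authenticate(source: str, req: AuthnRequest) -> Optional[Dict[str, str]]:
    """Stand-in for the real adapter or IdP connection: succeeds only for known users and
    returns the attribute name that the respective contract mapping expects."""
    if req.claimed_user not in KNOWN_USERS:
        return None
    key = "userPrincipalName" if source == HTML_FORM_ADAPTER else "SAML_SUBJECT"
    return {key: req.claimed_user}


def run_policy(req: AuthnRequest,
               authenticate: Callable[[str, AuthnRequest], Optional[Dict[str, str]]] = demo_authenticate
               ) -> Optional[Dict[str, str]]:
    """Full evaluation: select a source, authenticate there, fulfill the contract or deny."""
    source = choose_authentication_source(req)
    return fulfill_policy_contract(source, authenticate(source, req))


if __name__ == "__main__":
    ios = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X)"
    desktop = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    for req in (AuthnRequest("https://saml.salesforce.com", ios, "user@example.com"),
                AuthnRequest("https://saml.salesforce.com", desktop, "user@example.com"),
                AuthnRequest("https://other.example.net", ios, "user@example.com"),
                AuthnRequest("https://saml.salesforce.com", ios, "stranger@example.com")):
        print(req.sp_connection, "|", choose_authentication_source(req), "->", run_policy(req))
```

The third and fourth requests show the two ways a user ends up at the HTML form or is denied: an application outside the AppSelector set never reaches Workspace ONE regardless of device, and a failed authentication at either source maps to the Done action rather than to the contract.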

Testing Authentication to Salesforce

After you have created and configured authentication policies in PingFederate, you are ready to test authentication to Salesforce using different device types.

If you are authenticating with a non-mobile device, you should be presented with the PingFederate HTML Form Adapter.

If you are authenticating with a mobile device, you should be redirected to Workspace ONE for authentication.

1. Log In to Salesforce from Non-Mobile Device


On a non-mobile device, launch the Salesforce application. Authentication is required through the PingFederate HTML Form.

2. Log In to Salesforce from a Mobile Device


On a mobile device, launch the Salesforce application. Authentication is required through Workspace ONE.

Adding PingFederate Applications to the Workspace ONE Catalog

Introduction

This section helps you to add PingFederate applications to the Workspace ONE catalog. Procedures include:

– Retrieving the Salesforce entity ID from PingFederate
– Adding Salesforce to the Workspace ONE catalog
– Testing authentication to Salesforce from the Workspace ONE catalog

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured.

- Admin access to both a Workspace ONE Access tenant and a PingFederate appliance

- PingFederate must have both Identity Provider and Service Provider roles enabled
- Test application federated with PingFederate (to follow the steps in this exercise, use Salesforce)
- Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
- Optional: Mobile device to test redirection to Workspace ONE

Retrieving Salesforce Entity ID from PingFederate

Retrieve the Salesforce entity ID value from the PingFederate admin console. You need this entity ID value when configuring the Salesforce application in Workspace ONE Access.

1. Select Salesforce Application in PingFederate

In the PingFederate admin console:

1. Click Identity Provider.
2. Select the IdP Connection or application (Salesforce) that you want to add to the Workspace ONE Catalog.

2. Copy Entity ID Value

1. Select Activation & Summary.
2. Copy the Entity ID value of the application.

Adding Salesforce to Workspace ONE Catalog

After you have retrieved the Salesforce entity ID from PingFederate, use this entity ID to add Salesforce to the Workspace ONE Catalog and assign users to the application.

1. Add New Application

In the Workspace ONE Access admin console:

1. Click Catalog.
2. Click Web Apps.

3. Click New to add a new application to the catalog.

2. Name the Application

1. Enter a Name for the application, for example, Salesforce (Ping).
2. Click Next.

3. Configure Single Sign-On Details

With application sources, new applications inherit the configuration from the PING application source that was configured previously, so you do not have to repeat the federation settings for each application.

1. Select PING (Application Source) from the Authentication Type drop-down menu.
2. Paste the Entity ID copied in the previous exercise into the Target URL box.
3. Click Next.

4. Select Access Policies

1. Select an access policy for your application from the drop-down menu.
2. Click Next.

5. Review the Configuration Summary

Review the configuration summary.

Click Save & Assign.

6. Assign Users to Salesforce

1. Search for your user or user group to assign the application.
2. Select the user or user group from the drop-down menu.
3. Click Save.

Testing Authentication to Salesforce from Workspace ONE Catalog

After you have added Salesforce to the Workspace ONE catalog, confirm authentication to Salesforce from the Workspace ONE catalog.

1. Log in to Workspace ONE Access Tenant

Navigate to your Workspace ONE Access tenant and log in with your test user.

2. Launch Salesforce Application

Select the Ping Salesforce application. This should redirect you to PingFederate with a valid SAML assertion, which in turn redirects you seamlessly to the target application.

Adding PingFederate as Third-Party IdP in Workspace ONE

Introduction

In the previous exercises, you configured Workspace ONE to act as an IdP to PingFederate. This allows administrators to use Workspace ONE authentication methods to authenticate PingFederate applications.

This section helps you to configure the inverse integration flow—where PingFederate is used as a third-party IdP within Workspace ONE. This allows administrators to use PingFederate to authenticate users accessing the Workspace ONE catalog.

Procedures include:

- Exporting the SAML metadata from Workspace ONE Access
- Adding and configuring the SP connection in PingFederate
- Exporting metadata from PingFederate
- Adding PingFederate as an IdP in Workspace ONE
- Modifying authentication policies in Workspace ONE Access
- Testing SSO from Workspace ONE to PingFederate

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured.

- Admin access to both a Workspace ONE Access tenant and a PingFederate appliance
- PingFederate must have both Identity Provider and Service Provider roles enabled
- Test application federated with PingFederate (to follow the steps in this exercise, use Salesforce)
- Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
- Optional: Mobile device to test redirection to Workspace ONE

Exporting SAML Metadata from Workspace ONE Access

Before adding the service provider connection in PingFederate, you need to export the SAML metadata from Workspace ONE Access.

1. Navigate to Settings

In the Workspace ONE Access admin console:

1. Click Catalog.
2. Click Web Apps.
3. Click Settings.

2. Navigate to SAML Metadata

1. Click SAML Metadata.
2. Right-click Service Provider (SP) metadata.
3. Select Save link as.

3. Save Metadata File

Click Save to save the metadata file on your local machine.

Adding Service Provider Connection in PingFederate

After you have exported the SAML metadata from Workspace ONE Access, you are ready to add a service provider connection in PingFederate.

1. Create New SP Connection

In the PingFederate Console:

1. Click Identity Provider.
2. Click Create New.

2. Review the Connection Type

Click Next.

3. Review Connection Options

Click Next.

4. Import Metadata

1. Select File as the method to input the connection metadata.
2. Click Choose File.
3. Select the metadata file you downloaded from Workspace ONE Access. For example, sp.

4. Click Open.
5. Click Next.

5. Review the Metadata Summary

Verify that the Entity ID is the Workspace ONE Access metadata xml URL, and click Next.

6. Review General Info

Click Next to continue configuring Browser SSO settings.

Configuring Browser SSO Settings

In this section, continue configuring the SP Connection - Browser SSO settings.

1. Configure Browser SSO

Click Configure Browser SSO.

2. Assign SSO Profiles

1. Select the SP-Initiated SSO check box to apply SSO to applications launched from within the Workspace ONE catalog.
2. Click Next.

3. Review Assertion Lifetime Settings

Click Next.

4. Create an Assertion

Click Configure Assertion Creation.

5. Select the Attribute Contract Type

For this configuration, you send the SP (Workspace ONE) a standard attribute (userPrincipalName) as the main identifier in the assertion, so select a Standard Attribute Contract.

1. Select Standard as the Attribute Contract type.
2. Click Next.

6. Review the Attribute Contract

1. For the Subject Name Format, keep the default Unspecified format in this configuration.
2. Click Next.

7. Configure Authentication Source Mapping

1. Click Map New Adapter Instance.
2. Select HTML Form Adapter from the Adapter Instance drop-down menu.
3. Click Next.

8. Configure Mapping Method

1. Select Use Only The Adapter Contract Values in the SAML Adapter. Because userPrincipalName is already a part of the Adapter Contract, we can choose to use only the values included in the contract.
2. Click Next.

9. Configure Attribute Contract Values

1. Select Adapter from the Source drop-down menu.
2. Select userPrincipalName from the Value drop-down menu. PingFederate passes userPrincipalName as the SAML_Subject value in the SAML assertion passed to Workspace ONE.
3. Click Next.

10. Configure SAML Bindings

1. Select the Post binding.
2. Select the Redirect binding.
3. Click Next.

11. Configure Signature Policy

1. Select Always Sign the SAML Assertion.
2. Click Next.

12. Select Encryption Policy

1. Select None to opt out of encrypting the SAML messages.
2. Click Next.

Reviewing Browser SSO Settings

In this section, review the Browser SSO settings before completing the service provider connection details.

1. Review Protocol Settings Summary

Review the Protocol Settings and click Done.

2. Continue to Browser SSO Summary

On the Protocol Settings tab, click Next.

3. Review Browser SSO Summary

Review the Browser SSO summary and click Done.

Completing Service Provider Connection Details

In this section, continue through the wizard to complete the SP Connection details.

1. Continue Configuring the SP Connection

Click Next.

2. Review IdP Adapter Mapping

1. Click Next.
2. Review the IdP Adapter Mapping summary, and click Done.

3. Review Assertion Creation

1. Click Next.
2. Review the Assertion Creation summary, and click Done.

4. Continue to Protocol Settings

On the Assertion Creation tab, click Next.

5. Configure Protocol Settings

1. Click Configure Protocol Settings.
2. Delete all pre-configured bindings except for POST.
3. Click Next.

6. Configure Credentials

Click Configure Credentials.

7. Select a Certificate

1. Select your signing certificate from the Signing Certificate drop-down menu.
2. Click Next.

8. Review Certificate Summary

Click Done.

9. Continue Configuring the SP Connection

Click Next.

10. Activate the Connection

1. Select Active as the Connection Status.
2. Click Save.

11. Verify the Connection

Verify that the new SP Connection for Workspace ONE has been created.

Exporting Metadata from PingFederate

Now that you have configured the SP connection for Workspace ONE in PingFederate, you must create and configure the PingFederate IdP in Workspace ONE. First, export the appropriate metadata file from PingFederate.

1. Begin Metadata Export

1. Click Server Configuration.
2. Click Metadata Export.

2. Select the Metadata Role

1. Select I am the Identity Provider.
2. Click Next.

3. Select the Metadata Mode

1. Select Use a Connection for Metadata Generation.
2. Click Next.

4. Configure Connection Metadata

1. Select the Workspace ONE SP Connection from the drop-down menu.
2. Click Next.

5. Configure Metadata Signing

1. Select the signing certificate for your PingFederate setup from the Signing Certificate drop-down menu.
2. Select RSA SHA256 as the Signing Algorithm from the drop-down menu.
3. Click Next.

6. Begin Metadata Export

Click Export.

7. Save Metadata File

Save the metadata file locally on your computer.

Click Save.

8. Copy Contents of Metadata File

Copy the contents of the metadata file downloaded from PingFederate to your clipboard.
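Both metadata files that change hands in this section (the Workspace ONE Access SP metadata imported in "Adding Service Provider Connection in PingFederate", and the signed IdP metadata exported here) are worth checking before they are pasted into the other product. The following Python is an added example, not tutorial or product code, that reads the fields the summary screens ask you to verify (entity ID, bindings, signing algorithm) with the standard library only; the two metadata documents are constructed, and the host names and entity IDs in them are placeholders.

```python
# Added example (not from the tutorial or from VMware/Ping): a pre-import review of SAML
# metadata using only the standard library. Samples are constructed; hosts are placeholders.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed SP metadata in the general shape of the file downloaded from Workspace ONE
# Access. It offers an extra Artifact binding, which the tutorial has you remove later.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tenant.example.com/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://tenant.example.com/saml/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata as exported with metadata signing enabled. Only the declared
# algorithm is read; verifying the XML signature itself needs an XML-DSig library.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://pf.example.com">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pf.example.com/idp/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://pf.example.com/idp/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_metadata(xml_text: str) -> dict:
    """Pull out what the PingFederate and Workspace ONE summary screens ask you to check:
    role, entityID, endpoints per binding, and signing hints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    role = sp if sp is not None else idp
    if role is None:
        raise ValueError("metadata has neither SPSSODescriptor nor IDPSSODescriptor")
    # SPs publish AssertionConsumerService endpoints; IdPs publish SingleSignOnService.
    tag = "md:AssertionConsumerService" if sp is not None else "md:SingleSignOnService"
    endpoints: dict = {}
    for ep in role.findall(tag, NS):
        endpoints.setdefault(ep.get("Binding"), []).append(ep.get("Location"))
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return {
        "role": "SP" if sp is not None else "IdP",
        "entity_id": root.get("entityID"),
        "endpoints": endpoints,
        "wants_assertions_signed": role.get("WantAssertionsSigned") == "true",
        "signature_algorithm": sig.get("Algorithm") if sig is not None else None,
    }


def review_sp_metadata(summary: dict, expected_entity_id: str) -> list:
    """Findings to resolve before saving the SP connection; an empty list is clean."""
    findings = []
    if summary["role"] != "SP":
        findings.append("document is not SP metadata")
    if summary["entity_id"] != expected_entity_id:
        findings.append(f"entityID mismatch: {summary['entity_id']}")
    if POST not in summary["endpoints"]:
        findings.append("no HTTP-POST AssertionConsumerService")
    # The tutorial keeps only the POST binding in Protocol Settings; name the others.
    for binding in sorted(b for b in summary["endpoints"] if b != POST):
        findings.append(f"remove binding in Protocol Settings: {binding.rsplit(':', 1)[-1]}")
    if not summary["wants_assertions_signed"]:
        findings.append("SP does not require signed assertions")
    return findings


def review_idp_metadata(summary: dict) -> list:
    """Findings for exported IdP metadata before pasting it into Workspace ONE."""
    findings = []
    if summary["role"] != "IdP":
        findings.append("document is not IdP metadata")
    if summary["signature_algorithm"] != RSA_SHA256:
        findings.append(f"metadata not signed with RSA SHA256: {summary['signature_algorithm']}")
    # The tutorial selects both the POST and Redirect bindings for the SSO service.
    for binding in (POST, REDIRECT):
        if binding not in summary["endpoints"]:
            findings.append(f"missing SSO binding: {binding.rsplit(':', 1)[-1]}")
    return findings
```

Run `review_sp_metadata(summarize_metadata(open("sp.xml").read()), expected_id)` against the real download; a non-empty list is what the metadata summary screen would otherwise make you spot by eye.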

Adding PingFederate as an IdP in Workspace ONE

Next, add PingFederate as an identity provider in Workspace ONE.

1. Create Third-Party Identity Provider

In the Workspace ONE Access admin console:

1. Click Identity & Access Management.
2. Click Identity Providers.
3. Click Add Identity Provider.
4. Click Create Third Party IDP.

2. Provide Identity Provider Details

1. Enter a name for Identity Provider Name. For example, PING.
2. Paste the contents of the metadata file into the text box.
3. Click Process IdP Metadata.
4. Select Unspecified as the Name ID format.
5. Select userPrincipalName as the Name ID Value.

3. Continue Entering Identity Provider Details

1. Enable the IdP for the same set of users (domain) configured in PingFederate.
2. Enable the IdP configuration for All Ranges.
3. Create a new Authentication Method with an appropriate name. For example, PingPassword.
4. Select urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the SAML Context for the Authentication Method.
5. Click Add.

Modifying Authentication Policies in Workspace ONE Access

To authenticate users with the new PING IdP configuration, you must modify the authentication policies in Workspace ONE Access to make use of the authentication method associated with the IdP. In this section, you modify the default policy set because this is used when accessing the Workspace ONE catalog.

1. Select Default Policy

1. Click Identity & Access Management.
2. Click Policies.
3. Click default_access_policy_set.

2. Edit Default Access Policy Set

Click Edit.

3. Select All Ranges Policy Rule

1. Click Configuration.
2. For this setup, modify the last policy in the policy set, as this is the policy used to authenticate desktop browsers on public networks. You might need to modify a different policy depending on the device type and source network you are using to test this configuration.

4. Select Authentication Method

1. Select PingPasswords from the "...authenticate using..." drop-down menu. This is the Authentication Method associated with the PING IdP.
2. Click Save.

5. Review Configuration Changes

Click Next.

6. Review Summary Details

Click Save.

Testing Single Sign-On to Workspace ONE

You can now test authentication into the Workspace ONE catalog. You should be automatically redirected to PingFederate for authentication if using a device that matches the policy changes made.

1. Navigate to Workspace ONE URL and Confirm Redirect to PingFederate

Navigate to your Workspace ONE tenant URL and confirm redirection to PingFederate. Enter your PingFederate credentials.

1. Enter a username. For example, user.
2. Enter a password. For example, password.
3. Click Sign On.

2. Confirm Redirect to Workspace ONE App Catalog

After you have successfully authenticated with PingFederate, you should be redirected back and given access to the Workspace ONE catalog.

Configuring Authentication Failure Notification

Introduction

The latest update to SaaS-based Workspace ONE Access includes a new feature that allows Workspace ONE Access to send feedback to PingFederate when authentication fails, through a parameter in the SAML assertion. PingFederate administrators can implement more flexible authentication policies for those cases in which authentication fails in Workspace ONE Access.

Policy Rules Recap

This screenshot depicts a recap of the policy rules that have been created throughout this tutorial. The new feature allows you to modify the lower section, where Workspace ONE Access is involved as an IdP within Ping.

Authentication Fail Options

With the current policies, when authentication fails at Workspace ONE Access, the policy is set to fail the authentication. Because no action has been defined in the Fail section, there is no other option.

Authentication Failure Message

The expected experience is that when an unmanaged device fails to authenticate with Workspace ONE Access, it is presented with an authentication failure message in Workspace ONE Access.

This section helps you to configure authentication failure notification. Procedures include:

- Enabling authentication failure notification
- Modifying the authentication policies
- Testing SSO to MS Office 365

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured.

- Cloud-based Workspace ONE Access tenant
- Admin access to a PingFederate appliance
- PingFederate must have both Identity Provider and Service Provider roles enabled
- Test application federated with PingFederate (to follow the steps in this exercise, use MS Office 365)
- Workspace ONE Access tenant and PingFederate appliance connected to the same Active Directory domain
- Unmanaged device to test redirection to Workspace ONE

Logging In to the Workspace ONE Access Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE Access console.

1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

2. Open a New Browser Tab

Click the Tab space to open a new tab.

3. Navigate to Your Workspace ONE Access Tenant

Paste or enter the Tenant URL into the navigation bar and press Enter to continue.

4. Log In to Your Workspace ONE Access Tenant

1. Enter the Username, for example, Administrator.
2. Enter the Password, for example, VMware1!.
3. Click Sign In.

5. Navigate to the Administrator Console (If Necessary)

If you see the User Portal as shown in the screenshot, navigate to the Administrator Console.

1. Click the user drop-down icon.
2. Select Administration Console.

This opens the Administration Console in a separate tab in your browser.

Enabling Authentication Failure Notification

This section helps you to configure the authentication failure notification feature.

1. Navigate to Web Apps

In the Workspace ONE Access tenant:

1. Select the Catalog drop-down menu.
2. Select Web Apps.

2. Open Web Apps Settings Menu

Click Settings.

3. Configure PING Application Source

1. Click Application Sources.
2. Click PING.

4. Select Advanced Properties

1. Click Configuration.
2. Click Advanced Properties.

5. Enable Authentication Failure Notification

1. Click the button to Enable Authentication Failure Notification.
2. Click Next.

6. Complete PING Application Source Wizard

1. Click Summary.
2. Click Save.

Confirm SAML Assertion

After the feature is enabled, when authentication fails in Workspace ONE Access, a SAML assertion is sent to PingFederate containing an AuthFailed status code, a status message, and detail.

You can verify the SAML assertion using a SAML plugin for your web browser, such as SAML Chrome Panel; the plugin decodes the SAMLResponse form parameter so you can read the Status element directly.
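Doing the same check without a browser plugin, as an added example that is not part of the tutorial or of either product: decode the base64 SAMLResponse form value and classify its Status the way a relying party should. The two responses are constructed, and the example assumes the standard SAML 2.0 Status elements and the standard AuthnFailed second-level status code, since the tutorial describes the failure notification only in words.

```python
# Added example (not tutorial or product code): decode the SAMLResponse form value a
# browser SAML panel shows and classify its Status. Responses are constructed and assume
# the standard SAML 2.0 Status elements and the standard AuthnFailed status code.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

ISSUER = "https://tenant.example.com/metadata/idp.xml"  # placeholder Workspace ONE IdP

# Constructed: what the IdP returns when the device fails the Workspace ONE access policy.
FAILED_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-fail" Version="2.0"
    IssueInstant="2019-04-01T00:00:00Z" InResponseTo="_req-1"
    Destination="https://pf.example.com/sp/ACS">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="{RESPONDER}">
      <samlp:StatusCode Value="{AUTHN_FAILED}"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Authentication failed</samlp:StatusMessage>
    <samlp:StatusDetail>Device does not meet the access policy</samlp:StatusDetail>
  </samlp:Status>
</samlp:Response>"""

# Constructed: a successful response, which must carry an Assertion.
SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-ok" Version="2.0"
    IssueInstant="2019-04-01T00:00:00Z" InResponseTo="_req-2">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-01T00:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# The HTTP-POST binding carries the XML base64-encoded in the SAMLResponse form field.
FAILED_RESPONSE_B64 = base64.b64encode(FAILED_RESPONSE.encode()).decode()


def decode_saml_response(form_value: str) -> str:
    """Turn the SAMLResponse form parameter back into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def parse_status(xml_text: str) -> dict:
    """Extract top-level and second-level status codes, message, detail, and whether
    an Assertion is present."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response has no Status element")
    top = status.find("samlp:StatusCode", NS)
    nested = top.find("samlp:StatusCode", NS) if top is not None else None
    message = status.find("samlp:StatusMessage", NS)
    detail = status.find("samlp:StatusDetail", NS)
    return {
        "in_response_to": root.get("InResponseTo"),
        "top_level": top.get("Value") if top is not None else None,
        "second_level": nested.get("Value") if nested is not None else None,
        "message": message.text if message is not None else None,
        "detail": "".join(detail.itertext()).strip() if detail is not None else None,
        "has_assertion": root.find("saml:Assertion", NS) is not None,
    }


def classify(status: dict) -> str:
    """Decide what a relying party such as PingFederate should do with the response.
    An assertion inside a non-Success response must never be consumed."""
    if status["top_level"] == SUCCESS:
        return "success" if status["has_assertion"] else "success_without_assertion"
    if status["has_assertion"]:
        return "rejected_assertion_in_failed_response"
    if status["second_level"] == AUTHN_FAILED:
        return "authn_failed"  # the branch the tutorial's Fail action handles
    return "other_failure"
```

To inspect a live flow, paste the SAMLResponse value captured by the browser panel into `decode_saml_response` and pass the result to `parse_status`.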

Modifying the Authentication Policy in PingFederate

After you have enabled authentication failure notification, you are ready to modify the authentication policy in PingFederate to account for the AuthFailed SAML assertion that is sent from Workspace ONE Access. You must log in to the PingFederate admin console to complete this exercise.

Note: For the purpose of this exercise, the HTMLFormAdapter is selected as a simple example. Downgrading enrollment/compliance authentication to a username/password-only challenge is not best practice in most use cases.

1. Navigate to Policies

In the PingFederate admin console:

1. Click Identity Provider.
2. Click Policies.

2. Select HTMLFormAdapter

1. Scroll down to the Workspace ONE Access section and click the action drop-down menu next to Fail.
2. Select IdP Adapters.
3. Select HTMLFormAdapter.

3. Select the Workspace ONE Policy Contract

1. Click the action drop-down menu next to Success.
2. Select Policy Contracts.
3. Select Workspace ONE as the policy contract.

4. Skip Attribute Sources

Click Next.

5. Configure Contract Fulfillment

1. Select Adapter (HTMLFormAdapter) as the source.
2. Select userPrincipalName as the value.
3. Click Next.

6. Skip Issuance Criteria

Click Next.

7. Complete Authentication Policy Configuration

Review the summary and click Done.

8. Review the Authentication Policy

The authentication policy in PingFederate should now resemble the example shown—with an action for both a successful and a failed authentication in Workspace ONE Access.

Testing Single Sign-On to MS Office 365

After you have enabled authentication failure notification and modified the authentication policy in PingFederate, you are ready to test SSO from an unmanaged device to a federated application, such as MS Office 365. The result of this authentication flow is an HTML form authentication challenge from PingFederate.

1. Log in to MS Office 365

Open MS Office 365.

2. Enter User Credentials for PingFederate

You should be redirected to PingFederate for authentication. Enter your user details for PingFederate.

3. Validate Successful Authentication

Validate that the end user is successfully authenticated into the target application.

Summary and Additional Resources

Conclusion

This tutorial provided steps to integrate PingFederate with Workspace ONE. Procedures included:

- Adding Workspace ONE as an IdP connector in PingFederate
- Creating authentication policies in PingFederate
- Adding PingFederate applications to the Workspace ONE catalog
- Adding PingFederate as a third-party IdP in Workspace ONE
- Configuring authentication failure notification in SaaS-based Workspace ONE Access

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.

auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.

catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.

cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.

device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).

identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.

mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.

one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.

service provider (SP): A host that offers resources, tools, and applications to users and devices.

virtual desktop: The user interface of a virtual machine that is made available to an end user.

virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Author

This tutorial was written by:

Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at [email protected].

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001

www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.