SSO to Workspace ONE UEM SSP and Admin console using IBM/Novell Directory
I recently had a customer who wanted to set up Single Sign-On (SSO) using Novell eDirectory, but could not find a specific guide or documentation for that setup. There are plenty of guides and VMware documents covering SSO when the directory is Microsoft Active Directory (AD), but not for other types of LDAP directory.
In this guide we go through the setup of the Novell eDirectory LDAP integration and the changes required to set up SSO through Workspace ONE Access.
* I assume that you have admin access to, and a basic working knowledge of, Workspace ONE UEM, Workspace ONE Access and the related components.
- The AirWatch Cloud Connector (ACC) is installed for UEM and the Workspace ONE Access connector is installed for Access, so users can be synced into both admin consoles.
- Directory integration is configured in both WS1 UEM and WS1 Access (the steps below cover the LDAP settings that differ from an Active Directory setup).
Setting up LDAP in WS1 UEM and WS1 Access:
ACC is already installed and running, so the next step is to set up LDAP in WS1 UEM; one example of that setup follows. You can find the VMware guide on integrating Active Directory with UEM here; the screens are the same for eDirectory, only the values differ.
Groups & Settings –> All Settings –> System –> Enterprise Integration –> Directory Services
User tab setting in Directory Services:
In a Microsoft AD setup the default Object Identifier attribute is objectGUID and the default Username mapping is sAMAccountName.
For eDirectory we change the Username mapping to uid, and adjust the User Object Class and User Search Filter to match the directory schema (eDirectory has no sAMAccountName, so a filter or mapping left at the AD defaults returns no users). Whatever attribute you pick must be present on every user and unique across the directory, because it is the value UEM later matches against the username carried in the SAML assertion.
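A quick pre-flight check for the mapping above, before SAML is switched on: export the users the search filter would return (for example with ldapsearch to an LDIF file) and confirm that each entry has exactly one uid, that no two entries share a uid, and that the Object Identifier attribute is populated. The script below is an added example, not code from the post or from VMware. Its LDIF is a constructed sample, the GUID values in it are arbitrary bytes, and the inetOrgPerson object class and GUID identifier attribute are assumptions for an eDirectory schema; use whatever you actually entered in the UEM console.

```python
"""Pre-flight check for the UEM Directory Services user mapping (added example).

Parses a small LDIF export of user entries and checks that every entry the
User Search Filter would return has exactly one value for the attribute mapped
as Username (uid), that those values are unique, and that the Object
Identifier attribute is present. Stdlib only.
"""
import base64
import re
from collections import Counter

# Constructed sample standing in for `ldapsearch -LLL ... > users.ldif`:
# two good users, one entry without uid, and one entry that reuses "jsmith".
# GUID values are arbitrary bytes, not real eDirectory identifiers.
SAMPLE_LDIF = """\
dn: cn=jsmith,ou=users,o=corp
objectClass: inetOrgPerson
objectClass: top
cn: jsmith
uid: jsmith
mail: jsmith@example.com
GUID:: AAECAwQFBgcICQoLDA0ODw==

dn: cn=akhan,ou=users,o=corp
objectClass: inetOrgPerson
objectClass: top
cn: akhan
uid: akhan
GUID:: EBESExQVFhcYGRobHB0eHw==

dn: cn=svc-backup,ou=users,o=corp
objectClass: inetOrgPerson
objectClass: top
cn: svc-backup
GUID:: ICEiIyQlJicoKSorLC0uLw==

dn: cn=jsmith2,ou=users,o=corp
objectClass: inetOrgPerson
objectClass: top
cn: jsmith2
uid: jsmith
GUID:: MDEyMzQ1Njc4OTo7PD0+Pw==
"""

# The User tab mapping from the post (uid as Username). The object class and
# the Object Identifier attribute are assumptions for an eDirectory schema.
UEM_USER_MAPPING = {
    "object_class": "inetOrgPerson",
    "username_attr": "uid",
    "object_id_attr": "GUID",
}

_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attr -> [values]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":                       # base64, used for binary values
            value = base64.b64decode(value)
        current.setdefault(attr, []).append(value)
    return entries


def check_user_mapping(entries, mapping):
    """Return (number of in-scope entries, list of problems)."""
    oc = mapping["object_class"].lower()
    uname = mapping["username_attr"].lower()
    oid = mapping["object_id_attr"].lower()
    in_scope = [e for e in entries
                if oc in (v.lower() for v in e.get("objectclass", []))]
    problems, seen = [], Counter()
    for e in in_scope:
        dn = e["dn"][0]
        names = e.get(uname, [])
        if len(names) != 1:
            problems.append(f"{dn}: expected exactly one {uname}, found {len(names)}")
        else:
            seen[names[0].lower()] += 1
        if len(e.get(oid, [])) != 1:
            problems.append(f"{dn}: missing {oid} (Object Identifier attribute)")
    for name, n in seen.items():
        if n > 1:
            problems.append(f"username {name!r} maps to {n} entries; UEM cannot tell them apart")
    return len(in_scope), problems


def run_check(ldif_text=SAMPLE_LDIF, mapping=UEM_USER_MAPPING):
    return check_user_mapping(parse_ldif(ldif_text), mapping)


if __name__ == "__main__":
    count, problems = run_check()
    print(f"{count} entries match objectClass {UEM_USER_MAPPING['object_class']}")
    for p in problems:
        print("PROBLEM:", p)
```

On the sample data this flags the service account with no uid and the two entries that both carry uid jsmith; either case would leave a user unable to SSO, or worse, matched to the wrong UEM account, so fix them in the directory before enabling SAML.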
WS1 Access LDAP:
The Access connector is installed and running for the WS1 Access directory setup. You can find the VMware guide on setting up an LDAP directory in WS1 Access here.
SSO setup:
For the SSO configuration, log in to the VMware Workspace ONE Access admin console and download the Identity Provider (IdP) metadata:
Catalog –> Web apps –> Settings –> SAML Metadata
Right-click idp.xml, download it and save it to a location of your choice.
Now log in to the WS1 UEM console, navigate to Directory Services and enable a few options under Advanced settings:
Groups & Settings –> All Settings –> System –> Enterprise Integration –> Directory Services
- Enable Use SAML for Authentication
- Tick Admin and Self-Service Portal
- Import the idp.xml downloaded from WS1 Access in the previous step
- Click Save
- After saving, the values read from the metadata are shown in the console
- Change the Request and Response Binding type to POST
- Click Save
Note that the import also pulls in the IdP signing certificate from the metadata; when Access rotates that certificate, the metadata has to be re-imported here, otherwise UEM can no longer verify the signed assertions and SSO stops working.
Add SaaS apps and Configuration in WS1 Access:
In Workspace ONE Access, add the apps as an admin and assign them to users so that users can open either the UEM admin console (the AirWatch Admin app, for UEM administrators) or the Self-Service Portal (the AirWatch app, for all users).
To add these apps in the WS1 Access admin console, navigate to Catalog –> Web Apps and click New.
Either search or browse the catalog to add both apps mentioned above.
Once the apps are added, most of the details do not need changing apart from the Application Parameters and the Custom Attribute Mapping under Advanced Properties.
AWServerName: For the AirWatch app (SSP) this is your Device Services server URL. For the AirWatch Admin app (UEM admin console) it is the Console Services server URL.
ac: The Group ID of the UEM Organization Group (OG) in which SAML was configured.
audience: The Service Provider ID, which must match the one shown in the UEM console under the SAML setup; by default this is AirWatch. An assertion whose Audience does not match this value exactly will not be accepted.
Under Custom Attribute Mapping in Advanced Properties, add an attribute named uid with the value ${user.userName}, because in the WS1 UEM LDAP user-tab settings above we mapped the username to uid; the attribute name in the assertion must match that mapping for UEM to find the user.
Save and assign the apps to the relevant users. Provided the default access policy is set up correctly for authentication (normally Password (Cloud Deployment)), users will be able to SSO into both apps from the WS1 Access user portal.
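When SSO fails after this step, the quickest way to tell a wrong app parameter from a wrong attribute mapping is to capture the SAML response the browser posts to UEM (any SAML tracer or the browser's network tab) and compare it field by field with what was entered in Access: the Destination host should be the AWServerName of the app, the Audience should be the Service Provider ID, and the uid attribute should be present with the UEM username. The script below is an added example, not code from the post or from VMware; the hostnames are hypothetical, the response is a constructed unsigned sample with a placeholder ACS path, and it deliberately does not validate the XML signature, which is UEM's job using the imported IdP certificate.

```python
"""Check a SAML response from Access against the AirWatch app parameters
(added example; stdlib only). It looks only at the fields the app parameters
control; it does NOT validate the XML signature, which UEM does with the
imported IdP certificate."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Application Parameters as entered in Access. Hostnames are hypothetical.
APPS = {
    "AirWatch": {          # Self-Service Portal -> Device Services URL
        "AWServerName": "https://ds.example.com",
        "ac": "corp",
        "audience": "AirWatch",
    },
    "AirWatch Admin": {    # UEM admin console -> Console Services URL
        "AWServerName": "https://cn.example.com",
        "ac": "corp",
        "audience": "AirWatch",
    },
}
USERNAME_ATTR = "uid"      # Custom Attribute Mapping name, matching the UEM user mapping

# Constructed, unsigned response as the SSP would receive it; the ACS path is
# a placeholder, not UEM's real endpoint.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://ds.example.com/saml/acs-placeholder">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion>
    <saml:Issuer>https://access.example.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
    <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>AirWatch</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_response(xml_text, app_params, username_attr=USERNAME_ATTR):
    """Return {"problems": [...], "name_id": str, "attributes": {name: [values]}}."""
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("response status is not Success")
    dest_host = urlsplit(root.get("Destination", "")).netloc.lower()
    want_host = urlsplit(app_params["AWServerName"]).netloc.lower()
    if dest_host != want_host:
        problems.append(f"Destination host {dest_host!r} != AWServerName host {want_host!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element")
        return {"problems": problems, "name_id": "", "attributes": {}}
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if app_params["audience"] not in audiences:
        problems.append(f"Audience {audiences} does not contain Service Provider ID "
                        f"{app_params['audience']!r}")
    attributes = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                  for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if username_attr not in attributes:
        problems.append(f"attribute {username_attr!r} missing; check Custom Attribute Mapping")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return {"problems": problems, "name_id": name_id, "attributes": attributes}


if __name__ == "__main__":
    for app, params in APPS.items():
        result = check_response(SAMPLE_RESPONSE, params)
        print(f"{app}: user={result['name_id']!r} problems={result['problems'] or 'none'}")
```

Checked against the SSP app the sample passes; checked against the Admin app it fails on the Destination host, which is exactly the symptom of pasting the Device Services URL into AWServerName for the AirWatch Admin app. A missing uid attribute points at the Custom Attribute Mapping, and an Audience mismatch at the audience parameter versus the Service Provider ID in UEM.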
Joined VMware in July 2015 as a consultant and has worked in different BUs over 7 years. Over 10 years of experience in the IT industry, with a Master's degree in IT.
Christian
Hi,
In our customer environment we have created a payload for the SSO extension. It seems to work correctly (it asks for the AD password and syncs the local one); after a reboot it asks for credentials again. Do you have any suggestions?
Thanks for help 😊
Muhammad Adnan Asim
Hi,
I am not sure what you are trying to achieve, as you mentioned an “SSO Extension payload”. This guide is not related to that. Maybe explain more about the issue or contact support to get better assistance. Thanks