SSO to Workspace ONE UEM SSP and Admin console using IBM/Novell Directory

I recently had a customer who wanted to set up Single Sign-On (SSO) using IBM eDirectory but could not find a specific guide or documentation for this setup. There are plenty of guides and VMware documentation for SSO with Microsoft AD, but not for other types of LDAP directory.

In this guide we will go through the setup of a Novell eDirectory LDAP directory and the changes required to set up SSO with Workspace ONE Access.

* I assume that you have admin access to, and basic knowledge of, Workspace ONE UEM, Workspace ONE Access and the related components.

  • ACC is installed for UEM and the Access connector for WS1 Access is installed, so that users sync in both admin consoles.
  • Active Directory setup is done in WS1 UEM and WS1 Access.

Setting up LDAP in WS1 UEM and WS1 Access:

ACC is already installed and running. We now need to set up LDAP in WS1 UEM; below is one example of the LDAP setup. You can find the VMware guide on integrating Active Directory with UEM here.

Groups & Settings –> All Settings –> System –> Enterprise Integration –> Directory Services

User tab setting in Directory Services:

In an MS AD setup, the default value for the Object Identifier attribute is objectGUID and the Username mapping value is sAMAccountName.

For this eDirectory setup we change the Username mapping value to uid, and we have also adjusted the User Object Class and User Search Filter to match the directory schema.

WS1 Access LDAP:

The Access connector is installed and running for the WS1 Access directory setup. You can find the VMware guide on setting up an LDAP directory in WS1 Access here.

SSO setup:

Now, for the SSO configuration, log in to the VMware Workspace ONE Access admin console and download the Identity Provider (IdP) metadata.

Catalog –> Web apps –> Settings –> SAML Metadata

Right-click and download idp.xml, saving it to your preferred location.

Now log in to the WS1 UEM console, navigate to Directory Services and enable a few options under the Advanced settings:

Groups & Settings –> All Settings –> System –> Enterprise Integration –> Directory Services

  • Enable Use SAML for Authentication
  • Tick Admin and Self-Service Portal
  • Import the idp.xml downloaded from WS1 Access in the previous step
  • Click Save
  • After saving you will see the imported settings
  • Change the Request and Response Binding type to POST
  • Click Save

Add SaaS apps and Configuration in WS1 Access:

In Workspace ONE Access we need to add the apps as admin and assign them to users, so that users can reach either the UEM admin console (the AirWatch Admin app, for UEM administrators) or the Self-Service Portal (the AirWatch app, for all users).

To add these apps in the WS1 Access admin console, navigate to Catalog –> Web Apps and click New.

Either search or browse the catalog to add both of the apps mentioned above.

Once the apps are added, most of the details don't need changing, except Application Parameters and Custom Attribute Mapping under Advanced Properties.

AWServerName: For the AirWatch app (SSP), the value is your Device Services server URL. For the AirWatch Admin app (UEM admin console), the value is the Console Services server URL.

ac: This is the Group ID of the Organization Group (OG) in the UEM console where SAML is configured.

audience: This Service Provider ID needs to match the one in the UEM console under the SAML setup, which is normally AirWatch.

For Custom Attribute Mapping under Advanced Properties, we need an attribute named uid with the value {user.userName}, because during the WS1 UEM LDAP setup above (User tab settings) we mapped the username to uid.

Save and assign the apps to the relevant users. If the default access policy is set correctly for authentication (normally Password (Cloud Deployment)), users will be able to SSO into both apps from the WS1 Access user portal.
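As an added example (not part of the original guide or of any VMware product), the following Python script checks the two settings this walkthrough depends on: that the downloaded idp.xml offers an HTTP-POST SingleSignOnService endpoint (the Request and Response Binding type set to POST above), and that an assertion issued to the AirWatch app carries the audience AirWatch and a uid attribute from the Custom Attribute Mapping. The metadata, assertion, tenant hostname and username are constructed stand-ins, not values from a real tenant.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the idp.xml downloaded from WS1 Access (not a real tenant).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tenant.example.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant.example.com/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.example.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment of the kind WS1 Access issues for the AirWatch app.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>AirWatch</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def post_sso_endpoint(metadata_xml):
    """Return the HTTP-POST SingleSignOnService URL, or None if the IdP offers no POST binding."""
    root = ET.fromstring(metadata_xml)
    for svc in root.findall(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == POST_BINDING:
            return svc.get("Location")
    return None


def check_assertion(assertion_xml, expected_audience="AirWatch", username_attr="uid"):
    """Return (audience_ok, username); username is None when the mapped attribute is absent."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    username = None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == username_attr:
            value = attr.find("saml:AttributeValue", NS)
            username = value.text if value is not None else None
    return expected_audience in audiences, username
```

Running check_assertion with username_attr="sAMAccountName" against the same assertion returns no username, which is the symptom you would see if the UEM Username mapping and the Access Custom Attribute Mapping disagree.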

Written by

Joined VMware in July 2015 as a consultant and has worked in different BUs over 7 years. Over 10 years of experience in the IT industry, with a Master's degree in IT.

2 thoughts on “SSO to Workspace ONE UEM SSP and Admin console using IBM/Novell Directory”

  • Christian
    2022-09-26 at 09:50

    Hi,

    On our customer environment we have created a payload for the SSO extension. It seems to work correctly (it asks for the AD password and syncs the local one); after a reboot it asks for credentials again. Do you have any suggestions?

    Thanks for the help 😊

    • Muhammad Adnan Asim
      2022-09-26 at 10:57

      Hi,
      I am not sure what you are trying to achieve, as you mentioned an “SSO Extension payload”. This guide is not related to that. Maybe explain more about the issue, or contact support to get better assistance. Thanks
