Integrating User Authentication with Workspace ONE Access to VMware Cloud Web Security
What is VMware Cloud Web Security (CWS) ?
VMware Cloud Web Security is a cloud hosted Proxy Service within the VMware VeloCloud SASE Points of presence. It offers multiple Security Features and helps organisations to protect their sensitive data. For more Information on the CWS please have a look on the VMware website: https://www.vmware.com/products/cloud-web-security.html
If you integrate Workspace ONE Access and Cloud Web Security , you can use Groups for you Ruleset on CWS and also you add an Additional Laver of security. Also in the Web Logs you can see the Users that are trying to browse to Vulnerable Webservices or that get blocked to this. In total you get really gerat insights to you web traffic.
So let us start to enable the Authentication and Configure the existing Workspace ONE Access now.
Configuration on Workspace ONE Access
Login to Workspace ONE Access , go to “Catalog” and Add a new App with the Click to “NEW”
Give it a Name and Click to “NEXT”
On the Single Sign-On Screen configure the following things:
| Setting | Value |
| Authentication Type | SAML 2.0 |
| Configuration | Manual |
| Single Sign-On URL | https://safe-cws-sase.vmware.com/safeview-auth-server/saml |
| Recipient URL | https://safe-cws-sase.vmware.com/safeview-auth-server/saml |
| Application ID | https://safe-cws-sase.vmware.com/safeview-auth-server/saml/metadata |
| Username Format | Email Address |
| Username Value | ${user.email} |
| Advanced Properties: Custom Attribute Mapping | Name: groups Format: Basic Value: ${groupNames} |
| Show in User Portal | No (users do not need to see the Icon in portal as it is used once the user accesses CWS anyway) |
After the SSO Settings select the Access Policy. I highly recommend on using something that is doing SSO as the user has already access to the Network (like via Tunnel) so MFA would really hurt the user much.
Once done click to “SAVE & ASSIGN”:
Now select the User Group that should be able to use CWS and click to “SAVE”
As we need the Signing Cert , Coppy out the from the Settings in Catalog the SAML Metadata that is shown under Signing Certificate. this will be required later on the CWS Certificates Page.
This is now all the Configuration needed on Workspace ONE Access. Now lets configure it on VMware Cloud Web Security
Configuration on Cloud Web Security
Login to VMware Velocloud Orchestrator (New UI) and Select Clout Web Security. Once there go to Authentication:
Enable the Signle Sign On settings and set the following Values.
| Setting | Value |
| SAML Server Internet Accessible? | Yes |
| SAML Provider | Workspace ONE Access |
| SAML 2.0 Endpoint | https://yourURL.vmwareidentiy.com/SAAS/auth/federation/sso |
| Service Identifier (Issuer) | https://yourURL.vmwareidentiy.com/SAAS/API/1.0/GET/metadata/idp.xml |
NOTE: the URL for Access needs to match with your Workspace ONE Access Tenant, so just replace the “yourURL.vmwareidentiy.com” with your real URL.
Once done add the Signing Cert to the Certificate Section:
This is the content that you copied out from the Metadata Section on Workspace ONE Access:
Just a Reminder , here is where you get the Signing Cert:
Once done Click to “Save Changes”
When you now hit the CWS , Authentication will happen , depending on the Settings it will do SSO, MFA etc.
and the User has Access.
Also you can then see the User ID in the Web Log and use Groups for your Ruleset:
This helps you to use groups for Cloud Web Security and add an additional Layer of Security to your users while browsing the Web.
vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.