source link: https://darrylmiles.blog/2021/06/13/setting-up-single-sign-on-sso-to-workspace-one-uem-self-service-portal-ssp-and-admin-console/

Setting up Single Sign-On (SSO) to Workspace ONE UEM Self Service Portal (SSP) and Admin Console


Workspace ONE Access is an integral part of the Workspace ONE platform and supports Workspace ONE Intelligent Hub, Workspace ONE Unified Endpoint Management (UEM) and VMware Horizon.

Many administrators also want Single Sign-On (SSO) into Workspace ONE UEM, both for admin (console) access and for the user Self Service Portal (SSP).

The purpose of this guide is to step you through the configuration to enable this capability.

Self Service Portal

This section details the integration between Workspace ONE Access and UEM for the Self Service Portal (SSP).

Download the identity provider metadata from Workspace ONE Access and import it into UEM:

  1. Open the Workspace ONE Access admin console.
  2. Click on Catalog > Web Apps > Settings.
  3. Click on SAML Metadata in the left panel.
  4. Click on the Identity Provider (IdP) metadata link.
  5. Right-click on the page and save the idp.xml to your preferred location.
  6. Log in to Workspace ONE UEM and navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
  7. Under Advanced settings, enable the following:

  • Use SAML for Authentication: Enabled
  • Enable SAML Authentication for: Admin and Self-Service Portal, as shown:
  • Import Identity Provider Settings: upload the idp.xml file downloaded from Workspace ONE Access.
  • Click Save. This step is required before the imported information is displayed.
  • Change the Request and Response Binding Type to POST.
  • The imported information in my lab is shown below:
  • Click Save.

Before enabling SAML for Admin access, make sure you keep a way into the UEM console that does not depend on Workspace ONE Access (for example, a basic administrator account), so that a wrong metadata import or an unavailable IdP does not lock you out.
  8. To add the application, log in to the Access console as an administrator with rights to add applications and navigate to Catalog > Web Apps.
  9. Click on New.
  10. Click on Browse from Catalog.
  11. Navigate to the app you want to add. Here we are adding the AirWatch application; click on the plus sign next to it.
  12. The application is selected, as shown:

13. Personal preference: replace the default icon with this new one and change the wording of the application as follows:

14. Click Next.

15. All the details will be pre-filled and need no modification. The values that must be added are under Configuration > Application Parameters:

  • AWServerName: the Device Services hostname without the https:// prefix, e.g. ds500.awmdm.com
  • ac: the Group ID of the Organization Group (OG) in which SAML was configured on the UEM side. In my lab it is eucau.
  • audience: the Service Provider (AirWatch) ID. This must match the value in the UEM console exactly; it is found under Directory Services once SAML is enabled. Here we use AirWatch.

    Note: keep the capitalisation as it appears in UEM. It should not matter, but it is good to be consistent throughout.

Important Note: AWServerName must be the Workspace ONE UEM Device Services server name (the ds host), not the Console server.

Here are the application parameters from my lab environment:

16. Click Next.

17. Select the default access policy and click Next.

18. Click Save and Assign.

19. Enter All Users and then click Save.

Now log in to Workspace ONE Access with a test user and you should see the new SSP icon, as shown:

Click on this application and after a few moments you should be SSO'ed into the user Self Service Portal for that user, as shown:
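Three things in the configuration above have to line up across the two consoles: the IdP metadata imported into UEM (issuer and signing certificate), the POST binding, and the Access application parameters (AWServerName and audience). The Python below is an added example, not code from the original post or from VMware. It parses an idp.xml the way UEM consumes it, and then checks a SAMLResponse captured from the browser (the base64 form field posted to UEM) against those parameters, which is the first thing to look at when the SSP icon appears but the sign-on fails. The Access hostname, entityID, ACS path, user name and certificate blob are all constructed samples that stand in for whatever your own metadata and console show; the audience comparison is exact, the conservative assumption. The ac parameter is not checked here.

```python
"""Offline checks for the Access -> UEM SAML hand-off. Added example, not from the post.

parse_idp_metadata() pulls out what UEM imports from idp.xml (entityID, SSO bindings,
signing certificate); check_saml_response() compares a captured SAMLResponse with the
values entered as Access application parameters. All identifiers below are constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder: a real idp.xml carries the DER-encoded signing certificate here.
SAMPLE_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_IDP_ID = "https://access.example.com/SAAS/API/1.0/GET/metadata/idp.xml"  # constructed

SAMPLE_IDP_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{SAMPLE_IDP_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://access.example.com/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://access.example.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAMLResponse as UEM would receive it after base64 decoding; the ACS path is a placeholder.
SAMPLE_SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
    Version="2.0" IssueInstant="2021-06-13T00:00:00Z" Destination="https://ds500.awmdm.com/constructed/acs">
  <saml:Issuer>{SAMPLE_IDP_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-06-13T00:00:00Z">
    <saml:Issuer>{SAMPLE_IDP_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>AirWatch</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# The Access application parameters from the SSP section (lab values from the post).
ACCESS_APP_PARAMS = {"AWServerName": "ds500.awmdm.com", "audience": "AirWatch"}


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form consoles usually display."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what UEM imports from idp.xml: entityID, SSO bindings, signing cert fingerprint."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    bindings = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:  # a KeyDescriptor without use= covers both signing and encryption
        cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    der = base64.b64decode("".join(cert.text.split()))
    return {"entity_id": root.get("entityID"), "bindings": bindings,
            "signing_cert_sha256": sha256_fingerprint(der)}


def check_saml_response(b64_response: str, idp: dict, params: dict) -> list:
    """Return a list of mismatches; an empty list means the response matches the configuration."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp["entity_id"]:
        problems.append(f"Issuer {issuer!r} != idp.xml entityID {idp['entity_id']!r}")
    host = urlparse(root.get("Destination", "")).hostname
    if host != params["AWServerName"]:
        problems.append(f"Destination host {host!r} != AWServerName {params['AWServerName']!r}")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if params["audience"] not in audiences:  # exact, case-sensitive comparison
        problems.append(f"Audience {audiences} does not include {params['audience']!r}")
    if root.find(".//saml:Subject/saml:NameID", NS) is None:
        problems.append("assertion carries no NameID, so UEM cannot map the user")
    return problems


def run_demo() -> dict:
    """Metadata summary plus one matching response and one with a mis-cased audience."""
    idp = parse_idp_metadata(SAMPLE_IDP_XML)
    good = base64.b64encode(SAMPLE_SAML_RESPONSE.encode()).decode()
    bad = base64.b64encode(SAMPLE_SAML_RESPONSE.replace(">AirWatch<", ">airwatch<").encode()).decode()
    return {
        "idp": idp,
        "post_binding_available": POST_BINDING in idp["bindings"],
        "good_problems": check_saml_response(good, idp, ACCESS_APP_PARAMS),
        "bad_problems": check_saml_response(bad, idp, ACCESS_APP_PARAMS),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

To use it against a real environment, replace SAMPLE_IDP_XML with the contents of the downloaded idp.xml and SAMPLE_SAML_RESPONSE with the SAMLResponse form value copied from the browser's network tab (pass that value straight to check_saml_response, since it is already base64). The fingerprint lets you confirm that the certificate UEM shows after the import is the one in the file, and the bindings dictionary confirms the IdP offers HTTP-POST before you switch UEM to it.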

Workspace ONE UEM Admin Portal

This section details the integration between Workspace ONE Access and the UEM Admin portal.

  1. Create a basic administrator in Workspace ONE UEM with the same user ID as the account in Workspace ONE Access. For example:
  2. To add the application, log in to the Access console as an administrator with rights to add applications and navigate to Catalog > Web Apps.
  3. Click on New.
  4. Click on Browse from Catalog.
  5. Navigate to the app you want to add. Here we are adding the AirWatch Admin application; click on the plus sign next to it.
  6. The application is selected, as shown:

7. Personal preference: replace the default icon with this new one and change the wording of the application as follows:

8. Click Next.

9. All the details will be pre-filled and need no modification. The values that must be added are under Configuration > Application Parameters:

  • AWServerName: the Console server hostname without the https:// prefix, e.g. cn500.awmdm.com
  • ac: the Group ID of the Organization Group (OG) in which SAML was configured on the UEM side. In my lab it is eucau.
  • audience: the Service Provider (AirWatch) ID. This must match the value in the UEM console exactly; it is found under Directory Services once SAML is enabled. Here we use AirWatch.

    Note: keep the capitalisation as it appears in UEM. It should not matter, but it is good to be consistent throughout.

Important Note: for the Admin Console application, AWServerName must be the Workspace ONE UEM Console server name (the cn host), not the Device Services server used for the SSP.

Here are the application parameters from my lab environment:

10. Click on Advanced Properties and create a new custom attribute called ObjectGUID with the value ${user.ExternalId}.

11. Click Next

12. Select the default access policy and click Next

13. Click Save and Assign

14. Enter an appropriate admin group and then click Save

15. Now log in to Workspace ONE Access with an admin account and you should see the new UEM console icon, as shown:

16. Click on this application and after a few moments you should be SSO'ed into the Workspace ONE UEM Admin Console, as shown:

That’s it! You’ve now enabled SSO from Access for both SSP and the UEM Admin Console.
