Enterprise Federation using VMware Workspace One Access Connector

                       Enterprise Federation using VMware Workspace One Access Connector


Workspace One Access Connector.

VMware Workspace ONE Access was formerly called VMware Identity Manager. It is Responsible for directory synchronization and handles some of the authentication methods between on-premises resources such as Active Directory, VMware Horizon, Citrix, and the Workspace ONE Access service.


The main components of a cloud-based Workspace ONE Access implementation are described in the following table.




  

Please note that to perform the federation, the organization Owner needs to kick the federated setup from CSP and then can assign an Enterprise Admin role to manage the directory service and identity providers.

 



 

Authentication flow using IDP and vIDM.

 



The four services of the Workspace ONE Access Connector



 Key requirements for the Deployment:

 

1). Org Owner of CSP to kick-start the federation setup from CSP and assign Enterprise Admin to manage the directory services and identity providers.

 

2). Latest Windows Server.


3). Latest Connector which can be downloaded from VMware Customer Connect Portal.


4). Service Account to be used to authenticate with AD.


5). Open Firewall rules from a windows box to domain controller and CSP tenant.



Workspace One connector Deployment:


  • Deploy Workspace One connector on a windows box.
  • Download the executable from VMware Customer connect portal or during the setup of      Enterprise federation when it gives the option to Install the connector. 
            Click Start, it will give the option to download the executable.

            Link to download from customer connect portal:

https://customerconnect.vmware.com/downloads/details?downloadGroup=WS1ACCESS_ONPREM_CONNECTOR&productId=1192

 





 

 

  • Depending upon the services used, install the services.



 

  • Go to CSP and from Enterprise federation Org download the Config file by clicking on Step2 to start the connector install.



  •  Keep Config file and password handy as this will be used to establish the connectivity between CSP and Workspace One connector.



 

  •  Browse to the location where the config file is saved and select the file. Enter the Password of the file.



  •  Enter Proxy information if it is used to connect to the internet from the server.



 

 

 

  •   If there is any  Syslog server use, enter the details of sys log server or skip.



  •  If any root Certificate is used, upload the certificate here, and if not click next





  •  Specify Ports:



  •    Click Install and wait for the installation to finish.

  • Once the connector is installed go to Services.msc to check the installed services are in a running state.





     Configuring CSP Federation post Workspace One Connector Installation:


    Pre Connector installation steps:


Ø  Start the Self-Service Federation Setup:

 

            



 

Ø  Verify Domains: In this step, you verify the ownership of the domains that you want to federate. The verification process involves adding DNS TXT records for your domains. Before you begin, verify that you can modify the DNS records for your corporate domains.

 

            

 

                



 

Ø  Install Workspace One Access Connector: In this step, you download the Workspace ONE Access connector executable file and install it on a Windows machine with access to your enterprise directory.

 

 

 

    Post Connector installation steps:

 

Ø  Sync groups and users: In this step, you bind to your enterprise Active Directory. If necessary, upload security certificates for SSL/TLS communication from the Workspace ONE Access connector to the Active Directory.

 


           






 


 

Ø  Configure the Identity Provider (PING or some other).

 

    

 

 

Ø  Complete Setup :

 

In this final step of the federation setup, you must perform a list of actions.

  • Validate that the users from your enterprise can log in to VMware Cloud services by using your corporate IdP.
  • Notify the enterprise users of the domains that you specified in Step 1 that they have to log in to VMware Cloud services by using their corporate credentials.
  • Acknowledge the changes and enable the federation for your enterprise.

After you complete the federation setup, the self-service workflow is no longer available for changes. Enterprise Administrators can modify the initial setup from the Enterprise Federation dashboard.



 

Ø  Add Active Directory Groups to Custom Groups in each Organization

 

Ø  Test login and Link VMware ID Accounts

 

All existing users of VMware Cloud services who used to access their services using a VMware ID account must link their VMware ID to their federated account. This step has to be completed when you first log in to Cloud Services Console with your federated account after the federation setup for your corporate domain has been completed.

 





 

Ø     Email Invite to users: All the users who are synced as part of the above process will receive an email invite notification from CSP and then they have to log in to CSP portal to validate the access. New users synced with your corporate domain post federation don't need to have a VMware ID unless they need to view billing information or file support tickets. In this case, they have to create a VMware account first, and then link their VMware ID to their federated account.

 

Ø  Once logged in, it will take you to your identity provider to register yourself. Follow the instructions on the identity provider screen and proceed with the login. 








Comments

Post a Comment

Popular posts from this blog

Troubleshooting NonVMwareDevice Filtering in VMware SRM using Dell EMC SRDF SRA.

Image
    Troubleshooting NonVMwareDevice Filtering in VMware SRM using Dell EMC SRDF SRA. Problem description:  While running device discovery in VMware SRM while using DELL EMC SRDF SRA, it shows all the replicated devices not just the VMware devices.     In this post, I will like to highlight about my experience which I had faced while configuring VMware SRM with DELL EMC SRDF SRA.   For those who are not aware what these products are, I will like to take some time in giving a brief indroduction about the same.   VMware SRM: VMware provides the VMware Site Recovery Manager (SRM) as part of its vSphere suite, which lets you automate backups and orchestrate the recovery of entire data centers from a disaster recovery site. SRM can be used both on-premises and as a Disaster Recovery as a Service (DRaaS).   Dell EMC SRDF SRA:   SRDF: The Symmetrix Remote Data Facility (SRDF) is a family of software products that facilitates the data replication from one Symmetrix storage array
Read more

VMware vRealize Automation 7.x Troubleshooting Infra issues

Image
Troubleshooting Infra Issues in vRA 7.x     To manually troubleshoot vRA issues, we must know what all things we need to check.   1). In the vRA portal one should check the status of all the services whether the status is registered, fail or blank.   https://vRAserver_name:5480   If the status is registered than all good but if it is showing failed then it seems something is wrong with that service. If the status of service is blank it means that the service is responding but not correctly. XML link to check why services are not running are as follows:   https://vRA/component-registry/services/status/current?page=1&limit=50   2) If in the vra page one is giving Error 503 then please check below things to isolate that: -->IIS Pools -->SQL DB Connectivity -->Certificate Issues -->Service Account Issues -->Service Dependency   3). Service which need to checked to monitor load balancing is "shell-ui-app" and it can be c
Read more

Replacing NSX-T Certificate with Custom Certificate

Image
                                Replacing NSX-T Certificate with Custom Certificate.   As part of best practice, it is always recommended to replace VMware self-signed Platform certificates with your organization's CA signed certificate. To do the same we need to create a Certificate Signing Request for the NSX Manager. NSX-T Data Center deployment install VMware self-signed certificated by default. The same can be checked by navigating to System > Certificates to view the platform certificates created by the system. By default, these are self-signed X.509 RSA 2048/SHA256 certificates for internal communication within NSX-T Data Center and for external authentication when NSX Manager is accessed using APIs or the UI.   To replace the VMware self-signed certificate with the custom cert there are four main steps:   1). Generate CSR. 2). Request the certificate from Certificate Authority. 3). Import Certificate 4). Validate and Replace the certificate on eac
Read more