VMware Workspace ONE Access on Azure Active Directory With JIT Provisioning

Today I was working on our RawWorks VMware Workspace ONE Access Demo tenant. We did not want traditional AD by using a connector so we went with a full-on Azure AD integration with JIT. Documentation around this is available but took some time to get it really fixed. Thankfully I had access to my local Microsoft Azure Guru, Gerjon Kunst, to help me out on the Azure side! Thanks! Be sure to look at his awesome blog too! So let us show you how to do this properly! Both Gerjon and I bring you this gem.

So what is JIT? (Just-in-Time Provisioning)?

JIT provisioning is a method of automating user account creation for web applications. It uses the SAML (Security Assertion Markup Language) protocol to pass information from the identity provider to web applications. When a new user tries to log in to an authorized app for the first time, they trigger the flow of information from the identity provider to the app that’s required to create their account.

The requirements for User Accounts in Workspace ONE Access are:

  1. You must be using Azure Active Directory (doesn’t require a P1 or P2 subscription).

  2. User to have an account with a valid SAML attribute/NameID format for JIT to provision accounts into this service.

Adding Azure AD as a Third-Party IDP in Workspace ONE Access

In your Azure Portal you need to create an ‘Enterprise Application’ (your Workspace ONE Access (vIDM) Tenant) and then add Azure AD as a third-party IDP in Workspace ONE Access.

First, log in to your Azure Portal https://portal.azure.com and select Azure Active Directory and find ‘Enterprise Applications’ in the list under Manage and then ‘New Application’.

Select Non-Gallery Application.

Then give it a name and press add.

Select Single Sign-On.

Then click on SAML tile to start configuring the app.

To get the required information, you need to get your SP metadata .xml file from your Workspace ONE Access tenant. This can be found in the admin UI or at the following URL: https://yourAccessURL/SAAS/API/1.0/GET/metadata/sp.xml

From the UI you go to Catalog > Web Apps > Settings > SAML Metadata en you need the  Service Provider (SP) metadata.

To configure Enterprise Application parameters fields from the sp.xml

Identifier = EntityID Value from the .xml file
Reply URL = The POST Value from the Assertion Consumer Service in .xml

To set this up in the Azure app you need to edit the SSO.

And fill in those 2 URLs from your SP.xml.

Don’t forget to press the save button and skip the test. Now Map your user attributes & claims for SAML Assertion. Be sure you match the attributes used in VMware Workspace ONE Access and Azure AD.

Where we hit a roadblock was that azure automagically fills in the claims name with a URL. This needs to be exact as Access Attribute names, to the capitols exact!

Now, download the Metadata XML file from the Azure Enterprise Application.

Don’t forget to Assign Users to your application. Go to Users and Groups and assign it to your Users. Whichever user is assigned to this application the user will automatically provision in VMware Workspace ONE Access.

Now Login into Workspace ONE Access Admin Console, go to Identity & Access Management, then Identity Providers and Add Identity Provider. Select Create Third Party IDP.

Give your IDP a name (eg. Azure AD) then paste the entire contents of the metadata.xml file that you downloaded from the Azure Portal and paste it into the SAML Metadata field. Then, press Process IdP Metadata.

Be sure to have NamedID Element selected!
Under Name ID Format add two mappings:

unspecified = userName
emailaddress = emails

Also set Named ID Policy to Email.

Enable Just-in-Time User Provisioning.

Fill in the Directory name and Domain.

In Authentication Method fill in the below information.

Authentication Methods – Azure-Password (Any Name)
SAML Context – urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Also select the All Ranges checkbox or the integration will not be mapped to be used.

Now you need to add this Authentication Method to your Default Access Policy.

All done now! Now we can test the user loginand see if the user is created.

Go to your VMware Workspace ONE Access URL and If the Access Policy is set up correctly you will see the Azure AD login page to enter your Account details.

As you can see I’m logged in with a new Azure user! If your user attribute mapping is correct you will be able to be logging in your VMware Access tenant. As your user is created in your access now.

Just to verify login back to your VMware Access admin page. Over there you will able to see the users created in the Azure directory.

Well, there you have it! VMware Workspace ONE Access on Azure Active Directory With JIT Provisioning!

Getting those Azure users into UEM from Access?

Now you can also enable the user sync between Workspace ONE Access and UEM so your Access users are added to UEM as users. Within UEM enable go to Settings > System > Enterprise Integration > Workspace ONE Access > Configuration. Enable “Basic User Sync”. Be aware that once enabled, it cannot be undone.

Now, when the users are synced you can also have SSO with SAML between Access and UEM on the User portal and Admin portal of UEM. And use the same user accounts to enroll devices.

3 thoughts on “VMware Workspace ONE Access on Azure Active Directory With JIT Provisioning

  1. Matt Paterno

    Hello! this was a great article. I was wondering how you synced your users to UEM. I was not able to get this working even though I have basic user sync enabled.

  2. LaurensvanDuijn Post author

    Yeah sync seems only to work when you log into the self service portal as the user. Then the account is created.

  3. ismail

    Can I use only Azure AD as directory in Workspace one access or UEM for directory , We did not have any on-prem or ldap directory.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.