PhenixID

Step by Step – VMWare Workspace One Unified Enterprise Management (formerly known as AirWatch) – MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and Single-Sign On for the Enterprise Mobility Management platform VMWare Workspace One Unified Enterprise Management (formerly known as AirWatch).

System Requirements

  • PhenixID Authentication Server 3.0 or higher
  • VMWare Workspace One UEM administration rights

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and Single-Sign on for VMWare Workspace One Unified Enterprise Management.

PhenixID Authentication Services acting as SAML IdP

  1. Login to Configuration Manager.
  2. Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
  3. Fetch the userID value (the user identifier UEM expects, normally sAMAccountName) from the configured user store.
  4. Use userID as Name ID attribute.
  5. Save changes.
  6. Click General->View SAML Metadata.
  7. Save the IDP Signing Certificate as a file (follow this instruction)
  8. Save the changes
  9. Copy these values from the IdP:
    1. EntityID
    2. Post SSO URL
    3. Post SLO URL

Configure VMWare Workspace One Unified Enterprise Management

  1. Login as a UEM admin
  2. Enable SAML Authentication.
  3. Fill out these values about the IdP:
    1. Identity Provider ID -> Entity ID fetched in previous step
    2. Identity Provider Single Sign-On URL -> POST SSO URL fetched in previous step
    3. Identity Provider Certificate -> Upload the IDP Signing certificate created in previous step.
  4. Example configuration:

Create VMWare Workspace One Unified Enterprise Management SAML SP Metadata

  1. Creating VMWare Workspace One Unified Enterprise Management SAML SP Metadata has to be done manually. The SAML SP metadata retrieval within UEM should not be used.
  2. Create a new text file. Name the file uem_saml_sp_meta.xml
  3. Paste this content into the file:
    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntityDescriptor entityID="AirWatch" ID="_27fdaf45-332c-4033-91d0-4d8c17f322a8" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <md:SPSSODescriptor ID="_d77ba982-8389-44b9-91be-f3abcb0343f0" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <!-- One AssertionConsumerService per UEM web application; replace YOUR-UEM_DOMAIN in every Location -->
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://YOUR-UEM_DOMAIN/IdentityService/SAML/AssertionService.ashx?binding=HttpPost" index="2" isDefault="false"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://YOUR-UEM_DOMAIN/MyDevice/SAML/AssertionService.ashx?binding=HttpPost" index="5" isDefault="false"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://YOUR-UEM_DOMAIN/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost" index="8" isDefault="false"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://YOUR-UEM_DOMAIN/AirWatch/SAML/AssertionService.ashx?binding=HttpPost" index="11" isDefault="false"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://YOUR-UEM_DOMAIN/Catalog/SAML/AssertionService.ashx?binding=HttpPost" index="14" isDefault="false"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
  4. Change YOUR-UEM_DOMAIN to match your environment. Example: uem.phenixid.se
  5. Save the file.
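The two manual steps above (copying EntityID, POST SSO URL, POST SLO URL and the signing certificate out of the IdP metadata, and producing uem_saml_sp_meta.xml with YOUR-UEM_DOMAIN replaced) can be scripted. The following is an added example and not PhenixID or VMware code; the IdP metadata in it is a constructed sample with a placeholder certificate, and the host name uem.phenixid.se is the example value from step 4. It also checks the generated file before it is uploaded: every AssertionConsumerService must be an https location on the given host.

```python
"""Added example (not PhenixID or VMware code): read the IdP values the UEM
side needs, save the signing certificate as PEM, and build uem_saml_sp_meta.xml.
SAMPLE_IDP_METADATA is a constructed sample; use the metadata from
Configuration Manager -> General -> View SAML Metadata instead."""
import re
import uuid
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata (assumption: the real file uses the same
# standard SAML 2.0 metadata elements; the certificate is a placeholder).
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICPLACEHOLDERBASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_values(metadata_xml):
    """Return EntityID, POST SSO/SLO URLs and the signing certificate as PEM."""
    data = metadata_xml.encode() if isinstance(metadata_xml, str) else metadata_xml
    root = ET.fromstring(data)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def post_location(service):
        # Only the HTTP-POST endpoints are used by this guide.
        for svc in idp.findall(service, NS):
            if svc.get("Binding") == POST:
                return svc.get("Location")
        return None

    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' covers both signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                cert_b64 = "".join(cert.text.split())
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in IdP metadata")
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
           + "\n-----END CERTIFICATE-----\n")
    return {"entity_id": root.get("entityID"),
            "sso_url": post_location("md:SingleSignOnService"),
            "slo_url": post_location("md:SingleLogoutService"),
            "signing_cert_pem": pem}


# The five AssertionConsumerService endpoints and index values from the guide.
ACS_ENDPOINTS = [
    ("/IdentityService/SAML/AssertionService.ashx?binding=HttpPost", 2),
    ("/MyDevice/SAML/AssertionService.ashx?binding=HttpPost", 5),
    ("/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost", 8),
    ("/AirWatch/SAML/AssertionService.ashx?binding=HttpPost", 11),
    ("/Catalog/SAML/AssertionService.ashx?binding=HttpPost", 14),
]


def build_sp_metadata(uem_domain, entity_id="AirWatch"):
    """Return the uem_saml_sp_meta.xml content for one UEM host name."""
    # Accept only a bare host name so no scheme or path can end up in the
    # https:// locations (a wrong ACS location makes UEM reject the response).
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", uem_domain):
        raise ValueError("uem_domain must be a bare host name, e.g. uem.phenixid.se")
    acs = "\n".join(
        f'    <md:AssertionConsumerService Binding="{POST}" '
        f'Location="https://{uem_domain}{path}" index="{idx}" isDefault="false"/>'
        for path, idx in ACS_ENDPOINTS)
    xml_text = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="{entity_id}" ID="_{uuid.uuid4()}" xmlns:md="{NS['md']}">
  <md:SPSSODescriptor ID="_{uuid.uuid4()}" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
{acs}
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
    ET.fromstring(xml_text.encode())  # fail early if the result is not well-formed
    return xml_text


def acs_locations(sp_metadata_xml):
    """List the AssertionConsumerService locations, to review before uploading."""
    root = ET.fromstring(sp_metadata_xml.encode())
    return [a.get("Location") for a in
            root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)]


if __name__ == "__main__":
    values = extract_idp_values(SAMPLE_IDP_METADATA)
    with open("idp_signing.crt", "w") as f:      # step 7: certificate as a file
        f.write(values["signing_cert_pem"])
    with open("uem_saml_sp_meta.xml", "w") as f:  # steps 2-5 of this section
        f.write(build_sp_metadata("uem.phenixid.se"))
    print(values["entity_id"], values["sso_url"], values["slo_url"])
```

The ID attributes are generated with uuid4 on each run, matching the shape of the IDs in the pasted template; they are only document identifiers and do not have to match the values shown above.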

Add trust to VMWare Workspace One Unified Enterprise Management on PhenixID Authentication Services

  1. Login to configuration manager
  2. Open Scenarios->Federation->SAML Metadata upload.
  3. Click the plus sign
  4. Add VMWare Workspace One Unified Enterprise Management SAML SP Metadata by uploading the file (uem_saml_sp_meta.xml) created in previous step.

Test

  1. Browse to your VMWare Workspace One Unified Enterprise Management domain.
  2. This should result in a redirect to PhenixID Authentication Server
  3. Authenticate
  4. If authentication was successful, a redirect back to VMWare Workspace One Unified Enterprise Management should occur, carrying the SAML assertion
  5. The user should now be logged in.
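When step 4 succeeds but step 5 does not, the usual cause is a mismatch between what the assertion carries and what the SP metadata promised. The following is an added troubleshooting example, not PhenixID or VMware code: it decodes the SAMLResponse form value the browser posts to UEM (copied from the browser's developer tools) and reports the fields this guide depends on: success status, a Destination that is one of the five AssertionConsumerService locations, an Audience equal to the SP entityID "AirWatch", and a NameID carrying the userID. Signature validation is done by UEM and is not repeated here; the function only reports whether a Signature element is present. The response in the block is a constructed, unsigned sample and uem.phenixid.se is the example host name from the guide.

```python
"""Added example (not PhenixID or VMware code): decode a SAMLResponse and
check the fields the UEM trust relies on. SAMPLE_SAML_RESPONSE is constructed
and unsigned; no signature verification is performed here (UEM does that)."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "AirWatch"       # entityID from uem_saml_sp_meta.xml
UEM_DOMAIN = "uem.phenixid.se"  # assumption: the example host name from the guide
ACS_LOCATIONS = {f"https://{UEM_DOMAIN}/{app}/SAML/AssertionService.ashx?binding=HttpPost"
                 for app in ("IdentityService", "MyDevice", "DeviceManagement",
                             "AirWatch", "Catalog")}

# Constructed, unsigned sample of a decoded SAMLResponse.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://{UEM_DOMAIN}/AirWatch/SAML/AssertionService.ashx?binding=HttpPost">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def inspect_saml_response(saml_response_b64, expected_audience=SP_ENTITY_ID,
                          acs_locations=ACS_LOCATIONS):
    """Decode a SAMLResponse form value and return the field checks as a dict."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    result = {
        # IdP reported success
        "status_success": status is not None and status.get("Value") == SUCCESS,
        # Destination must be one of the ACS locations in the uploaded SP metadata
        "destination_is_known_acs": root.get("Destination") in acs_locations,
        # An encrypted assertion cannot be inspected this way
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        # Presence only; validity is checked by UEM against the uploaded IdP certificate
        "signature_present": root.find("ds:Signature", NS) is not None
        or (assertion is not None and assertion.find("ds:Signature", NS) is not None),
        "name_id": None,
        "name_id_format": None,
        "audience_matches": False,
    }
    if assertion is not None:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is not None:
            # Step 4 of the IdP setup: NameID must carry the userID UEM expects
            result["name_id"] = (name_id.text or "").strip()
            result["name_id_format"] = name_id.get("Format")
        audiences = [a.text for a in assertion.iterfind(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        # Audience must equal the entityID in uem_saml_sp_meta.xml
        result["audience_matches"] = expected_audience in audiences
    return result


if __name__ == "__main__":
    for key, value in inspect_saml_response(SAMPLE_SAML_RESPONSE).items():
        print(f"{key}: {value}")
```

A real response from the IdP should show signature_present as True and destination_is_known_acs and audience_matches as True; a False in either of the last two points at the SP metadata (wrong host name in the Location attributes or a changed entityID), and an empty name_id points at the Name ID mapping in step 4 of the IdP setup.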

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se