Use Case:
Configure VMware Identity Manager as a trusted federation Service Provider (SP) with OneLogin as the Identity Provider (IDP).
Prerequisites:
- Access to VMware Identity Manager administrative interface.
- Access to OneLogin administrative interface.
- At least one test user account in both VMware Identity Manager and OneLogin. For this tutorial, the user's email address should match in both systems.
- Basic understanding of federated identity concepts.
Approach and Steps:
We will use the OneLogin "SAML Test Connector" to set up VMware Identity Manager as a federated application. The OneLogin SAML Test Connector lets you build custom application connectors for applications that are not found in the OneLogin catalog. The following steps will be performed:
- Open VMware Identity Manager Service Provider metadata.
- Configure VMware Identity Manager as custom application (Service Provider) in OneLogin.
- Assign VMware Identity Manager to users in OneLogin.
- Configure OneLogin as a third-party Identity Provider in VMware Identity Manager.
- Test the federation connection for IDP-initiated and SP-initiated authentication flows.
Detailed steps are provided below.
1. Open VMware Identity Manager Service Provider metadata
- Log in to the VMware Identity Manager admin console and navigate to Catalog > Settings > SAML Metadata > Service Provider (SP) metadata.
- Keep the SP metadata open in a web browser window; it is needed in the next step.
2. Configure VMware Identity Manager as custom application (Service Provider) in OneLogin.
- Log in to your OneLogin tenant with an Admin account.
- Navigate to Apps > Add Apps.
- Search for 'SAML Test Connector' and select the first search result.
Additional information on the other OneLogin Test Connectors is available in the OneLogin Help Center article "How to Use the OneLogin SAML Test Connector".
- Enter a Display Name (e.g. VMware Identity Manager) and click Save.
- Under the Configuration tab, enter the following values, taken from the VMware Identity Manager SP SAML metadata opened in Step 1 (left: metadata value, right: OneLogin field):
entityID ==> Audience
Example: https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml
HTTP-POST Location ==> Recipient
Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response
HTTP-POST Location ==> ACS (Consumer) URL Validator
Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response
HTTP-POST Location ==> ACS (Consumer) URL
Example: https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response
- Click Save.
- Under the Parameters tab, select "Email".
- Expand the "MORE ACTIONS" menu and download the OneLogin IDP SAML metadata. This will be used in Step 4.
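Step 2 is a copy-and-paste exercise, and the usual mistake is to copy a Location that belongs to a different binding or to a different tenant. The script below is an added example, not code from the tutorial, VMware or OneLogin: it parses a constructed SP metadata document in the shape VMware Identity Manager publishes at /SAAS/API/1.0/GET/metadata/sp.xml (the acmecorp hostname is the page's own example; the extra HTTP-Artifact entry is invented only to show that the binding must be checked, not just the URL) and derives the four OneLogin fields from it. It also builds an escaped, anchored alternative for the ACS (Consumer) URL Validator field, which OneLogin evaluates as a regular expression.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of VMware Identity Manager SP metadata.
# "acmecorp" is the tutorial's example tenant; the HTTP-Artifact entry is
# invented here so that the binding filter below has something to exclude.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://acmecorp.vmwareidentity.com/SAAS/auth/saml/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def onelogin_fields_from_sp_metadata(metadata_xml: str) -> dict:
    """Derive the OneLogin SAML Test Connector fields from SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    # Only the HTTP-POST AssertionConsumerService is what the tutorial pastes.
    post_locations = [
        acs.get("Location")
        for acs in sp.findall("md:AssertionConsumerService", MD_NS)
        if acs.get("Binding") == HTTP_POST
    ]
    if len(post_locations) != 1:
        raise ValueError(
            f"expected one HTTP-POST AssertionConsumerService, found {len(post_locations)}"
        )
    acs_url = post_locations[0]
    return {
        "Audience": entity_id,
        "Recipient": acs_url,
        "ACS (Consumer) URL Validator": acs_url,
        "ACS (Consumer) URL": acs_url,
        # Stricter alternative for the Validator field: escape regex
        # metacharacters and anchor, so only the exact ACS URL is accepted.
        "ACS (Consumer) URL Validator (anchored regex)": "^" + re.escape(acs_url) + "$",
    }


def validator_accepts(pattern: str, url: str) -> bool:
    """True if a Validator regex accepts the given ACS URL as a whole string."""
    return re.fullmatch(pattern, url) is not None


def sanity_check(fields: dict) -> list:
    """Cheap checks worth doing before the values are pasted into the IDP."""
    warnings = []
    acs = fields["ACS (Consumer) URL"]
    if not acs.startswith("https://"):
        warnings.append("ACS URL is not HTTPS; assertions would travel in the clear")
    if urlparse(acs).hostname != urlparse(fields["Audience"]).hostname:
        warnings.append("ACS URL host differs from the entityID host; check the tenant")
    return warnings


if __name__ == "__main__":
    fields = onelogin_fields_from_sp_metadata(SAMPLE_SP_METADATA)
    for name, value in fields.items():
        print(f"{name}: {value}")
    for warning in sanity_check(fields):
        print("WARNING:", warning)
```

Pasting the plain URL into the Validator field, as the tutorial does, works because an unescaped "." matches itself, but it also matches any other character in that position; the anchored, escaped pattern removes that slack at no cost.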
3. Assign VMware Identity Manager to users in OneLogin
In OneLogin, ensure that users are assigned to the VMware Identity Manager application. OneLogin provides several ways to assign users; for testing purposes, a single user can be assigned under "Users" > "All Users" > [click on the user name] > "Applications" tab. Click the '+' sign to assign your test user to the application.
4. Configure OneLogin as a third-party Identity Provider in VMware Identity Manager
- In the VMware Identity Manager admin console, navigate to Identity & Access Management > Identity Providers > Add Identity Provider > Create Third Party IDP.
- Enter an Identity Provider Name (e.g. OneLogin).
- In the "SAML Metadata" text box, paste the OneLogin IDP SAML metadata downloaded in Step 2 and click "Process IdP Metadata". Ensure there are no error messages.
- Under the Users section, select the Directory that contains your test user(s).
- Under Network, select ALL RANGES.
- Under Authentication Methods:
  - Authentication Methods = "OneLogin_Password"
  - SAML Context = urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
- Click Save.
- Navigate to Identity & Access Management > Policies > default_access_policy_set.
- Click on the row for device type "Web Browser".
- Select OneLogin_Password as the authentication method.
- Click OK.
- Don't forget to click Save.
5. Test the federation connection
- SP-initiated authentication flow
This can be tested by going to your VMware Identity Manager URL; you should be redirected to OneLogin for authentication and back again.
- IDP-initiated authentication flow
This can be tested by going to your OneLogin tenant URL and launching the VMware Identity Manager application tile.
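A login that succeeds tells you the trust works; it does not tell you that what OneLogin sends is what Steps 2 and 4 configured. The script below is an added example, not code from the tutorial or from either vendor: it checks a SAML Response against the tutorial's values (Audience must equal the SP entityID, Destination and Recipient must equal the ACS URL, NameID must be the test user's email in emailAddress format, and AuthnContextClassRef must equal the configured SAML Context). The response is a constructed sample with placeholder issuer id, timestamps and email, and Signature elements are omitted; signature and validity-window verification are the SP's job and are not repeated here. To run it against a real login, copy the SAMLResponse form field from the browser's developer tools and base64-decode it first.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The values the tutorial configures; "acmecorp" is the page's example tenant.
EXPECTED = {
    "audience": "https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml",
    "recipient": "https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response",
    "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed SAML Response (Signature elements omitted). The connector id,
# timestamps and the user's email are placeholders, not values from the page.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/PLACEHOLDER-CONNECTOR-ID</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/PLACEHOLDER-CONNECTOR-ID</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@acmecorp.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
            Recipient="https://acmecorp.vmwareidentity.com/SAAS/auth/saml/response"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:57:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://acmecorp.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_saml_response(response_xml: str, expected: dict, expected_email: str) -> list:
    """Return the list of mismatches between the response and the configured values.

    An empty list means every checked field matches what the tutorial configured.
    Signature and validity-window checks are left to the SP and not repeated here.
    """
    findings = []
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    if root.get("Destination") != expected["recipient"]:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append(f"expected exactly one Assertion, found {len(assertions)}")
        return findings
    a = assertions[0]
    audiences = [
        (e.text or "").strip()
        for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if expected["audience"] not in audiences:
        findings.append(f"Audience {audiences} does not contain the SP entityID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["recipient"]:
        findings.append("SubjectConfirmationData Recipient is not the ACS URL")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != expected["nameid_format"]:
        findings.append("NameID is missing or not in emailAddress format")
    elif (nameid.text or "").strip().lower() != expected_email.lower():
        findings.append(f"NameID {nameid.text!r} is not the test user's email")
    ctx = a.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or (ctx.text or "").strip() != expected["authn_context"]:
        findings.append("AuthnContextClassRef differs from the configured SAML Context")
    return findings


if __name__ == "__main__":
    problems = check_saml_response(SAMPLE_RESPONSE, EXPECTED, "jane.doe@acmecorp.example")
    print("OK" if not problems else "\n".join(problems))
```

A mismatch in NameID is the most common reason a login that OneLogin reports as successful still fails at VMware Identity Manager, which is why the prerequisite asks for matching email addresses in both systems.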