UAG 2111 and Newer SAML IDP Integrations
Introduction:
In this post we will go over integration of VMware Unified Access Gateways - specifically the Admin Console login - with an Identity Provider (IDP). Here we will be using VMware Workspace ONE Access as the IDP.
Prerequisites:
- A UAG installed and running
- Admin Console login
- Workspace ONE Access tenant configured and working
- Workspace ONE Access Super Admin login
Process:
- Grab your Identity Provider's IDP XML Metadata.
- Login to the Workspace ONE Access tenant as Super Admin and switch to the Workspace ONE Access Console (i.e. the Workspace ONE Access +Admin UI).
- Browse to the WEB APPS subsection under the CATALOG drop down menu.
- Select the SETTINGS button.
- In the popup SETTINGS window, select SAML METADATA under SAAS APPS.
- Right-click the "Identity Provider (IdP) metadata" link and click SAVE AS in your browser's context menu and save your IDPs XML metadata file.
- Close the SETTINGS popup Window.
- Upload the IDP Metadata file to your UAG
- Login to your UAG as admin by browsing to your UAG's admin login page (i.e. https://
:9443/admin/index.html ). - Click SELECT under "Configure Manually".
- Under Identity Bridging, select the gear icon to the right of "Upload Identity Provider Metadata".
- Enter an Entity ID if desired (not needed).
- Click SELECT next to IDP Metadata and browse to the IDP Metadata file downloaded in Step 1 and select it to upload.
- Click SAVE.
- Enable SAML Login for Admins
- If not already logged in to your UAG, login to your UAG as admin by browsing to your UAG's admin login page (i.e. https://
:9443/admin/index.html ). - Click SELECT under "Configure Manually".
- Under Advanced Settings, select the gear icon to the right of "Account Settings".
- Click SAML Login Configuration.
- Click to Enable SAML Authentication.
- Select the drop down for the Identity Provider and select your IDP (which you uploaded the metadata for).
- Download the SAML Service Provider Metadata.
- Select DOWNLOAD SAML SERVICE PROVIDER METADATA.
- Enter the Management NIC FQDN for the External Host Name.
- Click DOWNLOAD and save the SP Metadata for the UAG Admin Login.
- Once saved, click CANCEL to close the download window.
- Click SAVE to save the SAML IDP Settings for Admin Login to the UAG.NOTE: The interface will reboot in about 20 seconds.If the UI reboots faster than you can create the app within your IDP below, it may come up with an IDP error screen stating something to the effect of "no application found" or similar.
- Click CLOSE.
- Create the UAG Admin Console app in the Workspace ONE Access Admin console.
- If not already logged in to your Workspace ONE Access Admin Console, login to the Workspace ONE Access tenant as Super Admin and switch to the Workspace ONE Access Console (i.e. the Workspace ONE Access +Admin UI).
- Browse to the WEB APPS subsection under the CATALOG drop down menu.
- Create the new SaaS app.
- Click NEW to create a new SaaS app.
- Type in a Name.
- If desired, type in a description, upload an icon, and select a desired category.
- Click NEXT.
- Ensure SAML 2.0 is selected for Authentication Type and URL/XML is selected for Configuration.
- Open the UAG Service Provider XML metadata file and copy the entire contents and paste into the URL/XML section.
- Click NEXT.
- Click NEXT on the Access Policies window.
- Click SAVE & ASSIGN on the Summary window.
- Assign the new SaaS app to the desired users and/or groups.
- Click SAVE.
- Test
- Navigate back to the User Portal on Workspace ONE Access and verify the new app exists. You may need to refresh your browser page or logout/login again.
- Click on the app to launch the UAG Admin Console and verify you are immediately signed on.
DONE!