Workspace ONE Access User Authentication Flows - Configuring Password (Cloud Deployment) From Start to Finish
Opening:
This is a quick and rough guide to enabling "Password (cloud deployment)" in Workspace ONE Access as VMware documentation no longer covers this completely.
Outcome:
This procedure will allow a customer admin to change from direct Password authentication via Workspace ONE Access Connector(s) to indirect Password (Cloud Deployment) authentication via Workspace ONE Access Connector(s).
Assumptions:
- Workspace ONE Access tenant exists
- Workspace ONE Access admin login capable
Logic Flow:
- Within the Workspace ONE Access admin console, navigate to Identity & Access Management > (Manage) > Identity Providers. Does Workspace ONE Access Built-in Identity Provider exist?
- Yes, continue on to 2.
- No.
- Create a new "Built-in" IDP by clicking the ADD IDENTITY PROVIDER button in the upper right.
- Is there a Connector assigned to the Built-in IDP?
- Yes, continue on to 3.
- No
- Go into Identity & Access Management > Identity Providers > Built-in (or whatever it might be renamed to). You should see a box in the Connectors section to select (and then add) your connector(s).
- After selecting your connector, click Add Connector.
- Repeat these three steps for each connector you wish to add.
- Does the Password (Cloud Deployment) box now appear under Connector Authentication Methods within the Built-in IDP?
- Yes, continue on to step 4.
- No, troubleshoot Step 2.NOTE: You may need to click the SAVE button and return back to the Built-in IDP screen in order to see a box. If one does not appear, ensure your connector(s) are properly added and show with a red X (which allows for deletion).
- Open a support ticket with VMware Support if necessary.
- Is the Password (Cloud Deployment) box checked?
- Yes, continue on to step 5.
- No, check the Password (Cloud Deployment) box.
- Click the SAVE button at the bottom of the Built-in IDP screen.
- Within the Workspace ONE Access admin console, navigate to Identity & Access Management > (Manage) > Policies and open the default_access_policy_set.
- Edit the default_access_policy_set and navigate to step "2 Configuration" within the EDIT POLICY wizard. Open each policy rule one at a time.
- Does the policy rule show "Password" as the authentication type in the "then the user may authenticate using" drop-down box?
- If NO, then continue on to the next policy rule.
- If YES, then modify the policy rule to replace Password with Password (cloud deployment) and click SAVE.
- If no more policy rules, click NEXT and SAVE on the EDIT POLICY wizard.
- Do the Password (Cloud Deployment) modifications now work locally and remotely?
- Yes. You are finished.
- No. Troubleshoot policy modifications in step 8. If necessary open a support ticket with VMware Support.
Resources:
Notes on Creating (or recreating) the Built-in IdP:
This is assuming the default "Built-in" IdP was deleted or not created from the start. iIn this event, one can just create a new "Built-in" IDP by clicking the ADD IDENTITY PROVIDER button in the upper right and selecting the option in the menu to create a built-in IdP.
Go into Identity & Access Management > Identity Providers > Built-in (or whatever it might be renamed to).You should see a box in the Connectors section to select (and then add) your connector(s). Do so.
Once you finish adding your connector(s), you will see "Password (cloud deployment)" show in the Connectors Authentication Methods section.Check it and click SAVE
Now go back to Identity & Access Management > Policies and edit your default_authentication_policy and swap out "Password" for "Password (Cloud Deployment)" for ALL policy rules which use "Password". Save each rule.
Edit each policy rule and change out "Password" for "Password (cloud deployment)". Click Save on each Policy Rule until all are correctly modified.