Implementation Guide: Basic Configuration of Workspace ONE Access for Federated Authentication

Introduction: Foundation of Identity and Access Management

VMware Workspace ONE Access serves as the cornerstone of modern identity and access management in enterprise environments, providing single sign-on (SSO), multi-factor authentication (MFA), and conditional access capabilities. This implementation guide provides step-by-step instructions for configuring Workspace ONE Access for federated authentication, establishing the foundation for secure, seamless access to enterprise resources.

Proper configuration of Workspace ONE Access is critical for organizations seeking to implement zero-trust security models while maintaining user productivity and experience. This guide focuses on the essential configurations needed to establish a robust identity and access management platform.

Workspace ONE Access Architecture

Architecture Overview and Prerequisites

Workspace ONE Access Components

Core Components:

  • Identity Manager: Central authentication and authorization engine
  • Unified Access Gateway (formerly Access Point): DMZ reverse proxy and policy enforcement point in front of the appliance
  • Directory Service: User and group management interface
  • Catalog Service: Application and resource catalog management
  • Policy Engine: Conditional access and risk-based authentication

Integration Points:

  • Active Directory: Primary user directory and authentication source
  • SAML Identity Providers: External identity providers for federation
  • Application Integrations: SaaS and on-premises applications
  • Certificate Authorities: PKI integration for certificate-based authentication
  • RADIUS Servers: Network access control integration

Infrastructure Requirements

Hardware and Virtual Machine Specifications:

Component            Small Deployment   Medium Deployment   Large Deployment
Users Supported      Up to 1,000        1,000 - 5,000       5,000+
vCPU                 4                  8                   16
Memory (GB)          16                 32                  64
Storage (GB)         100                200                 500
Network Interfaces   1                  2                   2

Network Requirements:

  • DNS Resolution: Forward and reverse DNS entries for all components
  • TLS Certificates: Certificates from a trusted CA for every public-facing endpoint, covering the appliance FQDN and any load balancer name
  • Firewall Rules: Only the ports the components need, between each other and to clients
  • Load Balancer: For high availability deployments
  • Time Synchronization: NTP on every component; Kerberos and SAML both reject requests when clocks drift, so a skewed appliance breaks authentication even though the service is up

Initial Deployment and Configuration

Workspace ONE Access Appliance Deployment

OVA Deployment Process:

  1. Download OVA: Obtain the latest Workspace ONE Access OVA from VMware
  2. Deploy Template: Deploy OVA to vSphere environment
  3. Network Configuration: Configure network settings during deployment
  4. Initial Boot: Complete initial configuration wizard
  5. License Application: Apply Workspace ONE Access licenses

Initial Configuration Script:

# PowerShell 7+ script for initial Workspace ONE Access appliance configuration.
# Secrets are passed as SecureString parameters rather than embedded in the script.
# The /cfg/... paths are the endpoint names this guide assumes for the appliance
# configurator on port 8443; HTTP Basic with the configurator admin account is
# likewise an assumption. -SkipCertificateCheck is tolerable only until the
# appliance has its real certificate installed; drop it afterwards.

param(
    [Parameter(Mandatory)][string]$ApplianceIP,
    [Parameter(Mandatory)][string]$DomainName,
    [Parameter(Mandatory)][string]$CertificatePath,        # e.g. C:\Certificates\workspace-one-access.pfx
    [Parameter(Mandatory)][securestring]$AdminPassword,
    [Parameter(Mandatory)][securestring]$CertificatePassword
)

# Basic appliance settings (sample addresses; adjust to your environment)
$ConfigData = @{
    hostname    = "workspace-one-access.$DomainName"
    ip_address  = $ApplianceIP
    netmask     = "255.255.255.0"
    gateway     = "192.168.1.1"
    dns_servers = @("192.168.1.10", "192.168.1.11")
    ntp_servers = @("pool.ntp.org")
    timezone    = "America/New_York"
}

# ${ApplianceIP} is required here: "$ApplianceIP:8443" would be read as a
# scope-qualified variable name and expand to an empty string.
$BaseUri = "https://${ApplianceIP}:8443/cfg"
$Cred    = [pscredential]::new("admin", $AdminPassword)

Write-Host "Configuring network settings..."
Invoke-RestMethod -Uri "$BaseUri/network" -Method Put -Authentication Basic -Credential $Cred `
    -Body ($ConfigData | ConvertTo-Json) -ContentType "application/json" -SkipCertificateCheck

Write-Host "Installing TLS certificate..."
# ReadAllBytes works in both Windows PowerShell and PowerShell 7 (Get-Content -Encoding Byte does not)
$CertBytes  = [System.IO.File]::ReadAllBytes($CertificatePath)
$CertConfig = @{
    certificate          = [Convert]::ToBase64String($CertBytes)
    private_key_password = [System.Net.NetworkCredential]::new("", $CertificatePassword).Password
}
Invoke-RestMethod -Uri "$BaseUri/certificate" -Method Put -Authentication Basic -Credential $Cred `
    -Body ($CertConfig | ConvertTo-Json) -ContentType "application/json" -SkipCertificateCheck

Write-Host "Initial configuration completed. Please reboot the appliance."

Administrative Console Access

Initial Admin Setup:

  1. Access the admin console at https://workspace-one-access.company.local:8443
  2. Complete the initial setup wizard
  3. Configure the default admin account
  4. Set up the initial tenant configuration
  5. Configure basic security settings

Admin Console Configuration:

# Admin console configuration parameters
Admin Console Settings:
- Admin Username: admin
- Admin Password: [Complex password meeting policy requirements]
- Session Timeout: 30 minutes
- Password Policy: Minimum 12 characters, complexity required
- Account Lockout: 5 failed attempts, 15-minute lockout
- Audit Logging: Enabled
- FIPS Mode: Enabled (if required for compliance)

Active Directory Integration

Directory Configuration

Active Directory Connector Setup:

  1. Navigate to Identity & Access Management > Setup > Connectors
  2. Click Add Connector and select Active Directory over LDAP
  3. Configure the connector with the following parameters:
# Active Directory Connector Configuration
Connector Name: Primary-AD-Connector
Directory Type: Active Directory over LDAP

# Connection Settings
Host Name: dc01.company.local
Port: 636 (LDAPS). 389 is plain LDAP and is only acceptable with StartTLS.
Use SSL: Yes. Over plain 389 the bind password crosses the network in cleartext, and domain controllers that enforce LDAP signing reject simple binds that are not protected by TLS.
Base DN: DC=company,DC=local

# Authentication Settings
Bind DN: CN=WorkspaceONE-Service,OU=Service Accounts,DC=company,DC=local
Bind Password: [Service account password]

# User Settings
User Base DN: OU=Users,DC=company,DC=local
User Search Filter: (&(objectClass=user)(!(objectClass=computer)))
Username Attribute: sAMAccountName
User Object Class: user

# Group Settings
Group Base DN: OU=Groups,DC=company,DC=local
Group Search Filter: (objectClass=group)
Group Object Class: group
Group Member Attribute: member

Service Account Configuration:

# PowerShell script to create the AD bind account used by the Workspace ONE Access connector.
# Run as a domain administrator with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$ServiceAccountName = "WorkspaceONE-Service"
$ServiceAccountOU   = "OU=Service Accounts,DC=company,DC=local"
$Domain             = "company.local"

# Prompt for the password instead of embedding it in the script
$ServiceAccountPassword = Read-Host "Password for $ServiceAccountName" -AsSecureString

# PasswordNeverExpires keeps the connector from breaking silently, so rotate the
# password on a schedule and alert on any logon by this account from a host that
# is not a connector.
New-ADUser -Name $ServiceAccountName `
           -SamAccountName $ServiceAccountName `
           -UserPrincipalName "$ServiceAccountName@$Domain" `
           -Path $ServiceAccountOU `
           -AccountPassword $ServiceAccountPassword `
           -Enabled $true `
           -PasswordNeverExpires $true `
           -CannotChangePassword $true `
           -Description "Service account for Workspace ONE Access directory integration"

$ServiceAccount = Get-ADUser $ServiceAccountName

# The connector only reads users and groups: grant explicit read access on the
# two OUs and nothing else (no group membership beyond Domain Users, no write rights).
$UserOU  = "OU=Users,DC=company,DC=local"
$GroupOU = "OU=Groups,DC=company,DC=local"
$Sid     = [System.Security.Principal.SecurityIdentifier]$ServiceAccount.SID

foreach ($OU in @($UserOU, $GroupOU)) {
    $Acl  = Get-Acl -Path "AD:\$OU"
    $Rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $Acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$OU" -AclObject $Acl
}

Write-Host "Service account created and granted read access to $UserOU and $GroupOU."

User and Group Synchronization

Sync Configuration:

# Directory sync configuration
Sync Settings:
- Sync Schedule: Every 15 minutes
- Full Sync: Daily at 2:00 AM
- User Sync: Enabled
- Group Sync: Enabled
- Nested Groups: Enabled
- Deleted Object Cleanup: Enabled

# User Attribute Mapping
userName: sAMAccountName
email: mail
firstName: givenName
lastName: sn
displayName: displayName
department: department
title: title
manager: manager
telephoneNumber: telephoneNumber

# Group Attribute Mapping
groupName: cn
description: description
members: member
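As an added illustration of what the mapping and nested-group settings above do to real directory data (example code written for this guide, not VMware's connector), the Python below applies the attribute map to constructed AD entries, rejects entries the connector could not turn into users (a missing required attribute, a sAMAccountName that collides with another entry when compared case-insensitively), and flattens nested groups without looping on a membership cycle. The required-attribute set, the sample entries and the group cycle are assumptions.

```python
"""Simulated connector behaviour: attribute mapping and nested-group expansion.
Added example with constructed data; not the guide's or VMware's code."""
from typing import Dict, List, Optional, Set, Tuple

# Workspace ONE attribute -> AD attribute, as listed in the sync configuration above
USER_ATTRIBUTE_MAP = {
    "userName": "sAMAccountName",
    "email": "mail",
    "firstName": "givenName",
    "lastName": "sn",
    "displayName": "displayName",
    "department": "department",
    "title": "title",
}
# Attributes a user record must carry to be created (assumed for this example)
REQUIRED_ATTRIBUTES = ("userName", "email", "firstName", "lastName")

# Constructed sample AD entries (not real directory data)
ALICE = "CN=Alice,OU=Users,DC=company,DC=local"
BOB = "CN=Bob,OU=Users,DC=company,DC=local"
CAROL = "CN=Carol,OU=Users,DC=company,DC=local"
FINANCE = "CN=Finance,OU=Groups,DC=company,DC=local"
FINANCE_LEADS = "CN=Finance-Leads,OU=Groups,DC=company,DC=local"

AD_USERS: List[Dict[str, str]] = [
    {"distinguishedName": ALICE, "sAMAccountName": "alice", "mail": "alice@company.local",
     "givenName": "Alice", "sn": "Adams", "department": "Finance"},
    {"distinguishedName": BOB, "sAMAccountName": "bob", "givenName": "Bob", "sn": "Brown"},  # no mail
    {"distinguishedName": CAROL, "sAMAccountName": "ALICE", "mail": "carol@company.local",
     "givenName": "Carol", "sn": "Clark"},  # sAMAccountName collides with alice (case-insensitive)
]
# group DN -> member DNs; Finance-Leads is nested in Finance and refers back to it (a cycle)
AD_GROUPS: Dict[str, List[str]] = {
    FINANCE: [ALICE, FINANCE_LEADS],
    FINANCE_LEADS: [BOB, FINANCE],
}


def map_user(entry: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply the attribute map to one AD entry; return the user and any missing required attributes."""
    user = {ws1: entry[ad] for ws1, ad in USER_ATTRIBUTE_MAP.items() if entry.get(ad)}
    missing = [attr for attr in REQUIRED_ATTRIBUTES if attr not in user]
    return user, missing


def sync_users(entries: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (created users, rejected entries with reasons). userName is compared
    case-insensitively, as sAMAccountName is, so two entries differing only in case
    are a collision, not two users."""
    users, rejected, seen = [], [], set()
    for entry in entries:
        dn = entry.get("distinguishedName", "<no DN>")
        user, missing = map_user(entry)
        if missing:
            rejected.append({"dn": dn, "reason": "missing required attribute(s): " + ", ".join(missing)})
            continue
        key = user["userName"].casefold()
        if key in seen:
            rejected.append({"dn": dn, "reason": f"userName {user['userName']!r} collides with an earlier entry"})
            continue
        seen.add(key)
        users.append(user)
    return users, rejected


def expand_group(group_dn: str, groups: Dict[str, List[str]], _visited: Optional[Set[str]] = None) -> Set[str]:
    """Flatten nested membership to user DNs. Each group is expanded once, so a cycle
    (Finance -> Finance-Leads -> Finance) terminates instead of recursing forever."""
    visited = set() if _visited is None else _visited
    if group_dn in visited:
        return set()
    visited.add(group_dn)
    members: Set[str] = set()
    for member in groups.get(group_dn, []):
        if member in groups:
            members |= expand_group(member, groups, visited)
        else:
            members.add(member)
    return members


if __name__ == "__main__":
    created, rejects = sync_users(AD_USERS)
    print("created:", [u["userName"] for u in created])
    for r in rejects:
        print("rejected:", r["dn"], "-", r["reason"])
    print("Finance members:", sorted(expand_group(FINANCE, AD_GROUPS)))
```

Rejected entries are what the connector's sync report shows as errors; the case-insensitive collision is the one that surprises people, because AD happily holds both entries.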

Sync Monitoring and Troubleshooting:

# PowerShell function to report directory sync status via the Workspace ONE Access REST API
function Get-DirectorySyncStatus {
    param(
        [string]$WorkspaceOneURL = "https://workspace-one-access.company.local",
        [string]$AdminUsername = "admin",
        [Parameter(Mandatory)][securestring]$AdminPassword   # never default to a literal password
    )

    # Authenticate to the System Domain; the response carries a session token
    # that later calls present as "Authorization: HZN <token>"
    $AuthBody = @{
        username = $AdminUsername
        password = [System.Net.NetworkCredential]::new("", $AdminPassword).Password
        domain   = "System Domain"
    }
    $AuthUri = "$WorkspaceOneURL/SAAS/API/1.0/REST/auth/system/login"
    $AuthResponse = Invoke-RestMethod -Uri $AuthUri -Method Post -Body ($AuthBody | ConvertTo-Json) -ContentType "application/json"

    # The vendor media type belongs in Accept (what we want back); this GET sends no body,
    # so a Content-Type header is meaningless here
    $Headers = @{
        "Authorization" = "HZN $($AuthResponse.sessionToken)"
        "Accept"        = "application/vnd.vmware.horizon.manager.connector.management.directory.sync.status+json"
    }

    $SyncUri = "$WorkspaceOneURL/SAAS/jersey/manager/api/connectormanagement/directoryconfigs"
    $Directories = Invoke-RestMethod -Uri $SyncUri -Method Get -Headers $Headers

    # Field names below are the ones this guide assumes; check them against the JSON your tenant returns
    foreach ($Directory in $Directories.items) {
        [pscustomobject]@{
            Directory = $Directory.name
            Status    = $Directory.status
            LastSync  = $Directory.lastSyncTime
            Users     = $Directory.userCount
            Groups    = $Directory.groupCount
        }
    }
}

Authentication Configuration

Authentication Methods Setup

Password Authentication:

  1. Navigate to Identity & Access Management > Authentication Methods
  2. Configure Password (Local Directory) authentication method
  3. Set password policy requirements
  4. Configure account lockout policies
# Password authentication configuration
Password Policy:
- Minimum Length: 12 characters
- Complexity Requirements: Upper, lower, number, special character
- Password History: Remember last 12 passwords
- Maximum Age: 90 days
- Minimum Age: 1 day
- Account Lockout Threshold: 5 failed attempts
- Account Lockout Duration: 15 minutes
- Reset Lockout Counter: 15 minutes

Multi-Factor Authentication (MFA):

# MFA configuration options
Available MFA Methods:

1. VMware Verify (Recommended)
   - Push notifications
   - TOTP codes
   - Biometric authentication
   - Offline access codes

2. RSA SecurID
   - Hardware tokens
   - Software tokens
   - On-demand tokens

3. RADIUS Authentication
   - Integration with existing RADIUS infrastructure
   - Support for various RADIUS-based MFA solutions

4. Certificate-Based Authentication
   - Smart cards
   - Software certificates
   - Mobile device certificates

5. SMS/Voice Authentication
   - SMS text messages
   - Voice calls
   - International support

VMware Verify Configuration

VMware Verify Setup:

  1. Navigate to Identity & Access Management > Authentication Methods
  2. Click Add Authentication Method
  3. Select VMware Verify
  4. Configure the following settings:
# VMware Verify configuration
Method Name: VMware-Verify-MFA
Description: Multi-factor authentication using VMware Verify app

# Configuration Settings
Allow Enrollment: Yes
Require Enrollment: Yes (for designated user groups)
Enrollment Grace Period: 7 days
Allow Backup Codes: Yes
Backup Code Count: 10
Code Validity Period: 30 seconds
Maximum Retry Attempts: 3

# Push Notification Settings
Enable Push Notifications: Yes
Push Timeout: 60 seconds
Fallback to TOTP: Yes
Allow Offline Access: Yes

# Device Management
Maximum Devices per User: 3
Device Registration Approval: Automatic
Device Naming: User-defined
Device Removal: User and Admin

User Enrollment Process:

# User enrollment workflow for VMware Verify
Enrollment Process:

1. User Login
   - User authenticates with username/password
   - System detects MFA requirement
   - Enrollment prompt displayed

2. QR Code Generation
   - Unique QR code generated for user
   - QR code contains enrollment information
   - Time-limited validity (5 minutes)

3. Mobile App Setup
   - User downloads VMware Verify app
   - Scans QR code with app
   - App registers with Workspace ONE Access
   - Device-specific keys generated

4. Verification
   - Test push notification sent
   - User approves test notification
   - Enrollment completed
   - Backup codes generated and displayed

5. Ongoing Authentication
   - Push notifications for login attempts
   - TOTP codes as fallback
   - Offline access codes for no connectivity
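The enrollment steps above are the standard TOTP flow (RFC 6238). The Python below is an added example written for this guide, not the VMware Verify implementation: it generates the per-device secret and the otpauth URI that the QR code encodes, verifies codes with a one-step drift window while refusing replay of an already-used code, and issues single-use backup codes stored only as keyed digests. The server-side pepper and the backup code format are assumptions.

```python
"""TOTP enrollment and verification as an authenticator app uses it (RFC 6238 / RFC 4226).
Added example; not the guide's code and not VMware Verify's implementation."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import List, Optional, Set, Tuple

DIGITS = 6        # code length
STEP = 30         # code validity period in seconds (matches the configuration above)
DRIFT_STEPS = 1   # accept one step either side to absorb clock skew between phone and server
BACKUP_CODE_PEPPER = b"server-side-secret-assumed-for-this-example"  # assumed; keep in a secret store


def new_secret(nbytes: int = 20) -> bytes:
    """Per-device shared secret generated at enrollment (160 bits for HMAC-SHA1)."""
    return secrets.token_bytes(nbytes)


def enrollment_uri(secret: bytes, account: str, issuer: str = "Workspace ONE Access") -> str:
    """The otpauth:// URI a QR code carries to the app. It contains the secret in clear,
    so the QR code must be shown once, over TLS, and expire quickly."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={urllib.parse.quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // STEP))


class TotpVerifier:
    """Server-side verifier for one enrolled device. Remembers the last accepted time
    step so a code that was already used cannot be replayed within the drift window."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_accepted_step = -1

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        current = int(at // STEP)
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed, or older than a code we already accepted
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


def _digest(code: str) -> str:
    return hmac.new(BACKUP_CODE_PEPPER, code.encode("ascii"), hashlib.sha256).hexdigest()


def issue_backup_codes(count: int = 10) -> Tuple[List[str], Set[str]]:
    """Return (codes to show the user once, digests to store). The digest is keyed with a
    server-side pepper so a leaked store cannot be brute-forced offline over the code space."""
    codes = [secrets.token_hex(5) for _ in range(count)]   # 40 bits each
    return codes, {_digest(c) for c in codes}


def redeem_backup_code(stored: Set[str], code: str) -> bool:
    """Single use: a code is removed from the store on its first successful redemption."""
    digest = _digest(code.strip().lower())
    if digest in stored:
        stored.discard(digest)
        return True
    return False


if __name__ == "__main__":
    secret = new_secret()
    print(enrollment_uri(secret, "alice@company.local"))
    print("current code:", totp(secret))
```

The replay check matters more than it looks: without it, a code captured over the shoulder is valid for up to ninety seconds (current step plus the drift window), which is exactly the window a fast attacker needs. Rate-limit verify() per user as well; six digits is only 10^6 guesses.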

Access Policies Configuration

Policy Framework

Policy Types and Hierarchy:

  • Default Access Policy: Baseline policy for all users
  • Device Compliance Policies: Device-specific access requirements
  • Network Location Policies: Location-based access controls
  • Risk-Based Policies: Dynamic policies based on risk assessment
  • Application-Specific Policies: Granular policies for individual applications

Policy Configuration Example:

# Access policy configuration
Policy Name: Corporate-Standard-Access
Description: Standard access policy for corporate users

# Policy Conditions
User Groups: Domain Users, Corporate-Employees
Device Types: All managed devices
Network Locations: Corporate network, VPN
Time Restrictions: Business hours (7 AM - 7 PM)
Risk Level: Low to Medium

# Authentication Requirements
Primary Authentication: Active Directory Password
Secondary Authentication: VMware Verify (required)
Session Duration: 8 hours
Re-authentication: Required for high-risk applications

# Device Requirements
Device Compliance: Required
Device Encryption: Required
Jailbreak/Root Detection: Block access
Minimum OS Version: iOS 14.0, Android 10, Windows 10

# Network Requirements
Allowed Networks: Corporate, VPN, Trusted WiFi
Blocked Networks: Public WiFi, Unknown networks
VPN Requirement: Required for external access

Conditional Access Policies

Risk-Based Access Control:

# Risk-based conditional access policy
Policy Name: High-Risk-Access-Control
Description: Enhanced security for high-risk scenarios

# High-Risk Conditions
- Login from new device
- Login from new location
- Multiple failed authentication attempts
- Unusual login times
- Suspicious network activity
- Compromised credential alerts

# High-Risk Actions
- Require additional MFA factor
- Limit session duration (2 hours)
- Restrict application access
- Enable enhanced monitoring
- Require device re-enrollment
- Block access (if risk score > threshold)

# Risk Scoring Factors
Device Trust Score: 40%
Location Trust Score: 30%
User Behavior Score: 20%
Network Trust Score: 10%

# Risk Thresholds
Low Risk: 0-30 (Standard access)
Medium Risk: 31-70 (Additional MFA)
High Risk: 71-90 (Restricted access)
Critical Risk: 91-100 (Block access)
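To make the two policies above concrete, here is an added Python model of the evaluation (example written for this guide, not the product's policy engine) covering both the Corporate-Standard-Access rules and the High-Risk-Access-Control scoring: rules are ordered and the first match wins, the risk score uses the 40/30/20/10 weights and the thresholds listed above, and a request that matches no rule is denied rather than allowed. Network ranges, group names and the risk signal inputs are assumptions.

```python
"""Access-policy evaluation with risk scoring, modelled on the two policies above.
Added example; not the guide's code and not the product's policy engine."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Risk scoring factors and thresholds as given in the risk-based policy above
RISK_WEIGHTS = {"device": 0.40, "location": 0.30, "behavior": 0.20, "network": 0.10}
MAX_HIGH_RISK_SESSION_HOURS = 2


def risk_score(signals: Dict[str, float]) -> int:
    """Weighted sum of per-factor risk values (0 = fully trusted, 100 = untrusted)."""
    missing = sorted(set(RISK_WEIGHTS) - set(signals))
    if missing:
        raise ValueError(f"missing risk signals: {missing}")  # fail closed rather than score partial input
    return round(sum(w * min(100.0, max(0.0, float(signals[k]))) for k, w in RISK_WEIGHTS.items()))


def risk_level(score: int) -> str:
    if score <= 30:
        return "low"
    if score <= 70:
        return "medium"
    if score <= 90:
        return "high"
    return "critical"


@dataclass
class Rule:
    name: str
    networks: List[str] = field(default_factory=list)      # CIDR ranges; empty means any network
    device_types: List[str] = field(default_factory=list)  # empty means any device type
    groups: List[str] = field(default_factory=list)        # empty means any user
    require_compliant_device: bool = False
    auth_chain: List[str] = field(default_factory=list)    # e.g. ["password", "VMware Verify"]
    session_hours: int = 8


@dataclass
class Request:
    user: str
    source_ip: str
    device_type: str
    groups: List[str]
    device_compliant: bool
    risk_signals: Dict[str, float]


@dataclass
class Decision:
    allowed: bool
    rule: Optional[str]
    auth_chain: List[str]
    session_hours: int
    risk: int
    reason: str


def _matches(rule: Rule, req: Request) -> bool:
    ip = ipaddress.ip_address(req.source_ip)
    if rule.networks and not any(ip in ipaddress.ip_network(n) for n in rule.networks):
        return False
    if rule.device_types and req.device_type not in rule.device_types:
        return False
    if rule.groups and not set(rule.groups) & set(req.groups):
        return False
    return True


def evaluate(req: Request, rules: List[Rule]) -> Decision:
    """First matching rule wins (rules are ordered). Risk adjusts the outcome: medium or high
    adds the MFA step if the rule lacks it, high shortens the session, critical blocks outright.
    No matching rule means deny (fail closed)."""
    score = risk_score(req.risk_signals)
    level = risk_level(score)
    if level == "critical":
        return Decision(False, None, [], 0, score, "blocked: critical risk score")
    for rule in rules:
        if not _matches(rule, req):
            continue
        if rule.require_compliant_device and not req.device_compliant:
            return Decision(False, rule.name, [], 0, score, "blocked: device not compliant")
        chain = list(rule.auth_chain)
        hours = rule.session_hours
        if level in ("medium", "high") and "VMware Verify" not in chain:
            chain.append("VMware Verify")
        if level == "high":
            hours = min(hours, MAX_HIGH_RISK_SESSION_HOURS)
        return Decision(True, rule.name, chain, hours, score, f"allowed: risk {level}")
    return Decision(False, None, [], 0, score, "blocked: no matching rule (fail closed)")


# Rules modelled on Corporate-Standard-Access: corporate LAN and VPN only, managed and
# compliant devices, password + VMware Verify. Address ranges are assumed.
CORPORATE_RULES = [
    Rule("corporate-network", networks=["10.0.0.0/8"], device_types=["managed"],
         groups=["Corporate-Employees"], require_compliant_device=True,
         auth_chain=["password", "VMware Verify"], session_hours=8),
    Rule("vpn", networks=["172.16.0.0/12"], device_types=["managed"],
         groups=["Corporate-Employees"], require_compliant_device=True,
         auth_chain=["password", "VMware Verify"], session_hours=8),
    # deliberately no catch-all rule: external access without VPN is denied
]
LOW_RISK = {"device": 10, "location": 10, "behavior": 10, "network": 10}     # score 10
HIGH_RISK = {"device": 90, "location": 80, "behavior": 70, "network": 60}    # score 80


def sample_request(source_ip: str, signals: Dict[str, float], compliant: bool = True) -> Request:
    return Request("alice", source_ip, "managed", ["Domain Users", "Corporate-Employees"], compliant, signals)


if __name__ == "__main__":
    for ip, sig in [("10.1.2.3", LOW_RISK), ("10.1.2.3", HIGH_RISK), ("203.0.113.5", LOW_RISK)]:
        print(ip, evaluate(sample_request(ip, sig), CORPORATE_RULES))
```

The absence of a catch-all rule is the point worth copying: a policy set that ends in an implicit allow turns every gap in network or group coverage into unauthenticated access, whereas a fail-closed default only ever produces a help-desk ticket.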

Single Sign-On (SSO) Configuration

SAML Application Integration

Generic SAML Application Setup:

  1. Navigate to Catalog > Web Apps
  2. Click Add Application
  3. Select Manual configuration
  4. Choose SAML 2.0 as the authentication method
  5. Configure the SAML settings:
# SAML application configuration template
Application Name: [Application Name]
Description: [Application Description]
Icon: [Upload application icon]

# SAML Configuration
Configuration Type: Manual
Authentication Type: SAML 2.0

# Service Provider Settings
Single Sign-On URL: [Application SSO URL]
Recipient URL: [Same as SSO URL]
Application ID: [SP entity ID; this is the value the assertion's Audience must carry]
Username Format: Email Address
Username Value: ${user.email}

# Attribute Mapping
firstName: ${user.firstName}
lastName: ${user.lastName}
email: ${user.email}
department: ${user.department}
groups: ${user.groups}

# Advanced Settings
Sign SAML Assertion: Yes
Sign SAML Response: Yes
Signature Algorithm: RSA-SHA256
Digest Algorithm: SHA256
NameID Format: Email Address
Audience Restriction: [Application entity ID]
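The fields above fix what the SP must check in every assertion it receives. As an added example (written for this guide, not any SP library or VMware code), the Python below validates a constructed SAML Response for the conditions a signature check alone does not cover: Destination and Recipient equal to the SSO URL, Audience equal to the Application ID, NotBefore/NotOnOrAfter with a small clock-skew allowance, InResponseTo tied to an outstanding request, a signature reference pointing at this assertion, an email-format NameID, and one-time use of the assertion ID. Cryptographic verification of the XML signature (xmlsec or equivalent) is assumed to run separately; the ACS URL and entity ID are assumed values.

```python
"""SP-side checks on a SAML 2.0 Response that a verified signature does not cover.
Added example with a constructed Response; not the guide's code and not any SP library."""
import datetime as dt
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLOCK_SKEW = dt.timedelta(seconds=120)   # IdP/SP drift tolerance; NTP keeps real drift far below this
ACS_URL = "https://app.example.com/saml/acs"   # assumed SP values for the example
SP_ENTITY_ID = "https://app.example.com"


def parse_time(value: str) -> dt.datetime:
    """SAML timestamps are UTC ISO 8601, optionally with fractional seconds."""
    return dt.datetime.strptime(value.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text: str, acs_url: str, sp_entity_id: str, now: dt.datetime,
                      outstanding_request_ids: Set[str], consumed_assertion_ids: Set[str]) -> Tuple[bool, List[str]]:
    """Return (accepted, problems). XML-DSig verification of the Assertion (xmlsec) is assumed to
    run separately; this checks who the assertion is for, where and when it may be presented,
    and whether it was already used."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        problems.append("Response Destination is not this ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, ["expected exactly one Assertion (wrapped or duplicated assertions are rejected)"]
    assertion = assertions[0]
    assertion_id = assertion.get("ID", "")
    # the signature must reference this Assertion, not some other element in the document
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != f"#{assertion_id}":
        problems.append("Assertion is unsigned or its signature references a different element")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("Conditions element missing")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and parse_time(not_before) > now + CLOCK_SKEW:
            problems.append("Conditions NotBefore is in the future")
        if not not_on_or_after or parse_time(not_on_or_after) <= now - CLOCK_SKEW:
            problems.append("Conditions NotOnOrAfter missing or expired")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("AudienceRestriction does not name this SP")
    in_response_to = ""
    data = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if data is None:
        problems.append("SubjectConfirmationData missing")
    else:
        if data.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient is not this ACS URL")
        expiry = data.get("NotOnOrAfter")
        if not expiry or parse_time(expiry) <= now - CLOCK_SKEW:
            problems.append("SubjectConfirmationData NotOnOrAfter missing or expired")
        in_response_to = data.get("InResponseTo", "")
        if in_response_to and in_response_to not in outstanding_request_ids:
            problems.append("InResponseTo does not match an outstanding AuthnRequest")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in the configured email format")
    if assertion_id in consumed_assertion_ids:
        problems.append("Assertion ID already consumed (replay)")
    if not problems:
        consumed_assertion_ids.add(assertion_id)   # one-time use
        outstanding_request_ids.discard(in_response_to)
    return not problems, problems


def sample_response(acs_url: str, audience: str, issue: str, expiry: str, in_response_to: str = "",
                    assertion_id: str = "_a1", signed: bool = True) -> str:
    """Constructed Response; the Signature element is a structural placeholder, not a real XML-DSig."""
    signature = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo><ds:Reference URI="#{assertion_id}"/>'
                 '</ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>'
                 if signed else "")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
  IssueInstant="{issue}" Destination="{acs_url}" InResponseTo="{in_response_to}">
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{issue}">
    <saml:Issuer>https://workspace-one-access.company.local/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
    {signature}
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@company.local</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs_url}" NotOnOrAfter="{expiry}" InResponseTo="{in_response_to}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{issue}" NotOnOrAfter="{expiry}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Two design choices to be aware of: a Response without InResponseTo is accepted here because Workspace ONE Access commonly starts IdP-initiated SSO from the catalog, so an SP that only ever sends its own AuthnRequests should reject it instead; and the "exactly one Assertion" rule plus the Reference URI check is what keeps a second, unsigned assertion smuggled into the document (signature wrapping) from being the one whose NameID is read.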

Popular SaaS Application Templates:

Application     Template Available   Configuration Complexity   Key Features
Microsoft 365   Yes                  Low                        Automatic provisioning, group sync
Salesforce      Yes                  Medium                     User provisioning, role mapping
ServiceNow      Yes                  Medium                     Group-based access, custom attributes
Slack           Yes                  Low                        Team provisioning, user sync
Zoom            Yes                  Low                        Meeting integration, user provisioning

Application Catalog Management

Catalog Organization:

# Application catalog structure
Catalog Categories:

1. Productivity
   - Microsoft 365
   - Google Workspace
   - Adobe Creative Suite
   - Slack

2. Business Applications
   - Salesforce
   - ServiceNow
   - Workday
   - SAP SuccessFactors

3. Development Tools
   - GitHub
   - Jira
   - Confluence
   - Jenkins

4. Communication
   - Zoom
   - Microsoft Teams
   - Webex
   - Skype for Business

5. Security Tools
   - Splunk
   - CrowdStrike
   - Qualys
   - Rapid7

Monitoring and Troubleshooting

Logging and Monitoring

Log Configuration:

# Logging configuration for Workspace ONE Access
Log Categories:

1. Authentication Logs
   - Successful logins
   - Failed login attempts
   - MFA events
   - Password changes

2. Authorization Logs
   - Application access attempts
   - Policy evaluations
   - Access denials
   - Privilege escalations

3. Administrative Logs
   - Configuration changes
   - User management actions
   - Policy modifications
   - System maintenance

4. System Logs
   - Service status changes
   - Performance metrics
   - Error conditions
   - Security events

# Log Retention
Authentication Logs: 90 days
Authorization Logs: 90 days
Administrative Logs: 1 year
System Logs: 30 days
Audit Logs: 7 years (compliance requirement)
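Collecting the categories above only pays off once something evaluates them. The Python below is an added example written for this guide (the event names and fields are assumptions, not the product's log schema) that runs three detections over constructed authentication events in a sliding ten-minute window: brute force against one account from one source, password spray from one source across many accounts, and MFA push fatigue, where several denied or timed-out pushes precede an approval.

```python
"""Detections over authentication audit events: brute force, password spray, MFA push fatigue.
Added example on constructed events; event names and fields are assumptions, not the product's schema."""
import datetime as dt
from collections import defaultdict
from typing import Dict, List

WINDOW = dt.timedelta(minutes=10)
BRUTE_FORCE_FAILURES = 5     # failures for one user from one source inside the window
SPRAY_DISTINCT_USERS = 5     # distinct users failing from one source inside the window
MFA_FATIGUE_REJECTIONS = 3   # denied or timed-out pushes before an approval becomes suspicious


def _when(ts: str) -> dt.datetime:
    return dt.datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _prune(entries: list, now: dt.datetime) -> None:
    """Drop entries older than the sliding window; entries are tuples whose first item is a time."""
    while entries and entries[0][0] < now - WINDOW:
        entries.pop(0)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return findings in chronological order; each pattern fires once per key."""
    events = sorted(events, key=lambda e: e["timestamp"])
    findings: List[Dict[str, str]] = []
    flagged = set()
    fails_by_user_src = defaultdict(list)   # (user, source) -> [(time,)]
    fails_by_src = defaultdict(list)        # source -> [(time, user)]
    mfa_rejects = defaultdict(list)         # user -> [(time,)]

    def flag(kind: str, key: str, **detail: str) -> None:
        if (kind, key) not in flagged:
            flagged.add((kind, key))
            findings.append({"type": kind, "key": key, **detail})

    for e in events:
        now, user, src, kind = _when(e["timestamp"]), e["user"], e["source_ip"], e["event"]
        if kind == "LOGIN_FAILED":
            per_user = fails_by_user_src[(user, src)]
            per_user.append((now,))
            _prune(per_user, now)
            if len(per_user) >= BRUTE_FORCE_FAILURES:
                flag("brute_force", f"{user}@{src}", user=user, source_ip=src, at=e["timestamp"])
            per_src = fails_by_src[src]
            per_src.append((now, user))
            _prune(per_src, now)
            users = {u for _, u in per_src}
            if len(users) >= SPRAY_DISTINCT_USERS:
                flag("password_spray", src, source_ip=src, users=str(len(users)), at=e["timestamp"])
        elif kind in ("MFA_PUSH_DENIED", "MFA_PUSH_TIMEOUT"):
            rejects = mfa_rejects[user]
            rejects.append((now,))
            _prune(rejects, now)
            if len(rejects) >= MFA_FATIGUE_REJECTIONS:
                flag("mfa_fatigue", user, user=user, at=e["timestamp"])
        elif kind == "MFA_PUSH_APPROVED":
            rejects = mfa_rejects[user]
            _prune(rejects, now)
            if len(rejects) >= MFA_FATIGUE_REJECTIONS:
                # an approval after repeated rejections is the fatigue attack succeeding: treat as compromise
                flag("mfa_fatigue_approved", user, user=user, at=e["timestamp"])
        elif kind == "LOGIN_SUCCESS":
            fails_by_user_src[(user, src)].clear()   # resets the per-user count, not the spray count
    return findings


def _ev(ts: str, event: str, user: str, src: str) -> Dict[str, str]:
    return {"timestamp": ts, "event": event, "user": user, "source_ip": src}


# Constructed sample events (not real log data)
SAMPLE_EVENTS = (
    # brute force: six failures against bob from one host in six minutes
    [_ev(f"2024-03-01T08:0{i}:00Z", "LOGIN_FAILED", "bob", "198.51.100.7") for i in range(6)]
    # password spray: one host, six users, one failure each
    + [_ev(f"2024-03-01T08:1{i}:00Z", "LOGIN_FAILED", f"user{i}", "203.0.113.9") for i in range(6)]
    # MFA fatigue: three rejected pushes, then an approval inside the window
    + [_ev("2024-03-01T09:00:00Z", "MFA_PUSH_DENIED", "alice", "192.0.2.4"),
       _ev("2024-03-01T09:01:00Z", "MFA_PUSH_TIMEOUT", "alice", "192.0.2.4"),
       _ev("2024-03-01T09:02:00Z", "MFA_PUSH_DENIED", "alice", "192.0.2.4"),
       _ev("2024-03-01T09:03:00Z", "MFA_PUSH_APPROVED", "alice", "192.0.2.4")]
    # benign: two typos, then success from the corporate LAN
    + [_ev("2024-03-01T10:00:00Z", "LOGIN_FAILED", "carol", "10.1.2.3"),
       _ev("2024-03-01T10:00:30Z", "LOGIN_FAILED", "carol", "10.1.2.3"),
       _ev("2024-03-01T10:01:00Z", "LOGIN_SUCCESS", "carol", "10.1.2.3")]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The spray detector is keyed on source rather than user because each account sees only one failure, below any lockout threshold; that is precisely why spraying works and why a per-account lockout policy on its own never catches it. The mfa_fatigue_approved finding should page someone: the user has already said yes to a push they did not initiate.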

SIEM Integration:

# PowerShell function to pull authentication audit events from Workspace ONE Access
# and forward them to a SIEM HTTP collector. Two separate credentials are involved:
# an HZN session token for Workspace ONE Access and an API key for the SIEM; the
# original version sent the SIEM key to both systems.
function Send-LogsToSIEM {
    param(
        [string]$WorkspaceOneURL = "https://workspace-one-access.company.local",
        [Parameter(Mandatory)][string]$SessionToken,          # from /SAAS/API/1.0/REST/auth/system/login
        [string]$SIEMEndpoint = "https://siem.company.local:8088",
        [Parameter(Mandatory)][securestring]$SIEMApiKey
    )

    # Query the last hour of authentication events; timestamps in UTC, ISO 8601
    $EndTime   = [DateTime]::UtcNow
    $StartTime = $EndTime.AddHours(-1)
    $LogQuery = @{
        startTime = $StartTime.ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'")
        endTime   = $EndTime.ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'")
        logType   = "authentication"
        format    = "json"
    }
    $WS1Headers  = @{ "Authorization" = "HZN $SessionToken"; "Accept" = "application/json" }
    $SIEMHeaders = @{
        "Authorization" = "Bearer $([System.Net.NetworkCredential]::new('', $SIEMApiKey).Password)"
        "Content-Type"  = "application/json"
    }

    # Audit endpoint and query parameters as assumed by this guide; on a GET, -Body is sent as the query string
    $LogUri = "$WorkspaceOneURL/SAAS/API/1.0/REST/audit/logs"
    $Logs = Invoke-RestMethod -Uri $LogUri -Method Get -Headers $WS1Headers -Body $LogQuery

    foreach ($Log in $Logs.items) {
        $SIEMPayload = @{
            timestamp  = $Log.timestamp
            source     = "WorkspaceONE-Access"
            event_type = $Log.eventType
            user       = $Log.username
            result     = $Log.result
            details    = $Log.details
        }
        try {
            Invoke-RestMethod -Uri $SIEMEndpoint -Method Post -Headers $SIEMHeaders -Body ($SIEMPayload | ConvertTo-Json -Depth 5)
        } catch {
            Write-Error "Failed to send log to SIEM: $($_.Exception.Message)"
        }
    }
}

Performance Monitoring

Key Performance Indicators:

Metric                         Target            Warning Threshold   Critical Threshold
Authentication Response Time   < 2 seconds       > 3 seconds         > 5 seconds
SSO Success Rate               > 99%             < 98%               < 95%
Directory Sync Success         100%              < 100%              Failed sync
System Availability            99.9%             < 99.5%             < 99%
Concurrent Users               Within capacity   > 80% capacity      > 95% capacity

Security Hardening

Security Best Practices

Network Security:

  • SSL/TLS Configuration: Use TLS 1.2 or higher for all communications
  • Certificate Management: Implement proper certificate lifecycle management
  • Network Segmentation: Place Workspace ONE Access in appropriate network segments
  • Firewall Rules: Implement least-privilege firewall rules
  • DDoS Protection: Implement DDoS protection for public-facing endpoints

Application Security:

  • Regular Updates: Keep Workspace ONE Access updated with latest patches
  • Security Scanning: Regular vulnerability assessments and penetration testing
  • Backup and Recovery: Implement comprehensive backup and disaster recovery
  • Monitoring: Continuous security monitoring and alerting
  • Incident Response: Develop and test incident response procedures

Conclusion

Configuring VMware Workspace ONE Access for federated authentication provides organizations with a robust foundation for modern identity and access management. The platform’s comprehensive feature set enables secure, seamless access to enterprise resources while maintaining strong security controls and compliance requirements.

Key benefits of proper Workspace ONE Access configuration include:

  • Enhanced Security: Multi-factor authentication and conditional access policies
  • Improved User Experience: Single sign-on across all enterprise applications
  • Operational Efficiency: Centralized identity management and automated provisioning
  • Compliance Support: Comprehensive audit trails and access controls
  • Scalability: Support for large-scale enterprise deployments

Success with Workspace ONE Access requires careful planning, proper configuration, and ongoing maintenance. Organizations should focus on security best practices, user training, and continuous monitoring to maximize the benefits of their identity and access management investment.

“Workspace ONE Access has transformed our approach to identity and access management, providing the security and user experience our organization needs while reducing administrative overhead and improving compliance posture.” – IT Security Manager

As organizations continue to adopt cloud services and remote work models, robust identity and access management becomes increasingly critical. Workspace ONE Access provides the foundation needed to secure modern enterprise environments while enabling productivity and innovation.
