Introduction
As organizations increasingly adopt cloud-based solutions, integrating identity access management with an existing endpoint management system has become crucial for security and operational efficiency. For organizations with a production Workspace ONE environment already in place, configuring Entra ID (formerly Azure AD) as an Identity Provider (IdP) offers a streamlined approach to user authentication while improving control over access to corporate resources on managed devices. This integration not only strengthens the existing WS1 environment with the additional security of Entra ID authentication but also creates the groundwork for integrating further enhancements, such as Microsoft Autopilot and Zero-Trust capabilities.
Note: If you’re interested in learning more about onboarding Windows devices with Microsoft Autopilot, check out my previous blog here.
This comprehensive, step-by-step guide is intended to cover all aspects of the integration and shift the authentication process of Workspace ONE from using its Active Directory connectors to Entra ID as the IdP and source of authentication. Readers should anticipate a longer read and may want to set aside sufficient time to work through each section. Even if your Workspace ONE environment is a greenfield deployment, this blog can be a valuable reference for gaining a deeper understanding before integration.
Objectives, Architecture Overview, and Prerequisites
The objectives of this blog focus on configuring Entra ID as an Identity Provider (IdP) for a production Workspace ONE environment that includes both Workspace ONE Unified Endpoint Management (WS1 UEM) and Workspace One Access (WS1 Access). This specific licensing edition, previously known as Workspace ONE Advanced, is commonly utilized by organizations aiming to streamline device management and identity integration. For detailed information about the available Workspace ONE licensing editions under Omnissa, please refer to the documentation here.
Note: If an organization has a Workspace ONE license that only includes WS1 UEM, configuring Entra ID as an IdP for WS1 UEM is still supported. However, this configuration will not be covered in this blog.
This blog is tailored for organizations that rely on on-premises Active Directory (AD) for user identity management. Typically, these organizations synchronize user identities from AD to Workspace ONE and Entra ID. In the existing production Workspace ONE setup, the organization has already configured WS1 UEM and WS1 Access to synchronize end-user AD accounts and facilitate authentication for all Workspace ONE actions via the AirWatch Cloud Connector (ACC) and the WS1 Access Connector, respectively. The Microsoft Entra Connector has also been set up to synchronize end-user accounts to the Entra ID tenant.
The goal of configuring Entra ID as the IdP for Workspace ONE is to shift authentication responsibilities from both WS1 connectors to Entra ID. Following this configuration, both WS1 connectors will solely handle the synchronization of user accounts from AD to the WS1 consoles, while Entra ID will manage authentication. End users will authenticate through Entra ID for key actions such as enrolling their devices into WS1 UEM, accessing the WS1 UEM Self-Service Portal (SSP), or using the Intelligent Hub app on managed devices. Entra ID’s conditional access policies will be enforced during these actions to ensure secure authentication.
The following diagram illustrates the result in the authentication flow once Entra ID is configured as the Identity Provider (IdP) for Workspace ONE.
- The user initiates a key action on their device, such as enrolling in WS1 UEM.
- WS1 UEM forwards the authentication request to WS1 Access, which prompts the user to enter their username. After submitting the username, WS1 Access evaluates its authentication policies and determines to defer the authentication request to Entra ID.
- Entra ID displays its login page, prompting the user to enter the Entra ID username. The user completes the authentication process, which includes enforcing the conditional access policies set in Entra ID.
- Upon successful authentication through Entra ID, the device completes its enrollment with WS1 UEM.
This setup also applies to Workspace ONE administrators, who will authenticate with Entra ID to access the WS1 UEM and WS1 Access admin consoles. This ensures consistent security posture across end-user and administrative endpoints.
The following high-level architecture diagram illustrates the interaction between the different Workspace ONE components, with Entra ID integrated as the Identity Provider (IdP) at the infrastructure level. It highlights the two critical authentication flows (shown in orange).
The objective of this blog is to guide administrators in performing the following two SAML federations:
- Configure WS1 Access as the IdP for WS1 UEM: the goal is for WS1 UEM to defer authentication for key actions to WS1 Access.
- Configure Entra ID as the IdP for WS1 Access: Administrators will add Entra ID as a third-party IdP within WS1 Access, then set up and leverage WS1 Access policies (conditional access) to delegate authentication to Entra ID. This configuration will result in WS1 Access acting as an identity broker between WS1 UEM and Entra ID.
To achieve these objectives, the following architectural prerequisites must be in place:
- WS1 UEM and WS1 Access must be bound together. If they are not yet bound, administrators can use this Omnissa KB to bind them.
- The “Source of Authentication for Intelligent Hub” within the WS1 UEM admin console is set to “Workspace ONE Access” as shown below:
- Directory Services of WS1 UEM and WS1 Access are configured to synchronize end users’ AD accounts via LDAP, using the AirWatch Cloud Connector (ACC) and the WS1 Access Connector, respectively.
- WS1 UEM’s authentication processes are managed by the ACC(s) for end users and administrators. During key actions, such as device enrollment into WS1 UEM, end users authenticate with domain credentials. Similarly, WS1 UEM administrators use domain credentials when logging into the WS1 UEM admin console.
- WS1 Access’ authentication processes are managed by the WS1 Access Connector(s) and Policies for end users and administrators. End users authenticate with domain credentials when logging into the User Portal of WS1 Access. Similarly, WS1 Access administrators use domain credentials when logging into the WS1 Access admin console.
- Ensure that “break-glass” admin accounts are available for accessing the WS1 UEM and WS1 Access admin consoles during the integration. These local system accounts do not use AD authentication and are used in case any issues arise with AD authentication during the configuration process.
- The organization has adopted Entra ID as the primary IdP. All end-user accounts have been synchronized from on-premises AD to the Entra ID tenant via Microsoft Entra ID Connect. In addition, core conditional access must be implemented successfully, including Multi-Factor Authentication (MFA).
- User identities and attributes are the same across all environments (Entra ID and Workspace ONE). These environments use the on-premises AD as the source for end-user and administrative accounts.
- Administrative access to the Entra ID admin console using at least the Application Administrator role, and administrative access to all WS1 consoles as an administrator.
Integration Summary
In section 4, we will dive into the specifics of each integration step. But first, let us outline the sequence of integrations and the high-level objectives we will be achieving along the way:
Preparing AD Group(s) Synchronization to Workspace ONE and the Entra ID Tenant.
From an Identity and Access Management perspective, once an application like WS1 is federated with an Identity Provider (IdP) such as Entra ID, it is considered best practice to assign the federated application using group(s) rather than individual user accounts. The group can either be an Entra ID-native group or an Active Directory (AD)-sourced group. Since all components are synchronizing user accounts from AD, we will opt to use AD-sourced groups.
From an endpoint management perspective, WS1 administrators can leverage the same AD-sourced group to synchronize user accounts into the WS1 UEM and WS1 Access consoles. Specifically, for WS1, accounts are segmented into two types: end-user accounts and administrator accounts. The key difference with administrators’ accounts is that admin roles are assigned to them within the WS1 consoles. The configuration for this section will later explain the process of creating the two AD groups below and syncing them in both WS1 admin consoles:
- The “Workspace ONE Users” group will represent end users whose endpoint devices must be managed by the organization.
- The “EUC Administrators” represent accounts with admin access to the WS1 admin consoles.
As a result, the membership of these AD-sourced groups above will be synchronized with both WS1 consoles as well as the Entra ID tenant. Importantly, these two groups will also be assigned to the WS1 Access application via Entra ID once configured as the IdP for WS1 Access. Preparing these two AD groups in advance helps streamline the transition and ensures a smooth production rollout for Entra ID and WS1 administrators.
Configure WS1 Access as the IdP for WS1 UEM.
WS1 UEM is the endpoint management component of the Workspace ONE product suite. There are three important ways to access WS1 UEM when federating WS1 UEM with WS1 Access as an IdP. They are the following:
WS1 UEM – Enrollment
WS1 UEM – Self-Service Portal (SSP)
WS1 UEM – Administrator Console
The “Use SAML for Authentication” configuration under the Directory Services section in the WS1 UEM admin console enables WS1 administrators to integrate WS1 UEM with an IdP like WS1 Access. This process involves exchanging the IdP metadata of WS1 Access with WS1 UEM, followed by uploading the Service Provider (SP) metadata.
The unique advantage of WS1 UEM in terms of application federation lies in its “Enable SAML Authentication For” setting, which allows administrators to specify which WS1 UEM authentication method will require SAML authentication.
By leveraging the “Enable SAML Authentication For” setting, WS1 administrators can initially enforce SAML authentication on a low-impact authentication method, such as the WS1 UEM Self-Service Portal, to validate the SAML authentication flow with WS1 Access as the IdP. This provides a controlled testing environment, ensuring the setup works correctly without disrupting essential authentication processes like device enrollment or admin login for the time being. Once the SAML flow is confirmed to be successful, administrators can progressively extend it to the other WS1 UEM admin and enrollment authentication methods, facilitating a smoother transition to federated SAML authentication.
Configure Entra ID as the IdP for WS1 Access.
One key advantage of using WS1 Access as the IdP for Workspace ONE UEM is that it allows administrators to leverage WS1 Access’ authentication policies for advanced authentication evaluation, such as implementing step-up authentication in Zero Trust frameworks for endpoint management. For more information on these advanced authentication capabilities between WS1 UEM and WS1 Access, click here. While this blog won’t explore step-up authentication, the focus will be on leveraging WS1 Access’ authentication policies to integrate Entra ID as the IdP for Workspace ONE as smoothly as possible.
After integrating Entra ID as a third-party IdP in WS1 Access, the least disruptive approach is to create a WS1 Access authentication rule targeting a single test account for SAML authentication validation. Once the results are satisfactory, administrators can modify the existing WS1 Access authentication rule to include the “Workspace ONE Users” and “EUC Administrators” AD groups for authentication via Entra ID. Ultimately, WS1 administrators will enable Entra ID authentication for all WS1 UEM authentication.
Before proceeding with the configuration outlined in this section, ensure you have an AD account from one of the selected AD groups above for initial testing. Additionally, ensure you can access a “break-glass” admin account for your WS1 Access tenant to bypass Entra ID as the IdP to perform a rollback if needed.
Configuration
As outlined in the Integration Summary section above, the first step is to perform AD Group(s) synchronization to Workspace ONE and Entra ID.
AD Group(s) Synchronization to Workspace ONE and Entra ID.
Synchronize users via AD Groups to WS1 UEM:
- In Active Directory, create a user group. For this example, we create a group called “Workspace ONE Users.” Add all users whose devices are managed by WS1 UEM to this group.
In addition, another user group should be created that represents all the WS1 administrators who need access to the WS1 admin consoles. For this example, we will create a group called “EUC Administrators” and add all users who require admin access to the WS1 UEM console to this group.
- Log into WS1 UEM admin console, go to Accounts > User Groups > List View > Add > Add User Group.
- In the Add User Group screen, under Search Text, type “Workspace ONE Users” > Search > Once WS1 UEM locates the group, choose Custom for User Group Settings and click Enabled for Auto Sync with Directory.
- Save to add the group to WS1 UEM and validate that the number of synced users matches the group’s membership in Active Directory.
- Head to Accounts on the left menu > Administrators > Admin Groups > Add Admin Group > Group > Next.
- In the Add Admin Group screen, under Directory Group Name, type “EUC Administrators”; WS1 UEM performs a dynamic search to locate this group in AD > Choose the “EUC Administrators” group > Click Next to reach the Settings configuration > Turn on Add Group Members Automatically.
- Under Role configuration, type in the top Organization Group of the WS1 UEM tenant’s org structure. Under Role, type and choose the Console Administrator role > Next > Save. This adds the admin group to WS1 UEM; validate that the number of synced users matches the group’s membership in Active Directory.
This configuration allows all the “EUC Administrators” AD group members to sync to the WS1 UEM admin console via group and automatically be entitled to the WS1 UEM’s Console administrator role.
- Next, we will sync the same AD groups into the WS1 Access tenant for identity alignment. WS1 Access can only sync AD groups by using their Distinguished Name. Since we already synced these two groups to WS1 UEM, we have their Distinguished Name to provide to WS1 Access for the synchronization. To acquire their Distinguished Name, follow the instructions below:
- On WS1 UEM admin console > Accounts > User Groups > List View > Click on “Workspace ONE Users” > Capture the Distinguished Name.
- Accounts > Administrators > Admin Groups > Click on “EUC Administrators” > Capture the Distinguished Name under the Distinguished Name field.
Synchronize users via AD Groups to WS1 Access:
- Log into the WS1 Access admin console > Integrations > Directories > Click on the current integrated Active Directory > Sync Settings.
- Select the groups you want to sync, click “+ Add” > the Create Group screen appears > in the Name field, paste the Distinguished Name of the “Workspace ONE Users” group > Add. Repeat the same step for the “EUC Administrators” group.
- Under Select the groups you want to sync, ensure both groups are check-marked.
- Perform the sync by clicking on Sync > Sync with Safeguards.
- Once the sync is completed, ensure an accurate number of users appear in the WS1 Access admin console.
- The “EUC Administrators” group members should have automatic admin role assignments within the WS1 Access tenant. Click on the “EUC Administrators” group, then select Assign Group Role > Checkmark either Super Admin or a customized admin role if desired > Save.
Synchronize users via AD Groups to Entra ID Tenant:
For simplicity, this blog does not include instructions on synchronizing the “Workspace ONE Users” and “EUC Administrators” AD groups with the Entra ID tenant. However, you can synchronize these two groups using the Microsoft Entra Connector. Before proceeding make sure the members of both groups appear correctly in Entra ID as well.
Configure WS1 Access as the IdP for WS1 UEM
Collect the IdP metadata and signing certificate of WS1 Access:
- Log into the WS1 Access admin console > Resources > Settings.
- Click on SAML Metadata > under SAML metadata > Right-click on Identity Provider (IdP) metadata > From the pop-up menu, click on Save link as… > an “idP.xml” file is saved on your computer.
- Under the Signing Certificate section, click on Download > the “signingCertificate.cert” file is saved on your computer.
Enable “Use SAML for Authentication” and enforce only for the WS1 UEM SSP:
- Access the WS1 UEM admin console and ensure you are in the organization group where you configured Active Directory > Groups & Settings > Under System, expand Enterprise Integration > Directory Services > Expand Advanced > click Enabled for Use SAML for Authentication setting.
- For the “Enable SAML Authentication For” setting, checkmark only the Self-Service Portal box. Caution: Do not checkmark the Admin and Enrollment boxes at this point.
- Under the SAML 2.0 section, click on Upload for Import Identity Provider Settings> choose the downloaded IdP.xml file from your computer > Complete the upload.
- Most of the fields under SAML 2.0 are now automatically populated with values retrieved from the uploaded IdP metadata. Ensure the following before saving the configuration:
Request section:
Request Binding Type: POST
Response section:
Response Binding Type: POST
- Under the Certificate section, click on Upload for the Identity Provider Certificate setting > Upload the downloaded “signingCertificate.cer” file from your computer.
Collect the metadata of WS1 UEM as the Service Provider:
- Scroll down and click Export Service Provider Settings to download the WS1 UEM service metadata file to your computer. Once the file is downloaded, click on Save.
- The downloaded file named AirWatchSamlSettings.xml, contains the necessary SAML configuration details. We will use this file to gather the necessary Assertion Consumer Service URLs (ACS URLs) of the various WS1 UEM modules to perform access entitlement configuration within the WS1 Access tenant.
- On your computer, locate and open the AirWatchSamlSettings.xml file using Notepad or Notepad++. From the metadata, collect the four ACS URLs and the Entity ID. In our example, their formats are as follows:
Master ACS URL: https://ds####.awmdm.com/IdentityService/SAML/AssertionService.ashx?binding=HttpPost
WS1 UEM Enrollment ACS URL: https://ds####.awmdm.com/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost
WS1 UEM Self-Service ACS URL: https://ds####.awmdm.com/MyDevice/SAML/AssertionService.ashx?binding=HttpPost
WS1 UEM Administrative Console ACS URL: https://cn####.awmdm.com/AirWatch/SAML/AssertionService.ashx?binding=HttpPost
Entity ID: AirWatch
Note: the “####” placeholder represents the actual number of your WS1 UEM tenant. For example, if your WS1 UEM tenant is cn1111.awmdm.com, the URLs in the metadata file contain “1111” instead of “####”.
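Rather than reading the four ACS URLs and the Entity ID out of AirWatchSamlSettings.xml by hand, the following added example (not part of the original post or of Omnissa’s tooling) pulls them out of the exported service-provider metadata and flags any module that is missing. It assumes the export follows standard SAML 2.0 metadata layout (md:EntityDescriptor / md:SPSSODescriptor / md:AssertionConsumerService); the embedded sample is constructed and the “0000” tenant number is a placeholder.

```python
"""Extract the Entity ID and the WS1 UEM ACS URLs from SP metadata.

Assumption: the exported file uses standard SAML 2.0 metadata elements.
Pass a path to AirWatchSamlSettings.xml as the first argument, or run
without arguments to process the constructed sample below.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Path segment of each ACS URL -> the WS1 UEM module the blog lists it under.
MODULE_BY_PATH = {
    "/IdentityService/": "Master",
    "/DeviceManagement/": "Enrollment",
    "/MyDevice/": "Self-Service",
    "/AirWatch/": "Administrative Console",
}

# Constructed sample in standard SAML 2.0 SP metadata form. The tenant number
# "0000" is a placeholder; a real export carries your own ds####/cn#### hosts.
# The extra HTTP-Redirect endpoint shows that non-POST bindings are ignored.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="AirWatch">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://ds0000.awmdm.com/IdentityService/SAML/AssertionService.ashx?binding=HttpPost"/>
    <md:AssertionConsumerService index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://ds0000.awmdm.com/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost"/>
    <md:AssertionConsumerService index="2"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://ds0000.awmdm.com/MyDevice/SAML/AssertionService.ashx?binding=HttpPost"/>
    <md:AssertionConsumerService index="3"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://cn0000.awmdm.com/AirWatch/SAML/AssertionService.ashx?binding=HttpPost"/>
    <md:AssertionConsumerService index="4"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://ds0000.awmdm.com/IdentityService/SAML/AssertionService.ashx?binding=HttpRedirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (entityID, [(binding, location), ...]) for every ACS element."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    endpoints = [
        (el.get("Binding", ""), el.get("Location", ""))
        for el in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
    ]
    return entity_id, endpoints


def classify_acs(endpoints: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each HTTP-POST ACS URL to its WS1 UEM module.

    Other bindings are skipped because the WS1 UEM SAML settings in this
    setup use POST for both the request and the response binding type.
    """
    by_module: Dict[str, str] = {}
    for binding, location in endpoints:
        if binding != HTTP_POST:
            continue
        for segment, module in MODULE_BY_PATH.items():
            if segment in location:
                by_module.setdefault(module, location)
                break
    return by_module


def collect_saml_settings(xml_text: str) -> Dict[str, object]:
    """One-call summary: entity ID, ACS URL per module, and which of the four
    expected modules is absent (an empty list means the export is complete)."""
    entity_id, endpoints = parse_sp_metadata(xml_text)
    acs = classify_acs(endpoints)
    missing = [m for m in MODULE_BY_PATH.values() if m not in acs]
    return {"entity_id": entity_id, "acs": acs, "missing": missing}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SP_METADATA
    summary = collect_saml_settings(text)
    print("Entity ID:", summary["entity_id"])
    for module, url in summary["acs"].items():
        print(f"{module} ACS URL: {url}")
    if summary["missing"]:
        print("Missing modules:", ", ".join(summary["missing"]))
```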
Pre-configure the WS1 UEM Enrollment and SSP application authentication in WS1 Access:
- Hop back into the WS1 Access admin console > Resources > Web Apps > New.
- The New SaaS Application appears; configure the following:
Definition:
Name: WS1 UEM or provide a friendly name for this app
Configuration:
Authentication Type: SAML 2.0
Configuration: Manual
Single Sign-On URL: copy and paste the Master ACS URL
Recipient URL: copy and paste the Master ACS URL from the AirWatchSamlSettings.xml collected above
Audience ID: {audience}
Username Format: Unspecified
Username Value: ${user.username}
Application Parameters: configure as shown in the screenshot below:
Note:
For the “Value” of AWServername, put “ds” followed by the number of your WS1 UEM tenant.
For the “Value” of ac, put the Group ID of your WS1 UEM tenant which you have your Active Directory-integrated.
For the “Value” of audience, put the Entity ID gathered from the WS1 UEM’s metadata above which is “AirWatch”.
- Scroll down and expand the Advanced Properties setting > Locate the Custom Attribute Mapping field.
- Click on Add Row > input the values as shown in the screenshot below:
- In the Access Policies section > choose the current configured WS1 Access Policy in the environment. In our case, we are leveraging the Default Policy.
- Hit Next to get to the Summary section and review the accuracy of your configuration > Once satisfied, click Save & Assign.
- When the Assign screen appears, input the “Workspace ONE Users” group > Set the Deployment Type: Automatic > Save.
Pre-configure WS1 UEM Admin authentication in WS1 Access:
- Next, we will create another new application in WS1 Access to grant access entitlements to WS1 UEM admin console authentication. This application will be assigned to the “EUC Administrators” group. To proceed, navigate to Resources > Web Apps > New.
- The New SaaS Application appears; configure the following:
Definition:
Name: Workspace ONE UEM – Admin Console or a friendly name of your choice.
Configuration:
Authentication Type: SAML 2.0.
Configuration: Manual.
Single Sign-On URL: copy and paste the WS1 UEM Administrative Console ACS URL from the step above.
Recipient URL: copy and paste the WS1 UEM Administrative Console ACS URL from the step above.
Audience ID: {audience}
Username Format: Unspecified
Username Value: ${user.username}
Application Parameters: configure as shown in the screenshot below:
Note:
For the “Value” of AWServername, put “cn” followed by the number of your WS1 UEM tenant.
For the “Value” of ac, put the Group ID of your WS1 UEM tenant which you have your Active Directory-integrated.
For the “Value” of audience, put the Entity ID gathered from the WS1 UEM’s metadata above which is “AirWatch”.
- Scroll down and expand Advanced Properties > Locate the Custom Attribute Mapping field.
- Click on Add Row > input the values as shown in the screenshot below:
- In the Access Policies section > choose the current configured WS1 Access Policy in the environment. Again, in our case, we are leveraging the Default Policy > Perform the Default Policy assignment for this application as well > Hit Next to get to the Summary section and review the accuracy of your configuration > Once satisfied, click Save & Assign to the “EUC Administrators” group.
Set up WS1 Access Policies for WS1 UEM application authentication:
- With all the assignments for the WS1 UEM application authentication methods completed in WS1 Access, the next step is to configure the WS1 Access Policy to manage the authentication. To do this, navigate to Resources > Policies > click Edit for the Default Policy (or use the policy you assigned to the applications previously).
- The Edit Policy screen appears > Click on the Configuration setting to see all the existing configured authentication rules > Scroll down and click on ADD POLICY RULE.
- Configure the following for a new authentication rule:
If a user’s network range is: All Ranges
And the user accessing content from: All Device Types
And user belongs to group(s): input the “Workspace ONE Users” and the “EUC Administrators” groups and select them.
Then, the user may authenticate using: select Password (cloud deployment)
- Save > Drag the newly created authentication rule to the top of the list for authentication evaluation priority by WS1 Access.
Note: This step’s authentication rule is moved to the top for testing since it will only affect the WS1 UEM SSP. If you have other authentication methods for edge cases, including the “Workspace ONE Users” and the “EUC Administrators” groups, you may need to move the priority down to accommodate the other authentication types. Things like Mobile SSO or local system authentication will still need to be a higher priority since those users should prioritize authentication with those methods over Entra ID.
- Hit Next > Summary > Review the accuracy > Save the configuration.
Initial validation that the WS1 Access Policies are set up correctly:
- On a computer, browse to your WS1 Access tenant > At the log-in page, enter the domain username of an account that belongs to the “Workspace ONE Users” or the “EUC Administrators” AD groups > authenticate using the account’s domain password > If authentication is successful, it confirms WS1 Access’ authentication rules are set up correctly. Otherwise, you can check Audit Events to identify and troubleshoot any authentication failures.
Validation of WS1 Access as an IdP for WS1 UEM’s SSP module:
- Validation: On a computer, browse to your WS1 UEM’s SSP Portal (the URL format is https://cn####.awmdm.com/MyDevice where “####” represents the actual number of your WS1 UEM tenant) > Enter the email address of an AD account that belongs to the “Workspace ONE Users” AD group > hit Next > the page redirects to the WS1 Access tenant for authentication > At the WS1 Access log-in page, enter the AD username > authenticate using the account’s domain password > If authentication is successful, it confirms the WS1 Access Policies are configured correctly as an IdP for WS1 UEM. Otherwise, you can check Audit Events to identify and troubleshoot any authentication failures.
- Roll Back: In the worst-case scenario where more time is needed for troubleshooting, hop back into the WS1 UEM admin console > Directory Services > Advanced > Select “Disabled” for the “Use SAML for Authentication” setting. WS1 UEM then reverts to using the AirWatch Cloud Connectors to authenticate to the Self-Service Portal.
Enforcing WS1 Access as an IdP for WS1 UEM Admin & Enrollment:
- Next, we will configure WS1 Access as an IdP for WS1 UEM administrators by enabling SAML authentication for the WS1 UEM admin authentication method. This configuration will redirect all AD-based WS1 UEM admin accounts to WS1 Access for authentication. If any issues arise, AD-based admin accounts cannot access the WS1 UEM admin console. Therefore, before proceeding, ensure you have access to a “break-glass” local/system admin account for your WS1 UEM tenant, allowing you to bypass WS1 Access as an IdP and to perform a rollback if needed.
- This time, checkmark Admin for the “Enable SAML Authentication For” setting, as shown below.
- Validation: On your computer, browse to your WS1 UEM admin console > At the WS1 UEM log-in page, enter the username in the format of “domain\username” where the domain represents the domain that was configured under the Directory Services of WS1 UEM and the username is the username of an account that belongs to the “EUC Administrators” AD group > Hit Log In and WS1 UEM will redirect to the WS1 Access log page > input in the username > WS1 Access prompts for the domain password > Perform authentication using the domain password > if authentication is successful, the page will redirect back to the WS1 UEM admin console with full access.
- Roll Back: If any failure occurs, log back into the WS1 UEM admin console with the “break-glass” account > Un-check Admin to roll back. By unchecking this authentication method, WS1 UEM reverts to using the AirWatch Cloud Connectors to perform AD authentication for admin access.
- By now, the SSP and Admin modules of WS1 UEM are successfully enforced to use WS1 Access as an IdP. You can now safely checkmark the Enrollment authentication method for the “Enable SAML Authentication For” setting, then repeat the same validation steps above for the WS1 UEM Enrollment authentication method.
Configure Entra ID as the IdP for WS1 Access
Collect the WS1 Access Service Provider metadata:
- Log into the WS1 Access admin console > Web Apps > Settings > SAML Metadata > Download the Service Provider (SP) metadata file by right-clicking and choosing Save link as…
Configure Entra ID as an IdP for WS1 Access Application within Entra ID admin tenant.
- Log into the Entra ID admin tenant with an admin account that can perform application federation > Enterprise Applications.
- Click on New Application > Create your application > Provide a name. In our case, we will call it “Workspace ONE Access” > Create.
- Once the WS1 Access application is created, select “2. Set up Single sign-on” > Choose SAML as the single sign-on method.
- Click on Upload metadata file on the top menu bar > Select the downloaded WS1 Access SP metadata from the above step > Add. You will not need to modify anything at this point > Save.
- Close the SAML configuration page. If prompted to test the SAML, select “I’ll test later.”
- Now, under the Single Sign-on section, click on Edit for the Attribute & Claims section.
- We use the value user.userprincipalname for the Unique User Identifier (Name ID) field.
- Close the User Attributes & Claims screen and click on SAML Single sign-on at the top menu bar > under the SAML Certificate section, click on Download next to Federation Metadata XML to acquire the Entra ID Federation Metadata XML file.
- Click on Users and groups on the left menu bar > Assign the WS1 Access application only to the selected test account for now for the initial testing.
Configure Entra ID as a third-party IdP within the WS1 Access admin console:
- Log into the WS1 Access admin console > Integrations > Identity Providers > Add > Create SAML IDP.
- Provide a name. We called it Entra ID > Under Identity Provider Type, choose Microsoft Entra ID.
- Open the previously downloaded Entra ID Federation metadata in a text editor application such as Notepad or Notepad++, copy and paste it into the SAML Metadata section > Click on the Process IdP Metadata button.
- Under the Name ID format mapping from SAML Response configuration, configure the following:
Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Name ID Value: userPrincipalName
- Click the blue Add button and configure another mapping as below:
Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Name ID Value: userPrincipalName
- Under the Name ID Policy in SAML request, choose urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- Under the Users section, checkmark the current Active Directory integrated with the WS1 Access environment which contains Active Directory user accounts. By doing so, Entra ID as an IdP becomes available for WS1 Access to use for authentication evaluation.
- Under the Network, checkmark All Ranges.
- Under the Authentication Methods section, configure the following:
Authentication Method: provide a name to be used later for the WS1 Access Policy. For example, Entra ID.
SAML Context: choose urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
- Scroll back up to the top of the page > Save.
Configure a new WS1 Access Authentication Rule for initial testing of using Entra ID as an IdP:
- Since the WS1 Access Authentication Rule can only target a group and not a specific account, the first step is to create a WS1 Access local group for initial testing.
- Within the WS1 Access admin console, click on Accounts > User Groups > Add Group > Configure the following:
Group Name: Provide a name. For example: Test Entra ID as an IdP.
Under Group Users, type the AD username of the selected testing account > choose the selected account > Save.
- Click on Resources > Policies > Click on Edit for the Default Policy.
- Click on Configuration > ADD POLICY RULE.
The Add Policy Rule screen appears; configure only the following settings:
And the user belongs to group(s): Type and choose the Test Entra ID as an IdP group created above.
Then the user may authenticate using: Entra ID.
- Save the new WS1 Access authentication rule.
- Drag it onto the top of the authentication rule list for WS1 Access to prioritize the authentication evaluation as the number one rule. This way, Entra ID will be the first in the priority rule, superseding all other authentication, which will allow us to test the Entra ID authentication flow.
- Hit Next > Save the configuration of the Default Policy.
Validate the WS1 Access Policies are set up correctly to defer authentication to Entra ID using the selected test account:
On a computer, browse directly to your WS1 Access tenant > at the log-in page, enter the AD username of the selected test account > WS1 Access redirects the page to the Microsoft Entra ID log-in page for authentication > enter the email address of the selected test account > complete authentication with Entra ID, including MFA > once authenticated, the page redirects back to the WS1 Access portal with a successful login.
This flow verifies that WS1 Access authentication rules are correctly configured. If issues arise, you can review WS1 Access Audit Events to identify and troubleshoot authentication failures. Additionally, the SAML-Tracer app can assist in troubleshooting metadata exchanges between WS1 Access and Entra ID.
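When a login fails at this point, the fastest way to find the cause is to compare what Entra ID actually sent against the three values the WS1 Access configuration above depends on: the NameID format (must be one of the two mapped formats), the NameID value (must be the userPrincipalName of the account WS1 Access is looking up) and the AuthnContextClassRef (PasswordProtectedTransport). The script below is an added example, not part of the original post or of any Omnissa or Microsoft tooling: it decodes a base64 SAMLResponse of the kind copied out of SAML-tracer and reports any mismatch against that mapping. The sample response embedded in it is constructed for the example (the tenant ID in the issuer is a placeholder), and it is unsigned; the script does not verify signatures, so use it only for reading your own captures, and prefer defusedxml over the standard library parser if you ever feed it XML you did not capture yourself.

```python
"""Decode a SAMLResponse captured with SAML-tracer and check it against the
Entra ID -> WS1 Access NameID / AuthnContext mapping configured in this guide."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The two NameID formats mapped in the WS1 Access IdP configuration, and the
# SAML context chosen for the Entra ID authentication method.
MAPPED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
EXPECTED_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response (assumption: unsigned, unencrypted assertion; the
# tenant ID in the Entra ID issuer URL is a placeholder, not a real tenant).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test.user@example.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text: str) -> str:
    """Base64-encode raw XML the way it appears in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


def parse_saml_response(b64_response: str) -> dict:
    """Pull the status, issuer, NameID and AuthnContextClassRef out of a response."""
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # Entra ID can be set to encrypt assertions; those must be decrypted first.
        raise ValueError("no plaintext saml:Assertion found in the response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid_value": (name_id.text or "").strip() if name_id is not None else None,
        "authn_context": (ctx.text or "").strip() if ctx is not None else None,
    }


def check_against_ws1_mapping(parsed: dict, expected_upn: str) -> list:
    """Return human-readable findings; an empty list means the response matches
    the WS1 Access configuration described in this guide."""
    findings = []
    if parsed["status"] != STATUS_SUCCESS:
        findings.append(f"Entra ID returned status {parsed['status']!r}, not Success")
    if parsed["nameid_format"] not in MAPPED_NAMEID_FORMATS:
        findings.append(f"NameID format {parsed['nameid_format']!r} is not mapped in WS1 Access")
    if parsed["nameid_value"] != expected_upn:
        findings.append(f"NameID value {parsed['nameid_value']!r} does not equal the expected UPN {expected_upn!r}")
    if parsed["authn_context"] != EXPECTED_AUTHN_CONTEXT:
        findings.append(f"AuthnContextClassRef {parsed['authn_context']!r} differs from the configured SAML context")
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE_XML with the base64 SAMLResponse copied from SAML-tracer.
    parsed = parse_saml_response(encode_response(SAMPLE_RESPONSE_XML))
    for finding in check_against_ws1_mapping(parsed, "test.user@example.com") or ["response matches the WS1 Access mapping"]:
        print(finding)
```

A NameID value that is not the account's UPN (for example an objectId or a persistent identifier because the Entra ID claim was left at its default) and a status other than Success are the two findings that most often explain a failed redirect back to WS1 Access; the AuthnContextClassRef check catches a mismatch between what Entra ID asserts and the SAML context chosen for the authentication method.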
Initial testing and validation for the full authentication flow involving WS1 UEM, WS1 Access, and Entra ID as an IdP:
Select one of the WS1 UEM authentication types to conduct the test. In our case, we opt for WS1 UEM SSP authentication since this authentication flow only involves the web browser, which is the easiest way to test and troubleshoot if any issues arise.
On a computer, browse to your WS1 UEM SSP Portal URL > at the log-in page, enter the email address of the selected test account > hit Next > the page redirects to the WS1 Access tenant for authentication > at the WS1 Access log-in page, enter the AD username of the selected test account > WS1 Access redirects the page to the Microsoft Entra ID log-in page for authentication > enter the email address of the selected test account > complete authentication with Entra ID, including MFA > once authenticated, the page should redirect back to the WS1 UEM SSP with a successful login.
This flow verifies that Entra ID is correctly configured as an IdP for WS1 during initial testing using the selected test account. You can also conduct further testing with the other WS1 UEM authentication types. Once satisfied, we can enforce Entra ID as an IdP for all WS1 users who are members of the “Workspace ONE Users” and “EUC Administrators” AD groups.
Roll-out: enforcing Entra ID as an IdP for WS1:
- Log into the Entra ID admin tenant > Enterprise Applications > Search and choose the Workspace ONE Access application created above > Users and groups > Remove the selected test account from the assignment and perform the assignment to the “Workspace ONE Users” and the “EUC Administrators” directory-sourced groups instead > Save.
- Log into the WS1 Access admin console > Resources > Policies > Edit the Default Policy (or the policy assigned to the WS1 applications, if not using the default policy) > Locate the existing policy rule targeting the “Workspace ONE Users” and “EUC Administrators” AD groups > change the “Then the user may authenticate using:” setting from Password (Cloud Deployment) to Entra ID in the drop-down, shifting authentication responsibility to Entra ID > Save > Drag this authentication rule to the top of the authentication rule list.
Reminder: Because this rule is now first in priority, Entra ID becomes the default authentication method for these users. If you have other authentication rules for edge cases that also cover the “Workspace ONE Users” and “EUC Administrators” groups, you may need to move this rule lower to accommodate those authentication types. Rules for Mobile SSO or local system authentication, for example, should remain higher in priority, since those users should authenticate with those methods before Entra ID.
- We are not done yet. Let’s perform some minor cleanup within the WS1 Access admin console by deleting all our configurations used for the initial testing. Locate the authentication rule targeting the WS1 Access local group called Test Entra ID as an IdP and delete it from the authentication rule list > Save. Head over to Accounts > User Groups > Locate the Test Entra ID as an IdP local group > Delete.
The configuration of Entra ID as an IdP for WS1 is complete!
Andre Nguyen
Andre is a dedicated professional with expertise in unified endpoint management (UEM), particularly Workspace ONE. Passionate about enhancing workplace productivity and security, he plays a pivotal role in implementing UEM strategies that empower organizations to manage and secure all endpoints seamlessly. His deep understanding of UEM principles and Workspace ONE's advanced features makes him a trusted advisor for businesses seeking to optimize their digital workspaces.