Introduction
This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your VMware Access Manager environment.
- Set up VMware Access Manager to use Beyond Identity as an Identity Provider.
Notes
- VMware Access Manager does not currently support outbound SCIM operations, so test users must be created in both VMware Access Manager and Beyond Identity (see Setting up test users below).
- Integration of the Beyond Identity Admin Console and User Console with VMware Access Manager using OIDC is not supported; use SAML instead. (OIDC support is in progress.)
Prerequisites
Ensure that you have a VMware Access Manager account with admin privileges.
Beyond Identity Configuration
Information to provide to the Beyond Identity Field Team:
- Your Company Name
- Your VMware Access Manager Instance URL, e.g. https://[your-domain].workspaceoneaccess.com
- (Optional) A logo for your corporation. Logo requirements: 300 x 150 pixels or less; file size of 10 KB or less; file types accepted: SVG, PNG, JPG, or GIF
Information you will receive from the Beyond Identity Field Team
- Beyond Identity Org ID (provided by your Beyond Identity SE)
VMware Access Manager Configuration
To configure Beyond Identity as the IdP in VMware Access Manager, follow the steps below. Once these steps are complete, you will be ready to enable Beyond Identity for test users.
Step 1: Create a new user group in VMware
- Go to VMware Access Manager Admin Console.
- Click on Accounts
- Click on User Groups
- Click on Add Group
- Enter Beyond Identity as the group name
- Click Save
Step 2: Set up Beyond Identity as the Identity Provider in VMware
- Start in the Beyond Identity Admin Console.
- Click on Integrations -> SAML -> Add SAML Connection
- Name: Beyond Identity IdP for VMware
- Click on Save Changes
- Copy the IdP Issuer.
- Now go to VMware Access Manager Admin Console.
- Click on Integrations -> Identity Providers -> Add Identity Provider -> Create SAML IDP
- Paste the IdP metadata link into the SAML metadata field.
- Click on Process IdP metadata.
- Network: ALL RANGES
- Authentication Methods: Beyond Identity SAML
- SAML Context: urn:oasis:names:tc:SAML:2.0:ac:classes:X509
- Click on Save.
- Click on Download Service Provider (SP) Metadata.
- Now go back to Beyond Identity Admin Console.
- Edit the SAML integration.
- Click on Upload XML and select the SP metadata file.
- Click Save Changes.
Step 3: Set up the Beyond Identity authentication policy in VMware
- Go to VMware Access Manager Admin Console.
- Click on Resources -> Policies -> Add Policy
- Select only the Beyond Identity group.
- Use Beyond Identity SAML as the authentication option.
- Click Save Changes.
Step 4: Set up the Beyond Identity Admin Console application in VMware
- Start in the Beyond Identity Support Console.
- Click on Admin Console -> Add SAML SSO.
- Note down the SP SSO URL and SP Issuer.
- Now go to VMware Access Manager Admin Console
- Click on Resources / Catalog -> Web Apps -> NEW -> Add Application
- Name: Beyond Identity Admin Console
- Icon: Add Beyond Identity Logo
- Click Next
- Authentication Type: SAML 2.0
- Configuration: Manual
- Single Sign-on URL:
- Recipient URL:
- Application ID:
- Username Format: Email Address
- Username Value: ${user.userName}
- Advanced Properties: Sign Response, Sign Assertion, Include Assertion Signature
- Click Next
- Access Policies: Select Beyond Identity policy
- Click Next
- Click SAVE
- Now go to Web Apps, select the newly created app, and click on Settings.
- Click on SaaS Apps -> SAML Metadata -> Identity Provider Metadata
- Save the metadata file.
- Now go back to the Beyond Identity Support Console.
- Click on Upload XML and upload the metadata file.
- Click on Save Changes.
Step 5: Set up the Beyond Identity User Console application in VMware
- Start in the Beyond Identity Support Console.
- Click on User Console -> Add SAML SSO.
- Note down the SP SSO URL and SP Issuer.
- Now go to VMware Access Manager Admin Console
- Click on Resources / Catalog -> Web Apps -> NEW -> Add Application
- Name: Beyond Identity User Console
- Icon: Add Beyond Identity Logo
- Click Next
- Authentication Type: SAML 2.0
- Configuration: Manual
- Single Sign-on URL:
- Recipient URL:
- Application ID:
- Username Format: Email Address
- Username Value: ${user.userName}
- Advanced Properties: Sign Response, Sign Assertion, Include Assertion Signature
- Click Next
- Access Policies: Select Beyond Identity policy
- Click Next
- Click SAVE
- Now go to Web Apps, select the newly created app, and click on Settings.
- Click on SaaS Apps -> SAML Metadata -> Identity Provider Metadata
- Save the metadata file.
- Now go back to the Beyond Identity Support Console.
- Click on Upload XML and upload the metadata file.
- Click on Save Changes.
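An added example, not from this guide or from Beyond Identity or VMware: it parses a SAML metadata file exchanged in the steps above, either the SP metadata downloaded from VMware in Step 2 or the Identity Provider Metadata saved in Steps 4 and 5, prints the entity ID and endpoints you have to paste, and flags a non-HTTPS endpoint, an SP that does not demand signed assertions, or IdP metadata with no signing certificate. The embedded sample metadata, its hostname and its paths are constructed placeholders.

```python
# Added example (not part of the guide): inspect SP or IdP SAML metadata from the
# Beyond Identity <-> VMware exchange and run a few defender-side sanity checks.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_metadata(xml_text):
    """Return entity ID, endpoints, signing-cert count and warnings for SP or IdP metadata."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "endpoints": [], "warnings": []}
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    role = sp if sp is not None else idp
    if role is None:
        info["warnings"].append("no SPSSODescriptor or IDPSSODescriptor found")
        return info
    info["role"] = "SP" if role is sp else "IdP"
    # SP metadata lists where assertions are delivered; IdP metadata lists where logins start.
    svc = "md:AssertionConsumerService" if role is sp else "md:SingleSignOnService"
    for ep in role.findall(svc, NS):
        loc = ep.get("Location") or ""
        info["endpoints"].append((ep.get("Binding"), loc))
        if not loc.startswith("https://"):
            info["warnings"].append("non-HTTPS endpoint: %s" % loc)
    if role is sp and role.get("WantAssertionsSigned", "false").lower() != "true":
        info["warnings"].append("SP does not demand signed assertions; keep Sign Assertion enabled on the IdP")
    # A signing certificate is what lets the other side verify Sign Response / Sign Assertion.
    signing = [kd for kd in role.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")]
    certs = [c for kd in signing for c in kd.findall(".//ds:X509Certificate", NS) if (c.text or "").strip()]
    info["signing_certs"] = len(certs)
    if role is idp and not certs:
        info["warnings"].append("IdP metadata carries no signing certificate")
    return info

# Constructed sample in the shape of the SP metadata downloaded in Step 2; the
# hostname and paths are placeholders, not real tenant values.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://example-tenant.workspaceoneaccess.com/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example-tenant.workspaceoneaccess.com/SAAS/auth/saml/response" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in inspect_metadata(SAMPLE_SP_METADATA).items():
        print(key, value)
```

Run it against the real file you downloaded (replace SAMPLE_SP_METADATA with the file contents) and compare the printed entity ID and endpoints with what you pasted into the other console.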
Setting up test users
User Enrollment
Until SCIM support is added, a user has to be created in both VMware Access Manager and Beyond Identity to be enrolled in the Beyond Identity experience.
First, go to the VMware Access Manager Access Console and add a new user to the Beyond Identity group.
- Click on Accounts
- Click on Users
- Click on NEW
- Enter required details in the User Profile
- Add the user to the Beyond Identity user group.
- Click Save.
Now, go to the Beyond Identity Admin Console and create a new user.
- Click on Users
- Click on Add User
- Enter External ID, Email, Username and Display Name
- Click Save Changes.
This triggers the enrollment process for the user.
Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider. See image below for reference.
Each enrolled user will be asked to follow the two steps below:
Step 1: Download the Beyond Identity Authenticator to their device.
- When the user clicks "View Download Options", the Beyond Identity Authenticator download page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
- Now that the user has the Authenticator installed on their device, they should proceed to Step 2, as there is not yet a user credential associated with the Authenticator on that device.
Step 2: Register their Credential in the Beyond Identity IdP.
- By clicking Step 2 "Register New Credential", the user's credential is enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 are taken to the Beyond Identity Authenticator, where they see the progress of their credential registration. Once it completes, the user will see the credential in the Authenticator.
- See example image below.
User Authentication (Signing in)
- Each enrolled user can visit their VMware Access Manager instance, or any application supported by your SSO, to sign in to their corporate applications.
User Deprovisioning
- To deprovision a user from the Beyond Identity experience, delete the user from the Beyond Identity Admin Console and then go to the VMware Access Manager Access Console.
- Click on Accounts
- Click on User Groups
- Remove the user from the Beyond Identity group.
- Click Save.