REVIEWER'S GUIDE, NOVEMBER 2017
REVIEWER'S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE
VMware Workspace ONE
Table of Contents
Introduction .... 3
Purpose of This Guide .... 3
Audience .... 3
Before You Begin .... 3
Section A: Mobile Single Sign-On Configuration .... 4
Exercise A1: Configure Mobile Single Sign-On .... 4
Exercise A2: Configure the iOS Device Profile .... 6
Section B: Salesforce Single Sign-On Configuration .... 7
Exercise B1: Export SAML Metadata from VMware AirWatch .... 8
Exercise B2: Import the SAML Metadata File to Salesforce .... 8
Exercise B3: Update the SAML Settings .... 9
Exercise B4: Register Your Domain in Salesforce .... 10
Exercise B5: Update the Federation ID .... 12
Exercise B6: Configure the Salesforce Application for SSO .... 13
Exercise B7: Add User Entitlement .... 14
Exercise B8: Test the Salesforce SSO Configuration in a Web Browser .... 15
Section C: VMware AirWatch Device Profile Assignment .... 16
Exercise C1: Assign a VMware AirWatch Device Profile .... 16
Section D: Enrolling the iOS Device and Logging In .... 18
Exercise D1: Enable Adaptive Management .... 18
Exercise D2: Test Adaptive Management .... 20
Exercise D3: Install AirWatch Agent from the App Store and Enroll Device .... 21
Exercise D4: Test the SSO Configuration of Salesforce on Your Mobile Device .... 24
Exercise D5: Deploy the Workspace ONE Mobile Application .... 25
Summary .... 26
All Guides .... 26
Appendix: Terminology Used in This Guide .... 27
Additional Resources .... 28
About the Authors and Contributors .... 29
REVIEWER'S GUIDE 2
Introduction

Welcome to the Reviewer's Guide for Cloud-Based VMware Workspace ONE: Mobile Single Sign-On. This guide walks you through the process of configuring mobile single sign-on (SSO) on an iOS device in VMware Workspace ONE. These steps include configuring SAML integration between VMware Identity Manager and Salesforce and assigning VMware AirWatch device profiles.

Workspace ONE simplifies access to cloud, mobile, and enterprise applications from supported devices. IT administrators can deploy, manage, and secure applications and, at the same time, offer a flexible, bring-your-own-device (BYOD) option for users.

Purpose of This Guide

The Reviewer's Guide helps you evaluate a cloud-based Workspace ONE deployment. This guide provides exercises to explore and evaluate the mobile SSO feature and how to configure and use it. For an overview of the product and information about other practical exercises, see All Guides.

Important: This guide is for evaluation purposes only. It uses the minimum required resources for a basic deployment and does not explore all possible features. Do not use this evaluation environment as a template for deploying a production environment. To deploy a production environment, see the VMware Workspace ONE Documentation.

Audience

This guide is for prospective IT administrators of Workspace ONE and anyone who uses the product.

Before You Begin

Before you can perform the exercises in this guide, you must have the following components installed and configured, as described in the Reviewer's Guide for Cloud-Based VMware Workspace ONE: VMware Enterprise Systems Connector Installation and Configuration.

- Cloud-based VMware Identity Manager tenant
- Cloud-based VMware AirWatch tenant
- On-premises Active Directory with users available to add to the VMware AirWatch tenant
- Windows Server machine to access Workspace ONE from a web browser
- iOS device of your choice
- Domain administrator added to AirWatch Console

In addition, you need to create a trial Salesforce developer account. To register, you need a valid email address to receive your Salesforce password.
Section A: Mobile Single Sign-On Configuration

Configure mobile SSO using the Getting Started wizard in AirWatch Console. The wizard configures the following.

- AirWatch Certificate Authority: Sets up a connection to the AirWatch Certificate Authority (CA), and allows the CA to issue authentication certificates.
- AirWatch Certificate template: Creates a preconfigured certificate template to issue certificates for mobile SSO.
- VMware Tunnel: Creates a connection with a proxy service within VMware Identity Manager, and authenticates certificates on behalf of the mobile application.
- Authentication methods: Establishes a trust chain between the AirWatch CA and VMware Identity Manager.
- User profiles: Creates an AirWatch configuration profile, which distributes a certificate and configures the device to authenticate with VMware Identity Manager.
- Access policies: Configures access policies in VMware Identity Manager to authenticate using mobile SSO for managed devices. Unmanaged devices require a password to authenticate.

Although we use an iOS device to test the mobile SSO feature, the wizard also configures mobile SSO for Android and Windows 10 devices.

The exercises are sequential and build upon one another, so make sure that you complete each exercise in the order presented.

- Exercise A1: Configure Mobile Single Sign-On
- Exercise A2: Configure the iOS Device Profile

Exercise A1: Configure Mobile Single Sign-On

The wizard guides you through configuring mobile SSO.

1. In AirWatch Console, select Getting Started > Workspace ONE.
2. In the SETUP section, navigate to Mobile Single Sign-On, and click Configure.
3. Click Get Started.
4. Click Continue.
5. Click Start Configuration.
6. When the auto-configure checklist completes, click Finish.
7. Click Close.
Exercise A2: Configure the iOS Device Profile

The mobile SSO feature creates default device profiles. You must update the iOS device profile to include the Salesforce application identifier.

1. Select Devices > Profiles & Resources > Profiles.
2. Select the iOS device profile.
3. Select Single Sign-On.
4. In the Applications section, enter the following identifiers for the apps that can use this login.
   com.apple.mobilesafari
   com.air-watch.appcenter
   com.apple.safariviewcontroller
   com.salesforce.chatter
5. Click Save & Publish.

Now that you have enabled mobile SSO, proceed to the next section to configure SSO for Salesforce.
Section B: Salesforce Single Sign-On Configuration

Security Assertion Markup Language (SAML) is an open standard for SSO across multiple services. Using SAML authentication, a user logs in to an environment only once per web browser session to access all systems. SAML usually defines three components:

- Service provider (SP), such as an application
- Identity provider (IdP) that includes a database of users and authentication methods
- End user who needs to access the application

The following steps provide a high-level overview of how SAML works.

1. A user launches the SAML application, which accesses the SP.
2. The SP sends a request to an IdP for authentication.
3. If the user is not already authenticated, the IdP requests authentication from the user (for example, user name and password).
4. The IdP then sends a response to the SP with a token for that user.

In these exercises, you configure the Salesforce application with the identity provider metadata and integrate VMware Identity Manager to a trial Salesforce account.

The exercises are sequential and build upon one another, so make sure that you complete each exercise in the order presented.

- Exercise B1: Export SAML Metadata from VMware AirWatch
- Exercise B2: Import the SAML Metadata File to Salesforce
- Exercise B3: Update the SAML Settings
- Exercise B4: Register Your Domain in Salesforce
- Exercise B5: Update the Federation ID
- Exercise B6: Configure the Salesforce Application for SSO
- Exercise B7: Add User Entitlement
- Exercise B8: Test the Salesforce SSO Configuration in a Web Browser
Exercise B1: Export SAML Metadata from VMware AirWatch

Export the identity provider SAML metadata from VMware AirWatch. The metadata is used to configure the Salesforce application.

1. In AirWatch Console, select Apps & Books > Applications > Web > SaaS.
2. Click Settings.
3. Right-click Identity Provider (IdP) metadata, and select Save Link As.
4. Save the metadata file.

Exercise B2: Import the SAML Metadata File to Salesforce

Import the metadata file to Salesforce.

1. In a web browser, navigate to https://login.salesforce.com.
2. Enter your Salesforce user name and password, and click Login.
3. In the search panel on the left, enter single to locate SSO settings.
4. Click Single Sign-On Settings.
5. Click Edit.
6. Select SAML Enabled to enable SSO using SAML.
7. Click New from Metadata File.
8. Click Choose File, and select the file saved in the previous exercise.
9. Click Create to populate the SAML SSO settings.

Exercise B3: Update the SAML Settings

Specify how the IdP identifies the Salesforce user, and complete the metadata download.

1. Select Assertion contains the Federation ID from the User object.
2. Click Save.
3. Click Download Metadata.
Exercise B4: Register Your Domain in Salesforce

After you have downloaded the SAML metadata file, you need to register your domain in Salesforce.

1. In the search box on the left, enter my domain and click My Domain.
2. Under Choose Your Domain Name, enter a domain name in the text box.
3. To confirm that your domain name is not being used, click Check Availability.
4. Click Register Domain.

It can take a few minutes for Salesforce to complete the process. When the domain is registered, you receive an email. After you receive the email, you can edit the authentication configuration in My Domain.

5. In the search box on the left, enter my domain and click My Domain.
6. Next to Authentication Configuration, click Edit.
7. To enable the authentication service, select your Identity Manager user name in the Authentication Service section.
8. Click Save.
Exercise B5: Update the Federation ID

The federation ID in Salesforce is a unique user name that can be shared across multiple applications. The federation ID allows administrators to choose a user name format to pass to Salesforce from their user directory for SSO. The user name format is often an attribute, such as the user's email address.

1. In the search box on the left, enter users and click Users.
2. Next to the user name used for the trial account, click Edit.
3. In the Single Sign-On Information section, enter the federation ID as the UPN of the AD user account. For example, user1@kbs.local.
4. Click Save.
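The SAML flow outlined at the start of this section ends with the IdP's response reaching the service provider, which must check the assertion before trusting the Federation ID it carries. The following Python example is added here and is not part of this guide or of VMware or Salesforce code: it runs the checks an SP performs on a constructed response (trusted issuer, audience, validity window) and then matches the NameID against the Federation IDs set to AD UPNs as in this exercise. The IdP URL, SP entity ID and user list are constructed placeholders, and signature verification is not shown.

```python
"""Validate a SAML assertion the way the Salesforce service provider in this
guide consumes it (example code, not VMware or Salesforce code): the issuer
must be the trusted IdP, the audience must be this SP, the current time must
lie inside the Conditions window, and the NameID must match a user's
Federation ID, which Exercise B5 sets to the Active Directory UPN.
Signature verification, which a real SP performs first, is out of scope."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed identifiers; the tenant URL and SP entity ID are placeholders.
IDP_ENTITY_ID = "https://idm-tenant.example.com/SAAS/API/1.0/GET/metadata/idp.xml"
SP_ENTITY_ID = "https://sp.example.com"
# Federation IDs as entered in Salesforce (Exercise B5): the AD UPN of each user.
FEDERATION_IDS = {"user1@kbs.local", "user2@kbs.local"}

# Constructed SAML response, trimmed to the elements the checks below read.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="https://sp.example.com/saml" IssueInstant="2017-11-22T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" IssueInstant="2017-11-22T10:00:00Z" Version="2.0">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user1@kbs.local</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-11-22T09:59:00Z" NotOnOrAfter="2017-11-22T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts):
    """Parse the SAML timestamp format (UTC, 'Z' suffix)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now_utc, expected_audience=SP_ENTITY_ID,
                       trusted_issuer=IDP_ENTITY_ID, federation_ids=FEDERATION_IDS):
    """Return (accepted, reason, federation_id) for the first assertion in the response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response", None
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != trusted_issuer:
        return False, "issuer is not the configured IdP", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "missing validity window", None
    now = _utc(now_utc)
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", None
    audiences = {a.text.strip() for a in
                 cond.iterfind("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if expected_audience not in audiences:
        return False, "assertion is not addressed to this SP", None
    # Exercise B3 told Salesforce the assertion carries the Federation ID, so the
    # NameID must match a known user's UPN exactly; unknown users are rejected.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id not in federation_ids:
        return False, "no user has this Federation ID", name_id
    return True, "accepted", name_id


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_RESPONSE, "2017-11-22T10:01:00Z"))  # accepted
    print(validate_assertion(SAMPLE_RESPONSE, "2017-11-22T10:05:00Z"))  # expired
```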
Exercise B6: Configure the Salesforce Application for SSO

You now add the Salesforce application to the VMware AirWatch catalog and configure the application for SSO. To add a web application to AirWatch Console, you must be logged in as a domain administrator.

1. In AirWatch Console, select Apps & Books > Applications > Web > SaaS.
2. Click New.
3. In the Search text box, enter Salesforce.
4. Select Salesforce from the list. The remaining options are auto-filled.
5. Click Next.
6. Select URL/XML.
7. Open the previously saved metadata file (see Update the SAML Settings) using Notepad.
8. Copy the data, and paste it into the URL/XML text box.
9. Click Next.
10. Click Save.

Exercise B7: Add User Entitlement

You are now ready to entitle users to the Salesforce application.

1. In the VMware Identity Manager administration console, click the Catalog tab.
2. Click the Salesforce icon from the application list.
3. Click Entitlements, and click Add user entitlement.
4. Click browse.
5. Select the VMware Identity administrator user account.
6. Select Automatic from the drop-down menu.
7. Click Save, and click Done to complete the entitlement process.
Exercise B8: Test the Salesforce SSO Configuration in a Web Browser

You can confirm that SSO is correctly configured by logging in to a web browser and accessing the Salesforce application from the VMware Identity Manager portal.

1. On a desktop computer, use a web browser to navigate to the VMware Identity Manager portal.
2. Enter the credentials for a user entitled to the Salesforce application.
3. Start the Salesforce application.

If SSO is configured correctly, the Salesforce application starts without prompting for a user name and password. Proceed to the next section to assign a VMware AirWatch device profile.
Section C: VMware AirWatch Device Profile Assignment

A device profile allows you to manage devices with specific settings and rules. You can enforce corporate rules and procedures when device profiles are combined with compliance policies.

Exercise C1: Assign a VMware AirWatch Device Profile

The mobile SSO setup feature creates a default iOS device profile. After a device profile has been created, you can assign the profile to a smart group.

1. In AirWatch Console, select Devices > Profiles & Resources > Profiles.
2. Click the iOS device profile.
3. On the General tab, click the Assigned Groups text box and select Create Assignment Group.
4. Enter the following information, and then click Save.
   - Name: Enter a name of your choice for the smart group. This exercise uses iOS Smart Group.
   - Platform and Operating System: From the drop-down menus, select the following options: Apple iOS, Greater Than or Equal To, iOS 10.2.0.
5. Click Save & Publish.

You have successfully assigned a VMware AirWatch device profile to the iOS smart group. Proceed to the next section to enroll the iOS device and log in.
Section D: Enrolling the iOS Device and Logging In

After you have assigned a smart group to the device profile, you are ready to log in to Workspace ONE and access applications from the catalog.

You can deploy internal and public applications as either managed or unmanaged when using VMware AirWatch for native application delivery. This adaptive management approach protects data inside applications without requiring devices to be managed. Adaptive management is applied on a per-application basis in AirWatch Console. With an application profile, an administrator can require device management prior to allowing the device to use an application.

These exercises are sequential and build upon one another, so make sure that you complete each exercise in the order presented.

- Exercise D1: Enable Adaptive Management
- Exercise D2: Test Adaptive Management
- Exercise D3: Install AirWatch Agent from the App Store and Enroll Device
- Exercise D4: Test the SSO Configuration of Salesforce on Your Mobile Device
- Exercise D5: Deploy the Workspace ONE Mobile Application

Exercise D1: Enable Adaptive Management

Add the Socialcast by VMware application to the VMware AirWatch catalog, and enable adaptive management.

1. In AirWatch Console, select Apps & Books > Applications > Native > Public.
2. Click Add Application.
3. Provide the following information, and then click Next.
   - Platform: Select Apple iOS.
   - Name: Enter Socialcast.
4. Click Select to select the Socialcast application.
5. Click Save & Assign.
6. Click Add Assignment.
7. Provide the following information.
   - Selected Assignment Groups: Select the iOS smart group that you created in Assign a VMware AirWatch Device Profile.
   - App Delivery Method: Select On Demand.
   - Managed Access: Select Enabled.
8. Click Add.
9. Click Save & Publish, and then click Publish.

Exercise D2: Test Adaptive Management

To test the adaptive management feature, you need an unmanaged iOS device, that is, a device that does not have AirWatch Agent installed.

1. On your iOS device, download the Workspace ONE application from the App Store.
2. Start the Workspace ONE application, and log in using your user name and password.
3. On the Catalog tab, tap the Socialcast application, and tap Install.
4. To acknowledge the message "The use of Socialcast requires activation of Workspace Services to protect company data", tap Proceed.
5. To begin the Workspace Services profile installation, tap Install, and enter your passcode when prompted.
6. To confirm the installation, tap Install.
7. Tap Trust.
8. To access the Workspace ONE portal, tap Open.
9. Next to Socialcast, tap Install.
10. After the Socialcast installation completes, tap the application to launch it.

Exercise D3: Install AirWatch Agent from the App Store and Enroll Device

You enroll your iOS device in VMware AirWatch by installing AirWatch Agent.

Remove the Workspace Services profile you created in the adaptive management exercise.

1. On your iOS device, tap Settings.
2. Select Profiles > Device Management.
3. Tap Workspace Services.
4. Tap Remove Management, and enter your passcode when prompted.

Now install AirWatch Agent, and enroll the iOS device in VMware AirWatch.

1. On your iOS device, in the web browser, navigate to http://awagent.com.
2. Tap Go to Apple AppStore, and tap the cloud icon to install AirWatch Agent.
3. Tap Open to start the agent.
4. Tap Server Details, enter the following information, and then tap Next.
   a. Server: Enter the VMware AirWatch tenant name.
   b. Group ID: Enter your organization group ID.
5. To install the Workspace Services profile, tap Install, and enter your passcode when prompted.
6. To confirm the installation, tap Install.
7. Tap Trust.
8. Tap Done.
9. To verify the device management settings on your iOS device, navigate to Settings > Profiles > Device Management. You can see the installed Workspace Services profile.
10. Log in to the Workspace ONE portal. Logging in invokes Touch ID on the iOS device and automatically authenticates you.
Exercise D4: Test the SSO Configuration of Salesforce on Your Mobile Device

When you install a Workspace Services profile, VMware AirWatch pushes Salesforce to your iOS device. In this exercise, you log in to your enrolled iOS device and start Salesforce. If SSO is configured correctly, the Salesforce application starts without prompting for a user name and password.

1. On your iOS device, tap the Salesforce1 application.
2. Confirm redirection to Workspace ONE.
3. Validate SSO. Authentication completes, and the application starts without requiring a user name and password.

Exercise D5: Deploy the Workspace ONE Mobile Application

In AirWatch Console, assign the Workspace ONE application to the previously created smart group.

1. In AirWatch Console, select Apps & Books > Native > Public > Add Application.
2. Provide the following information, and then click Next.
   - Platform: Select Apple iOS.
   - Name: Enter VMware Workspace ONE.
3. Click Save & Assign.
4. Click Add Assignment.
5. Provide the following information, and then click Add.
   - Selected Assignment Groups: Select the iOS smart group name that you created in Assign a VMware AirWatch Device Profile.
   - App Delivery Method: Select Auto.
   - Application Configuration: Select Enabled.
   - Configuration Key: Enter AppServiceHost.
   - Value Type: Select String.
   - Configuration Value: Enter the VMware Identity Manager tenant URL, for example, https://ksheehan.vmwareidentity.com.
6. Click Save & Publish, and then click Publish.

After you enroll your device, the Workspace ONE application is available for installation in the application catalog.
Summary

This guide is part of the Reviewer's Guide for Cloud-Based VMware Workspace ONE series, which introduces Workspace ONE through practical exercises. The Mobile SSO guide walks you through configuring SAML for an application in VMware Identity Manager and assigning access policies and device profiles. SSO and adaptive management features are also demonstrated.

For information about the other guides in this series, see All Guides. For information about features not covered in this series, see the VMware Workspace ONE Documentation.

All Guides

You can explore many key features and capabilities in the Reviewer's Guide series for cloud-based Workspace ONE:

- Reviewer's Guide for Cloud-Based VMware Workspace ONE: Overview
- Reviewer's Guide for Cloud-Based VMware Workspace ONE: VMware Enterprise Systems Connector Installation and Configuration
- Reviewer's Guide for Cloud-Based VMware Workspace ONE: Mobile SSO

Note: For information about features that are not covered in this series, see VMware Workspace ONE Documentation.
Appendix: Terminology Used in This Guide

The following terms are used in this guide.

- catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
- cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
- identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
- service provider (SP): A host that offers resources, tools, and applications to users and devices.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, you can explore the following resources.

- VMware Workspace ONE Product Page
- VMware Workspace ONE Documentation
- VMware Identity Manager Product Page
- VMware Identity Manager Documentation
- VMware AirWatch Product Page
- VMware AirWatch Documentation
- VMware Workspace ONE free trial
- VMware Workspace ONE Enterprise Edition Reference Architecture
- VMware End-User-Computing Blog
- Workspace ONE Hands-On Lab
About the Authors and Contributors

The Reviewer's Guide for Cloud-Based VMware Workspace ONE was written and updated by:

- Gina Daly, Technical Marketing Manager in End-User-Computing Technical Marketing, VMware
- Kevin Sheehan, Senior Product Manager, Windows 10 Unified Endpoint Management, VMware

Appreciation and acknowledgment for considerable contributions from the following subject matter experts:

- Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
- Justin Sheets, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Contributors to this version include:

- Andrew Hornsby, Product Manager, Mobile Identity, VMware
- Vikas Jain, Director, Product Management, VMware Workspace ONE, VMware
- Ben Siler, Product Marketing Manager, VMware Workspace ONE, VMware

Contributors to the original document include:

- Oliver Forder, Lead End-User-Computing Specialist, EMEA End-User-Computing Practice, VMware
- Neil Tarbit, Director, Systems Engineering, End-User Computing, VMware
- Roger Deane, Senior Manager, End-User-Computing Technical Marketing, VMware
- Hannah Jernigan, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-RG-CLDBASEDWKSPONEMOBISSO-IDM3_0-AW-9_2-USLTR-20171122-WEB 11/17