Workspace ONE: Web Application Integration Using SAML
When we want to integrate a web application with VMware Workspace ONE using SAML 2.0, we need to take care of a number of concerns:
1) How does SAML integration work?
2) Where do authentication and authorization take place?
3) Will my application understand SAML?
4) What data and parameters do I need to configure at each end (Workspace ONE and the application)?
First of all, the most important question is "Does the application support SAML integration?"
Only if the answer is YES can we move ahead. Here is how SAML works:
SAML (Security Assertion Markup Language) is an open standard for exchanging authentication information between a service provider (SP) and an identity provider (IdP). The IdP authenticates the user and passes identity information to the service provider in the form of a digitally signed XML document (the assertion).
In simple words: Workspace ONE and your application exchange metadata, which includes each side's signing certificate, and that is what makes them trust each other. Workspace ONE signs every SAML token with its private key; the application checks the signature against the certificate it received in the Workspace ONE metadata, and only then trusts the agreed parameters inside the token and processes them.
Authentication at the Workspace ONE end: when we try to access the application, Workspace ONE authenticates the user (for Active Directory users this goes through the Workspace ONE connector server).
Authorization at the application end: once authentication is done,
Workspace ONE generates the SAML token, which identifies the application it is meant for and carries attributes about the user. The application uses those attributes to authorise the user when it processes the SAML response coming from Workspace ONE.
How metadata is exchanged/configured between Workspace ONE and the application:
Workspace ONE IdP metadata is available at a fixed URL on every instance.
For example, if my Workspace ONE instance is https://ws1-ui.xtra-virtual.com, the metadata is served from that host.
It contains the information about our IdP (identity provider) that the application needs: the entityID, the single sign-on endpoints and the signing certificate. You share this with your service provider, who configures it at the application end.
Your SP (service provider) will give you the same kind of metadata for the application when you integrate; you configure it at the Workspace ONE end when you add the application.
Metadata can come in three forms:
1) Your service provider can give you a link that serves the metadata (metadata URL)
2) Your service provider can give you a text file containing the metadata (XML configuration)
3) Your service provider can give you the individual values, such as the ACS URL and entityID, to enter by hand (manual configuration)
We don't have to worry about which one we get, as Workspace ONE has an option to accept all three when you add the application. Whatever the form, the certificate and endpoints in that metadata are what establish trust, so take them from the vendor's official documentation or portal, not from an e-mail of unknown origin.
Once metadata is exchanged and configured at both ends, it's time to talk about attributes.
We know that we configure lots of attributes in AD (Active Directory);
for example, AD has attributes for a user such as first name, last name, username and email.
Sometimes the application wants to receive "email" under a different name, for example "emailaddress". In that case you map the attribute under the application configuration in Workspace ONE to the exact name (and, if the vendor specifies one, the NameFormat) that your service provider needs.
Finally, your application end should have your user details (either a manually created user database or a read-only AD connect/sync) so that the user identified in the token can be matched to an account, and you are done!
Yes, you should be able to launch your application successfully now!
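The metadata exchange and the attribute mapping described above, together with the checks the application has to make on the token before trusting its attributes, as an added example in Python. This is not code from the post or from VMware; the host names, entity IDs, endpoints, certificate body, SP-side attribute names and the sample response are all assumed placeholders, and XML signature verification is deliberately left to a real XML-DSig library (it is not implemented here).

```python
# Added example (not from the original post or VMware): the SP-side pieces of the
# flow described above. All hosts, entity IDs, endpoints and the cert body are
# constructed placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed IdP metadata in the shape an IdP publishes for a tenant.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ws1-ui.xtra-virtual.com/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICplaceholderCertBody==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ws1-ui.xtra-virtual.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ws1-ui.xtra-virtual.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_ENTITY_ID = "https://app.example.com/saml/metadata"  # the application's own entityID

# Constructed, unsigned response used only to exercise the checks below.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://ws1-ui.xtra-virtual.com/saml/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://ws1-ui.xtra-virtual.com/saml/idp</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# AD attribute -> name the SP wants in the assertion (the SP-side names are illustrative).
AD_TO_SP = {"givenName": "firstName", "sn": "lastName",
            "sAMAccountName": "username", "mail": "emailaddress"}

def parse_idp_metadata(xml_text):
    """Return entityID, signing certificate(s) and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no use= means signing AND encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # drop PEM line breaks
    sso = {s.get("Binding").rsplit(":", 1)[1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}

def map_attributes(ad_user, mapping=AD_TO_SP):
    """Rename AD attributes to the SP's names; a missing source attribute is an error."""
    missing = [a for a in mapping if a not in ad_user]
    if missing:
        raise KeyError(f"user lacks AD attribute(s): {missing}")
    return {sp_name: ad_user[ad_name] for ad_name, sp_name in mapping.items()}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(response_xml, idp_entity_id, sp_entity_id, now):
    """Check issuer, audience and validity window; return (ok, reason, attributes).
    A real SP verifies the XML signature against the metadata certificate BEFORE these
    checks (needs an XML-DSig library such as xmlsec); this alone is not a trust decision."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response", {}
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text.strip() != idp_entity_id:
            return False, "issuer does not match IdP metadata entityID", {}
    cond = assertion.find("saml:Conditions", NS)
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)] if cond is not None else []
    if sp_entity_id not in audiences:  # token minted for another application, or no audience at all
        return False, "assertion not addressed to this SP", {}
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        return False, "assertion outside its validity window", {}
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", attrs

if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    print(idp["entity_id"], idp["sso"]["HTTP-POST"], len(idp["signing_certs"]))
    print(map_attributes({"givenName": "Jane", "sn": "Doe", "sAMAccountName": "jdoe", "mail": "jdoe@example.com"}))
    print(check_assertion(SAML_RESPONSE, idp["entity_id"], SP_ENTITY_ID, datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)))
```

Run it and it prints the parsed IdP endpoints, the renamed attributes and the result of the checks. The point of check_assertion is the order in which a token is rejected: wrong issuer (not the entityID from the metadata you configured), wrong audience (a token minted for a different application), then a token outside its time window. Only after those pass are the attributes handed to the application for authorisation, and in production none of this is worth anything until the signature has been validated against the certificate taken from the IdP metadata.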