VMware Identity Manager(vIDM 3.3.x) on Azure Active Directory With JIT Provisioning

Article ID: 368196

Products

VMware Aria Suite

Issue/Introduction

This KB describes how to configure single sign-on (SSO) with Microsoft Azure Active Directory (Azure AD) as a third-party identity provider (IdP) for VMware Identity Manager, so that users authenticate seamlessly and are provisioned on first login.

Environment

What is JIT (Just-In-Time) provisioning?

JIT provisioning automates the creation of user accounts in web applications. It uses the SAML (Security Assertion Markup Language) protocol to carry user attributes from the identity provider to the application. On a new user's first login to an application they are authorized for, the identity provider sends the attributes the application needs, and the application creates the account from them.

Resolution

1. Log in to the Azure Portal (https://portal.azure.com), select Azure Active Directory, find ‘Enterprise Applications’ in the list under Manage, and then choose ‘New Application’.

2. Select Enterprise applications

3. Create your Own application

4. Click create

5. Click Single Sign On

6. Select SAML to start configuring app

7. Go to VMware Identity Manager >> Catalog >> Web apps >> Settings >> Click on SP metadata

Make a note of the Entity ID and the Reply URL from the SP metadata:

Identifier = the entityID value from the .xml file
Reply URL = the HTTP-POST Location of the AssertionConsumerService in the .xml file
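Pulling these two values out of the SP metadata by hand is error-prone (the metadata usually lists several AssertionConsumerService bindings, and only the HTTP-POST one is the Reply URL Azure needs). The following Python script is an added example, not code from the KB or from VMware; the metadata it parses is a constructed sample with a placeholder host name, and the element structure follows the SAML 2.0 metadata schema:

```python
# Added example (not from the KB): extract the Identifier (entityID) and the
# Reply URL (HTTP-POST AssertionConsumerService) that step 7 asks you to note.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; vidm.example.test is a placeholder, not a real tenant.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vidm.example.test/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vidm.example.test/SAAS/auth/saml/response"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://vidm.example.test/SAAS/auth/saml/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_values_for_azure(metadata_xml: str) -> dict:
    """Return the Identifier and Reply URL to enter in the Azure SAML configuration."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    # Only the HTTP-POST binding is a valid Reply URL; skip Artifact/Redirect entries.
    post_locations = [
        acs.get("Location")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
        if acs.get("Binding") == POST_BINDING
    ]
    if not post_locations:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    return {"Identifier": entity_id, "Reply URL": post_locations[0]}


if __name__ == "__main__":
    for field, value in sp_values_for_azure(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```

Run it against the sp.xml you downloaded from the Catalog settings page (read the file into `sp_values_for_azure`) and paste the two printed values into the Azure app, which avoids copying the Artifact endpoint by mistake.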

8. In the Azure app, edit the single sign-on (SAML) configuration and enter these values.

9. Edit Attributes and Claims.

A common stumbling block is that Azure pre-populates the claim names with a URL namespace. The claim names must exactly match the vIDM attribute names, including capitalization, or the attributes will not map to the provisioned user. Make sure you remove these pre-populated claim entries and replace them with claims named after the vIDM attributes.
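The mismatch is easy to miss because Azure still issues a perfectly valid assertion; the attributes simply arrive under names vIDM does not recognize. The script below is an added example, not part of the KB, that lints the AttributeStatement of a captured SAML response against the attribute names the SP expects; the expected names (`userName`, `firstName`, `lastName`, `email`) are assumed for illustration and should be replaced with your tenant's attribute list, and the response is a constructed sample showing Azure's default URL-style claim names plus one mis-cased custom claim:

```python
# Added example (not from the KB): flag namespaced, mis-cased or missing claims in a
# SAML response so JIT provisioning does not silently create incomplete users.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed vIDM attribute names; placeholders, check your own tenant's attribute settings.
EXPECTED_ATTRIBUTES = ("userName", "firstName", "lastName", "email")

# Constructed sample response: two of Azure's default URL claim names, one custom claim
# with the wrong capitalization, and one correct claim.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="username">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def attribute_names(response_xml: str) -> list:
    """Names of all attributes in the response's AttributeStatement, in document order."""
    root = ET.fromstring(response_xml)
    return [a.get("Name") for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)]


def lint_claims(response_xml: str, expected=EXPECTED_ATTRIBUTES) -> dict:
    """Compare issued claim names against the expected SP attribute names (case-sensitive)."""
    names = attribute_names(response_xml)
    present = set(names)
    by_lower = {n.lower(): n for n in names}
    findings = {"ok": [], "missing": [], "case_mismatch": [], "namespaced": []}
    for want in expected:
        if want in present:
            findings["ok"].append(want)
        elif want.lower() in by_lower:
            # Same letters, different case: vIDM will not match this attribute.
            findings["case_mismatch"].append((by_lower[want.lower()], want))
        else:
            findings["missing"].append(want)
    # Azure's pre-populated claims carry a URL namespace; these never match a plain name.
    findings["namespaced"] = [n for n in names if n.startswith(("http://", "https://"))]
    return findings


if __name__ == "__main__":
    for category, items in lint_claims(SAMPLE_RESPONSE).items():
        print(f"{category}: {items}")
```

Feed it the decoded SAMLResponse from a browser trace of a failing login: anything reported under `namespaced` or `case_mismatch` is a claim to rename in Azure, and `missing` shows which vIDM attributes will be empty on the JIT-created user.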

10. Download Federation Metadata XML

11. Remember to assign users to the application: go to Users and Groups and assign your users. Any user assigned to this application is provisioned automatically in VMware Identity Manager.

12. Ensure that the email property is populated for every assigned user.

13. Go to VMware Identity Manager and create a third-party IdP.

15. Paste and process the Federation Metadata you downloaded. You can leave the Name ID Format the same as shown below.

16. Enable Just-in-Time user provisioning.

17. Under Authentication Method, fill in the following:

Authentication Methods – Azure-Password (any name)
SAML Context – urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

If the SAML context is anything other than unspecified, you may hit the error "AADSTS75011: Authentication method 'MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password'". Azure AD reports the method the user actually used (for example MFA or passwordless sign-in) and rejects a request that asked specifically for the Password context, so leaving it unspecified accepts whichever method the tenant enforces.

18. Add this Azure AD authentication method to the default access policy and save it.

Select Resources >> Policies >> default_access_policy_set, then click Edit.

20. Once this setup is done, launch your VMware Identity Manager URL in an incognito window; it will redirect you to Azure AD to authenticate.

21. Log in, and in VMware Identity Manager you can see the users being provisioned from Azure AD.

Additional Information

NOTE: Whenever the signing certificate on Azure AD is changed, the IdP metadata must be reprocessed in vIDM; otherwise SAML signature validation will fail because vIDM still trusts the old certificate.
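Because the failure only shows up after the rotation, it helps to compare the signing certificate in freshly downloaded federation metadata with the one vIDM last processed. The script below is an added example, not code from the KB or from VMware: it extracts every signing certificate from IdP metadata, computes a SHA-256 fingerprint over the DER bytes, and reports whether the metadata contains a certificate outside the trusted set. The certificate contents and the tenant ID in the metadata are constructed placeholders, not real X.509 data, since the fingerprint and comparison logic do not depend on the bytes being a genuine certificate:

```python
# Added example (not from the KB): detect an Azure AD signing-certificate rotation by
# fingerprinting the certificates in federation metadata, so vIDM can be told to
# reprocess the IdP metadata before SAML validation starts failing.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for base64 DER certificates (not real X.509).
OLD_CERT_B64 = base64.b64encode(b"placeholder-DER-old-azure-signing-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder-DER-new-azure-signing-cert").decode()


def build_idp_metadata(*signing_certs_b64: str) -> str:
    """Constructed minimal federation metadata in Azure's shape with the given signing certs."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{cert}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for cert in signing_certs_b64
    )
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{keys}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def signing_cert_fingerprints(idp_metadata_xml: str) -> list:
    """SHA-256 fingerprints (hex) of every signing certificate in the IdP metadata."""
    root = ET.fromstring(idp_metadata_xml)
    fingerprints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is usable for signing too, so keep it.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def metadata_needs_reprocessing(idp_metadata_xml: str, trusted_fingerprints) -> bool:
    """True when the metadata lists a signing cert that vIDM has not processed yet."""
    current = set(signing_cert_fingerprints(idp_metadata_xml))
    return not current.issubset(set(trusted_fingerprints))


if __name__ == "__main__":
    # Fingerprints vIDM holds today (from the metadata processed at setup time).
    trusted = signing_cert_fingerprints(build_idp_metadata(OLD_CERT_B64))
    rotated = build_idp_metadata(NEW_CERT_B64)
    print("reprocess IdP metadata in vIDM:", metadata_needs_reprocessing(rotated, trusted))
```

Record the fingerprints at the time you process the metadata in step 15, then run the check against the current Azure federation metadata on a schedule; a `True` result means Azure has published a certificate vIDM does not know, which is exactly the state in which logins start failing signature validation.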