This KB describes how to configure single sign-on (SSO) with Microsoft Azure Active Directory (Azure AD) as a third-party identity provider (IdP), so that users authenticate seamlessly into VMware Identity Manager and are provisioned there just in time.
What is JIT (Just In Time) provisioning?
JIT provisioning automates the creation of user accounts for web applications. It uses the SAML (Security Assertion Markup Language) protocol to carry user data from the identity provider to the web application: on a new user's first login to an application they are authorized for, the identity provider sends the attributes the application needs, and the application creates the account from them.
1. Log in to your Azure Portal https://portal.azure.com, select Azure Active Directory, find 'Enterprise Applications' in the list under Manage, and then click 'New Application'.
2. Select Enterprise applications.
3. Create your own application.
4. Click Create.
5. Click Single sign-on.
6. Select SAML to start configuring the app.
7. Go to VMware Identity Manager >> Catalog >> Web Apps >> Settings >> click SP Metadata.
Make a note of the Entity ID and Reply URL:
Identifier = the entityID value from the .xml file
Reply URL = the Location of the AssertionConsumerService element with the HTTP-POST binding in the .xml file
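The two values in step 7 are easy to mistype when copied by hand. As an added example (not part of this KB and not VMware or Microsoft tooling), the following Python script pulls them out of an SP metadata file and refuses files that are not SP metadata or whose Reply URL is not HTTPS. The metadata document it runs on is a constructed, minimal sample with placeholder hostnames, not real VMware Identity Manager output.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace, shared by SP and IdP metadata documents.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata. Real vIDM metadata is larger (signing
# certificate, NameIDFormat, SingleLogoutService, ...); URLs are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idm.example.com/sp/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idm.example.com/sp/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idm.example.com/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_azure_values(metadata_xml: str) -> dict:
    """Return the Azure 'Identifier' and 'Reply URL' for an SP metadata document.

    Identifier = entityID attribute of the EntityDescriptor
    Reply URL  = Location of the AssertionConsumerService with the HTTP-POST binding
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document root is not a SAML EntityDescriptor")

    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")

    # IdP metadata also carries an entityID, so insist on the SP role element
    # to avoid pasting the wrong file's values into Azure.
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    post_locations = [
        acs.get("Location")
        for acs in sp.findall("md:AssertionConsumerService", NS)
        if acs.get("Binding") == POST_BINDING
    ]
    if len(post_locations) != 1:
        raise ValueError(f"expected exactly one HTTP-POST ACS, found {len(post_locations)}")
    reply_url = post_locations[0]
    if not reply_url.startswith("https://"):
        # A non-TLS ACS would carry assertions in clear text; refuse it.
        raise ValueError(f"Reply URL is not https: {reply_url}")

    return {"Identifier": entity_id, "Reply URL": reply_url}


if __name__ == "__main__":
    for name, value in extract_azure_values(SAMPLE_SP_METADATA).items():
        print(f"{name}: {value}")
```

Run it against the SP metadata you downloaded in step 7 by replacing SAMPLE_SP_METADATA with the file's contents; the Identifier and Reply URL it prints go into the Basic SAML Configuration of the Azure app.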
8. In the Azure app, edit the SSO configuration.
9. Edit Attributes & Claims.
A common stumbling block here is that Azure automatically prefixes each claim name with a namespace URL. The claim names must match the Access attribute names exactly, including capitalization, so make sure you remove these pre-populated claim entries.
10. Download the Federation Metadata XML.
11. Remember to assign users to your application. Navigate to Users and groups and assign the application to your users. Any user assigned to this application will be provisioned automatically in VMware Identity Manager.
12. Ensure that the email property is populated for every assigned user.
13. Go to VMware Identity Manager and create a third-party IdP.
14. Paste and process your metadata (the Federation Metadata XML downloaded from Azure). You can leave the Name ID Format as shown below.
15. Enable Just-in-Time user provisioning.
16. Under Authentication Methods, fill in the information below.
Authentication Methods – Azure-Password (any name)
SAML Context – urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
If the SAML Context is not set to unspecified, you might hit the error "AADSTS75011: Authentication method 'MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password'".
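To see why the unspecified context avoids that error, it helps to look at the AuthnContextClassRef the IdP actually puts in the assertion and compare it with the context the SP asked for. The Python below is an added illustration, not VMware or Microsoft code: it extracts the asserted class from a SAML Response and models the IdP-side check behind AADSTS75011 as an exact match unless the request was for unspecified. The response document is a constructed, trimmed sample (no Signature, Subject or Conditions), and its AuthnContextClassRef value is made up for the example; what Azure AD emits depends on how the user signed in.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed, heavily trimmed SAML Response. The AuthnContextClassRef value
# is invented for the example (a standard class, but not what any real IdP
# was observed to return).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def asserted_context(response_xml: str) -> str:
    """Return the AuthnContextClassRef the IdP placed in the assertion."""
    root = ET.fromstring(response_xml)
    ref = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
    )
    if ref is None or not (ref.text or "").strip():
        raise ValueError("assertion carries no AuthnContextClassRef")
    return ref.text.strip()


def context_acceptable(configured_context: str, asserted: str) -> bool:
    """Model of the check behind AADSTS75011: a request for 'unspecified'
    accepts whatever method the user actually used; any other requested
    class has to match the asserted class exactly."""
    if configured_context == UNSPECIFIED:
        return True
    return configured_context == asserted


def explain(configured_context: str, response_xml: str) -> str:
    """One-line verdict for a configured SAML Context against a response."""
    asserted = asserted_context(response_xml)
    if context_acceptable(configured_context, asserted):
        return f"OK: requested {configured_context!r}, IdP asserted {asserted!r}"
    return (
        f"MISMATCH (AADSTS75011-style): requested {configured_context!r} "
        f"but the user authenticated with {asserted!r}"
    )


if __name__ == "__main__":
    print(explain(PASSWORD, SAMPLE_RESPONSE))
    print(explain(UNSPECIFIED, SAMPLE_RESPONSE))
```

With a response captured from a browser SAML tracer pasted in place of SAMPLE_RESPONSE, the first call shows what a Password-only SAML Context would have rejected, and the second shows the unspecified context accepting the same assertion.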
17. Now add this Azure AD authentication method to the default policy and save it.
Select Resources >> Policies >> default_access_policy_set, then click Edit.
18. Once this setup is done, launch your VMware Identity Manager URL in an incognito window; it will redirect you to Azure AD.
19. Log in to VMware Identity Manager and you can see the users being provisioned from Azure AD into VMware Identity Manager.
NOTE: Whenever the signing certificate on Azure AD is changed, the IdP metadata must be re-processed in vIDM, or SAML validation will fail.
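The note above describes a failure that is silent until users are locked out: vIDM validates assertion signatures against the certificates it took from the IdP metadata, so a certificate rotated on the Azure side is unknown to it until the metadata is re-processed. As an added example (not VMware or Microsoft code), the Python below compares the SHA-256 fingerprints of the signing certificates in a stored copy of the IdP metadata with those in a freshly fetched copy and reports when re-processing is needed. It assumes the standard SAML metadata layout for signing keys (md:KeyDescriptor / ds:KeyInfo / ds:X509Data / ds:X509Certificate); the metadata documents and the certificate blobs inside them are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bytes. They are NOT certificates;
# a fingerprint here is just SHA-256 over whatever sits in <ds:X509Certificate>.
OLD_CERT = base64.b64encode(b"constructed-old-signing-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-new-signing-cert").decode()


def make_idp_metadata(*cert_blobs: str) -> str:
    """Build a minimal, constructed IdP metadata document with one signing
    KeyDescriptor per blob, using the element layout federation metadata
    uses for its signing keys. The entityID is a placeholder."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{blob}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for blob in cert_blobs
    )
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://idp.example.invalid/tenant-placeholder/">'
        f"<md:IDPSSODescriptor>{keys}</md:IDPSSODescriptor>"
        "</md:EntityDescriptor>"
    )


STORED_METADATA = make_idp_metadata(OLD_CERT)  # the copy vIDM processed earlier
LIVE_METADATA = make_idp_metadata(NEW_CERT)    # what the IdP serves after rotation


def signing_cert_fingerprints(metadata_xml: str) -> set:
    """SHA-256 fingerprints of every signing certificate in the metadata.
    A KeyDescriptor with no 'use' attribute is valid for signing as well as
    encryption, so it is included; use="encryption" keys are skipped."""
    root = ET.fromstring(metadata_xml)
    fingerprints = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata often wraps the base64 across lines; strip all whitespace.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def metadata_needs_reprocessing(stored_xml: str, live_xml: str) -> bool:
    """True when the IdP advertises a signing certificate the stored copy does
    not know: assertions signed with it would fail validation in vIDM."""
    live = signing_cert_fingerprints(live_xml)
    if not live:
        raise ValueError("live metadata advertises no signing certificate")
    return not live.issubset(signing_cert_fingerprints(stored_xml))


if __name__ == "__main__":
    if metadata_needs_reprocessing(STORED_METADATA, LIVE_METADATA):
        print("signing certificate changed: re-process the IdP metadata in vIDM")
    else:
        print("stored IdP metadata still covers every advertised signing certificate")
```

In practice the stored copy is the Federation Metadata XML you processed in vIDM and the live copy is the same document downloaded again from Azure; running the comparison on a schedule turns the note above into an alert that fires before the first failed login.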