Week 3 - VMware Digital Workspace Newsletter

   Weekly highlight:    VMware Workspace ONE ITSM Connector  is now a ServiceNow certified app:   The Workspace ONE ITSM Connector supports common Workspace ONE UEM commands, such as change passcode, device lock, device and enterprise wipe, log requests, messages, soft reset, device sync, and more. Integration with Workspace ONE Assist enables help desks to quickly launch remote support sessions and view or control employee devices, directly from ServiceNow.   https://store.servicenow.com/sn_appstore_store.do#!/store/application/b110a7a11b12b41092ce8514604bcb28/1.0.2?referer=%2Fstore%2Fsearch%3Flistingtype%3Dallintegrations%25253Bancillary_app%25253Bcertified_apps%25253Bcontent%25253Bindustry_solution%25253Boem%25253Butility%25253Btemplate%26q%3DVMware&sl=sh   Release Notes Initial release  Integration with Workspace ONE UEM via REST api Guided setup for HTTP connection Configurable device managment actions  Role based access for actions Seamless integration with standard Incident

Single Sign On to Office 365 with a Third Party Identity Provider (Workspace ONE)

 Federate Office 365 to a Third Party Identity Provider (Workspace ONE Access)

To use Single Sign On with Office 365, you will need to federate your Office 365 domain to a Third Party Identity Provider. In this case I will use VMware Workspace ONE Access. 

In the following video you can see the seamless user experience when the federation is configured:

- Powershell on Windows is required

First the necessary modules needs to be installed with the following command:

Install-Module -Name MSOnline

After the MS Online module is installed, you should be able to connect to MS Online with the following: (login with your tenant administrator in the popup)


After logging in, you can get the current domains listed with the following command:


This is what i see and you can see that none of my domains are federated at this point:

To federate your Office 365 domain, you will need to use the following command and fill in your domain and urls in the highlighted areas:

To get the correct Signing Certificate format, navigate to your Workspace ONE Access tenant and go to: Catalog - Settings - SAML Metadata:


In this screen you will find the Signing Certificate in the correct text format (without spaces etc.) 

Set-MsolDomainAuthentication –DomainName example.nl –IssuerUri example.workspaceoneaccess.com  –Authentication Federated -FederationBrandName "Zevenster" -PassiveLogOnUri https://example.workspaceoneaccess.com:443/SAAS/API/1.0/POST/sso -ActiveLogOnUri https://example.workspaceoneaccess.com/SAAS/auth/wsfed/active/logon -LogOffUri https://login.microsoftonline.com/logout.srf -MetadataExchangeUri https://example.workspaceoneaccess.com/SAAS/auth/wsfed/services/mex -SigningCertificate MIIFMTCCAxmgAwIBAgIHA4vUSKCpIjANBgkqhkiG9w0BAQsFADBQMSAwHgYDVQQDDBdWTXdhcmUgSAwfJeeRNT+Yu7g5RUhtT9DM1WDzOIGAG7Y9LrC7xPHLDpn7VJBcFTjHJ5dZ7g/T73173RwtBXzBC+z85t14DJ9l2gy8mRNPT86YsNu1i1FPc1d+kV0/abEDrFqCGjeNnMV6m/tnXNNKT9qzX+4Gb1iiqXEaIBZ+CIATOSVLfUtssF51+57iGPog6vMVjA7RNmqtvvHACmxA==

After you have successfully entered the command, the domain should be federated. You can verify again with:


Add Office 365 application to Workspace ONE Access:

Last step is to add the Office 365 application to Workpace ONE Access:

Before adding the Office365 application, you will need to make sure that the objectGUID attribute is synced from your Active Directory.

Go to the Admin console in Workspace ONE Access and Identity & Acces Management. Click on Setup on the right and go to User Attributes
In this screen you can scroll all the way down and add a custom attribute: 

Type in 'objectGUID' and hit Save

When syncing the Directory make sure the objectGUID attribute is mapped in the Directory Settings. In Identity & Acces Management click on Manage, go to you directory and click on Sync Settings. 

In the Sync Settings click on Mapped Attributes and make sure objectGUID is mapped to the right value:

Hit Save and Sync your directory.

To add the Office365 application in Workspace ONE Access, navigate to Catalog and choose New:

In this screen you can search in the templates to add an application, search for 'Office365' and choose the Office365 with provisioning:

(Provisioning will allow the users to be provisioned from Access to Office365. We are not using that in this configuration, so you can change the name to 'Office365' and leave provisoning)

In the WSFed configuration, scroll down and fill in the values for Application Parameters:

  • Office 365 Domain = your domain like example.nl
  • Office 365 Issuer = your  Access URL like example.workspaceoneaccess.com

After that click on Advanced Properties and make sure that the ImmutableID is mapped to ${user.objectGUID}:

Click on Next and Next again to assign the application to your users. (All Users is the default group for all the users)

After that hit Save and the applications should be available to your (test)users.


Popular posts from this blog

Workspace ONE | Use ADFS as an Identity Provider in Workspace ONE Access with JIT

Configure Shared iPad for Apple Business Manager in Workspace ONE

VMworld Security Recap 2020