VMware Workspace ONE is one of the market's most advanced portals. I'm working on some large implementations and thought it might be handy to post the things I ran into.
VMware offers a good overview of how to integrate several services with Workspace ONE. Find the link to the page right here – Reference guide – Integration. In this blog I will show the integration with Amazon Web Services.
Integrate with Amazon Web Services
I was working with the Amazon integration reference found on that site. While going through the document I noticed that the procedure has changed, so let's go over setting up the integration of Amazon Web Services with VMware Workspace ONE. The result is that you can single sign-on to the Amazon Web Services console with an external user database (VMware Workspace ONE / Identity Manager) acting as the identity provider.
There are a few steps to follow to set up single sign-on to Amazon Web Services from Workspace ONE / Identity Manager. Let me first show you a high-level overview.
- Provide the metadata XML from VMware Workspace ONE to Amazon Web Services
- Create an identity provider in Amazon Web Services
- Create a role in Amazon Web Services
- Note your account number
- Set up the Amazon Web Services application in VMware Workspace ONE
- Fill in the dots
- Set up access rights and we're off
Metadata (Workspace ONE)
The first step is to get the metadata you need to configure the identity provider at Amazon Web Services. Log on to the Workspace ONE console and go to Catalog and Settings (seeing now that my language was set to Dutch, well, you will learn a bit of Dutch today).
Most details are already filled in, but there are some things we need to set up to make sure both systems trust each other. If the app is not in the catalog yet, getting it there may be a little journey as well.
On that screen you will see SAML-metadata in the menu; if you are not there yet, click on it. On the right side you will see a link for Metadata for identity providers. Click the link and the XML opens in the browser.
Right-click in the screen and save the file as idp.xml. Keep this file somewhere safe as you will need it soon; it holds the Workspace ONE entity ID, the single sign-on endpoint and the public signing certificate that AWS will use to verify the SAML assertions, so make sure the copy you upload is the one you downloaded. That is all we need to do at the Workspace ONE console for now. Keep it open as we will return soon for more.
The next step is to configure the identity provider in Amazon Web Services. With this step you allow an external identity provider to be used to access Amazon services. Open the AWS console, browse to IAM (Identity and Access Management) and select Identity providers.
The first step is to add a provider, so click on “Add provider” and select SAML. The screen then opens up a bit more.
Click Choose file to upload the metadata XML file you just saved from Workspace ONE. Once that is done, click Next and the identity provider is ready from the Amazon side.
When you open the provider again later you can replace the metadata file. You will need that if your Workspace ONE environment changes, for example when its SAML signing certificate is rotated, because AWS keeps the certificate it took from the metadata and rejects assertions signed with a different one. One thing to remember, and this is very important: note the name of the provider exactly as you wrote it. The name becomes part of an ARN, so CaPiTaLIzAtIon matters.
Now that the provider is set up we can create a role. We need a role because the role defines what the external users are allowed to do over here. In the same IAM menu you see Roles as well. Click on Roles and then Create role. The first question is what kind of role you want to create; there are several, and the one we want is SAML 2.0 federation.
Once you pick SAML you are asked which provider it should use. This is important as that is where your external users come from; selecting the wrong one could allow the wrong users access. The VMware documents show a different setup here, their document is from 2016 when this was different. I select allow programmatic and AWS Management Console access.
Click Next to select the permissions for the role you are creating. Again something very different from what VMware is writing: the old WebSSO permission is gone.
I selected AdministratorAccess here as the WebSSO permission is gone. I want to give access to the administration console so this one will do. You can of course select exactly what you are looking for and edit it later if you need more. Keep in mind that every Workspace ONE user you entitle to the app lands in this role, so outside a lab attach a policy scoped to what those users actually need rather than full administrator rights. With that we come to the last part of the role. Again not documented like this in the documents, they start with this step.
So give the role a name and again mind the CaPs. If you are an enterprise, give it a nice description and you are done. We need to do one more thing in this console: we need our account number before we head back to Workspace ONE.
The account number is found in the Support Center. Click on Support in the top right corner and go to Support Center. At the top of the screen you will see the account number, like you see here below (it is also shown in the account menu under your account name in the top right). I did a little edit to hide most of it…
And with that we are done in this console, back to Workspace ONE.
Configuration Workspace ONE Amazon Web Services
Head back to the catalog and dive into the Amazon Web Services app you added to the catalog. Click on Configuration and scroll all the way down to Parameters. Here you fill in the details you just gathered and created at the other console: the account number, the provider name and the role name. Mind the CaPs, as it will not work if you do not write them exactly as they are in IAM; these names end up in the role and provider ARNs that the SAML assertion carries, and AWS compares them as exact strings. Once you have filled in the details click Save, and if you have assigned users things will work instantly.
So if we now log on to the portal we see this. First we log on with a demo user who is not in Amazon. In Amazon there is nothing, as I used my free one-year subscription for this, so it is as empty as can be.
Once logged on we see all the apps that are provisioned in the catalog and available for me to use. There is my Amazon Web Services website, which I can open right now.
It brings me to the console, and as you can see on the right side the user is coming from Workspace ONE. It's a breeze.
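To see what the IAM console wired together in the role and what Workspace ONE has to send once the parameters are filled in, here is an added Python example of my own; it is not code from the post, VMware or AWS. The account number, provider name and role name are placeholders. It builds the trust policy the IAM console writes for a SAML 2.0 federation role, the value of the https://aws.amazon.com/SAML/Attributes/Role attribute the assertion must carry, and a check that explains why AWS would reject a value, including the case mismatch the post warns about.

```python
"""What the AWS side of a SAML role agrees on, and what the IdP must send.

Added example, not code from the post, VMware or AWS. Account number, provider
name and role name are placeholders.
"""
import json
import re

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"       # SAML:aud AWS checks
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

ACCOUNT_ID = "123456789012"        # placeholder 12-digit account number
PROVIDER_NAME = "WorkspaceONE"     # exactly as typed under IAM > Identity providers
ROLE_NAME = "WorkspaceONE-Admin"   # exactly as typed under IAM > Roles


def provider_arn(account_id, provider_name):
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def saml_trust_policy(account_id, provider_name):
    """Trust policy the IAM console writes for a 'SAML 2.0 federation' role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def role_attribute_value(account_id, role_name, provider_name):
    """Value the IdP puts in the Role attribute: 'role-arn,provider-arn'."""
    return f"{role_arn(account_id, role_name)},{provider_arn(account_id, provider_name)}"


# IAM names may also contain commas, but a comma inside a name would clash
# with the attribute's own delimiter, so such names are not handled here.
_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=.@-]+)$")


def check_assertion_role(value, trust_policy, expected_role_arn):
    """Explain why AWS would reject a Role attribute value; [] means it will pass.

    AWS matches both ARNs as exact strings, so a name that differs only in
    case from what was typed in IAM fails: the 'mind the CaPs' rule.
    """
    parts = value.split(",")
    if len(parts) != 2:
        return ["Role attribute must be 'role-arn,provider-arn'"]
    role, prov = parts
    problems = []
    for arn, kind in ((role, "role"), (prov, "saml-provider")):
        m = _ARN_RE.match(arn)
        if not m or m.group(2) != kind:
            problems.append(f"malformed {kind} ARN: {arn}")
    trusted = trust_policy["Statement"][0]["Principal"]["Federated"]
    if prov != trusted:
        hint = " (differs only in case)" if prov.lower() == trusted.lower() else ""
        problems.append(f"provider {prov} is not the trusted principal {trusted}{hint}")
    if role != expected_role_arn:
        hint = " (differs only in case)" if role.lower() == expected_role_arn.lower() else ""
        problems.append(f"role {role} is not {expected_role_arn}{hint}")
    return problems


if __name__ == "__main__":
    policy = saml_trust_policy(ACCOUNT_ID, PROVIDER_NAME)
    print(json.dumps(policy, indent=2))
    print(ROLE_ATTR, "=", role_attribute_value(ACCOUNT_ID, ROLE_NAME, PROVIDER_NAME))
    print(SESSION_ATTR, "= the user's name or email, used as the STS session name")
    # A provider name typed in the wrong case on the Workspace ONE side:
    wrong = role_attribute_value(ACCOUNT_ID, ROLE_NAME, "workspaceone")
    print(check_assertion_role(wrong, policy, role_arn(ACCOUNT_ID, ROLE_NAME)))
```

If sign-on fails after saving the parameters, compare the trust policy shown on the role in IAM with the assertion Workspace ONE sends (a browser SAML tracer shows it); the check above reproduces the two comparisons AWS makes, the provider ARN against the trusted principal and the role ARN against an existing role.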
Hope this will help some of you, more to come when we progress in the project…
Have a good weekend.