dewyser.net

solutions, scripting and more

Tag: workspace one

Linking ws1 access using SAML, just-in-time provisioning and a custom object for remote access level – part 2 of 2 — 21st Jul 2023

Linking ws1 access using SAML, just-in-time provisioning and a custom object for remote access level – part 2 of 2

/Stefaan/Leave a comment

Now that we are done on our side, the customer side is next. First step is to create a custom attribute that we used in our tenant to hold the static text. Goto settings > user attributes, add a row to the custom attributes and name it ExternalLevel.

Now allow just-in-time user provisioning by creating a new identity provider. Name the IdP and past in SAML metadata URL. Next Process IdP metadata.

Enable just-in-time provisioning and name your new directory.

Next, create two groups and assign the correct roles based on the ExternalLevel attribute.

The final step, often forgotten, is to allow authentication using the new IdP in the necessary policy rules.

Linking ws1 access using SAML, just-in-time provisioning and a custom object for remote access level – part 1 of 2 —

Linking ws1 access using SAML, just-in-time provisioning and a custom object for remote access level – part 1 of 2

/Stefaan/Leave a comment

I recently had a project where I had to link our ws1 access tenant to multiple customer tenants. In its own not noteworthy and easily done with SAML. However, I wanted to set the access level in the customer tenant based on attributes in our own ws1 access tenant. So user 1, Debby would be a console administrator while user 2, Nancy would only have readonly access.

Let’s create a new web application and in the configuration step expand the advanced properties.

Go to custom attribute mapping and add the attributes that you want to pass along to the customer ws1 access. Two things worth mentioning here:

  1. Use a objectGUID as a external Id, this allows for user updates
  2. The ExternalLevel with a static value (full or readonly). This will be used to put the user in the correct group in the customer ws1 access tenant

Now save this web application, make a copy and there change the static text to readonly. Next assign both web applications to the correct user(s) and or groups and you are done with part one.

Workspace One – Zero day onboarding using the magic link (Part 4) — 19th Jan 2023

Workspace One – Zero day onboarding using the magic link (Part 4)

/Stefaan/Leave a comment

The following Powershell returns a magic link that a new hire can use once, to connect to the Self Service Portal allowing him to change his password and enrol devices.

## Setting up some parameters ##

$AccessURL = '<access url>' ## Workspace ONE Access URL 
$ClientId = 'powershell' ## Client ID from Part 1
$ClientSecret = '<Shared Secret>' ## Shared Secret from Part 1

$text = "${ClientId}:${ClientSecret}" ## Combine the Client ID and the Client Secret

$base64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($text))

$headers = @{
    "Authorization"="Basic $base64";
    "Content-Type"="application/x-www-form-urlencoded";
}

## Connecting to the API ##
$results = Invoke-WebRequest -Uri "https://$AccessURL/SAAS/auth/oauthtoken?grant_type=client_credentials" -Method POST -Headers $headers

$accessToken = ($results.Content | ConvertFrom-Json).access_token
$authHeader = @{"Authorization"="Bearer $accessToken";}

$global:workspaceOneAccessConnection = new-object PSObject -Property @{
        'Server' = "https://$AccessURL"
        'headers' = $authHeader
 } 

$global:workspaceOneAccessConnection    

## Creating Magic Token ##

## Setting Magic Token Headers ##
$MLheaders = @{
    "Accept"="application/vnd.vmware.horizon.manager.tokenauth.link.response+json";
    "Content-Type"="application/vnd.vmware.horizon.manager.tokenauth.generation.request+json"
    "Authorization"=$global:workspaceOneAccessConnection.headers.Authorization;
}

## Setting Magic Token Body ##
$MLjson = @{
    domain = "<domain>"
    userName = "<user e-mail>"
}

$MLbody = $MLjson | ConvertTo-Json

## Connecting to the API to get the Magic Link ##
$loginlink = Invoke-RestMethod -Uri "https://$AccessURL/SAAS/jersey/manager/api/token/auth/state" -Method POST -Headers $MLheaders -Body $MLbody

## Output the URL for the user ##
$loginlink.loginlink

The Magic token can only be used once but sometimes you need to remove the current token during tests.

Invoke-RestMethod -Uri "https://$AccessURL/SAAS/jersey/manager/api/token/auth/state/" -Method Delete -Headers $MLheaders
Workspace One – Zero day onboarding using the magic link (Part 3) — 12th Jan 2023
Workspace One – Zero day onboarding using the magic link (Part 2) — 9th Jan 2023

Workspace One – Zero day onboarding using the magic link (Part 2)

/Stefaan/Leave a comment

Part 2: Setting up the HUB SERVICES New Hire Welcome

In Workspace ONE Access go to Integrations > Magic Link. Enable the feature select the Pre-hire AD-Group and set the interval that the link will be active.

Next head over to Integrations > HUB Configuration and select “LAUNCH”.

Configure the New Hire Welcome page to your needs. You should see the AD-Group here you selected in step 1.

In the next part of the series we will create an access policy that allows authentication using the magic link.