VMware Workspace ONE Access – Pass on Username from Office 365
This blog post describes the required steps for configuring the option to pass on the username from Office 365 (Azure AD) to Workspace ONE Access. In this scenario, Office 365 (Azure AD) has been federated to Workspace ONE Access, using the instructions from this article.
Introduction
I have been using the option to federate Office 365 to Workspace ONE Access for a while now, and it works perfectly. One thing kept bothering me a little, though: in various situations the user has to enter the username twice.
For example, for enrollment I use the Azure AD integration available in Workspace ONE UEM. During enrollment I enter my Office 365 (Azure AD) username and get redirected to Workspace ONE Access, which asks me to authenticate.
There I have to enter my username again. That is something the user should not be bothered with a second time.
But there is a solution. 🙂
Solution
Workspace ONE Access has a tenant setting, shouldEnforceStrictHints, that makes Access accept the username passed on by Office 365 (Azure AD) instead of prompting for it again. The setting is not exposed in the admin console; it is enabled through the REST API, which the PowerShell script below does in three steps: prompt for the tenant host name and an Access admin account, log in to obtain a session token, and PUT the tenant config value. The login call requires the password in clear text in the JSON body, so the script decrypts the SecureString only for that call and clears the credential variables as soon as the session token has been issued. The HZN session token is a bearer credential for that admin account, so run the script from a trusted admin workstation and do not log or store the token.
```powershell
#--- part 1, get info ---
$accesshost = Read-Host "Access Tenant Host Name (i.e. td-zzz-zzz.vidmpreview.com)"
$userName   = Read-Host "User Name"
$password   = Read-Host "Password" -AsSecureString

# The login API needs the password in the JSON body, so the SecureString has to be
# decrypted here. Free the unmanaged BSTR copy immediately after converting it.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
try {
    $usp = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

#--- part 2, get token ---
$header = @{
    "Accept"       = "application/json"
    "Content-Type" = "application/json"
}
$body = @{
    "username"   = $userName
    "password"   = $usp
    "issueToken" = "true"
}
$result = ""
try {
    $result = Invoke-RestMethod -Uri "https://$accesshost/SAAS/API/1.0/REST/auth/system/login" `
        -Method Post -Headers $header -Body ($body | ConvertTo-Json) -UseBasicParsing
} catch {
    # $_ is the caught error record; $error would expand to the whole error history
    Write-Error "`n$($_.Exception.Message)`n"
    break
}
$token = $result.sessionToken

# Drop the credential material as soon as the session token has been issued
$userName = ""
$password = ""
$usp = ""

#--- part 3, configure setting ---
$header = @{
    "Authorization" = "HZN $token"
    "Content-Type"  = "application/vnd.vmware.horizon.manager.launcher.tenant.config+json"
    "Accept"        = "application/vnd.vmware.horizon.manager.launcher.tenant.config+json"
}
$body = @{
    "name"  = "shouldEnforceStrictHints"
    "value" = "true"
}
$result = ""
try {
    $result = Invoke-RestMethod -Uri "https://$accesshost/launch/configs/config/tenant/shouldEnforceStrictHints" `
        -Method Put -Headers $header -Body ($body | ConvertTo-Json) -UseBasicParsing
} catch {
    Write-Error "`n$($_.Exception.Message)`n"
    break
}
$result
```
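The script prints whatever the PUT returns, but it does not confirm that the tenant actually stores the new value. The following read-back check is an added example and not part of the original post or of VMware's own tooling. It assumes that the same /launch/configs/config/tenant/<name> endpoint answers a GET with the media type used for the PUT (an assumption, not something the post confirms), and it reuses the $accesshost and $token variables from the script above.

```powershell
# Added example, not from the original post. Assumes the tenant config endpoint
# answers GET with the same media type that the PUT in the script above uses.

function Get-WS1TenantLaunchConfig {
    param(
        [Parameter(Mandatory)] [string] $AccessHost,
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Name
    )
    $mediaType = "application/vnd.vmware.horizon.manager.launcher.tenant.config+json"
    $header = @{
        "Authorization" = "HZN $Token"
        "Accept"        = $mediaType
    }
    # Assumption: GET is supported on this endpoint (the post only shows PUT)
    Invoke-RestMethod -Uri "https://$AccessHost/launch/configs/config/tenant/$Name" `
        -Method Get -Headers $header -UseBasicParsing
}

function Test-WS1TenantLaunchConfig {
    param(
        [Parameter(Mandatory)] [string] $AccessHost,
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Expected
    )
    $cfg = Get-WS1TenantLaunchConfig -AccessHost $AccessHost -Token $Token -Name $Name
    # Compare as strings: the script above writes the value as the string "true",
    # so a boolean comparison would mask a wrong or missing value.
    if ("$($cfg.value)" -ne $Expected) {
        throw "Tenant config '$Name' is '$($cfg.value)', expected '$Expected'"
    }
    Write-Host "Tenant config '$Name' = '$($cfg.value)' (as expected)"
    return $true
}

# Usage, directly after the PUT in the script above:
Test-WS1TenantLaunchConfig -AccessHost $accesshost -Token $token `
    -Name "shouldEnforceStrictHints" -Expected "true"
```

Throwing rather than printing a warning matters when this runs as part of an automated tenant build: a failed read-back should stop the pipeline instead of leaving users with the double username prompt.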
After executing this script, you will see that the value for shouldEnforceStrictHints has been changed to true.
After this change the username no longer has to be re-entered: it is passed on from Office 365 (Azure AD) to Workspace ONE Access and accepted there.
I hope this has been informative. If you have any questions or comments, please reach out on Twitter or LinkedIn.