Use case description
Introduction
A few weeks back, I was contacted by one of our customers that manages a healthy number of Android devices using Check-In / Check-out. They asked if I could have a look at the user experience, and more specifically try to reduce the number of authentications the users have to execute after checking out a device at the start of their day.
This customer has integrated all of their SaaS apps with PingFederate for SSO, but they didn’t make use of Workspace ONE Access and its mobile SSO capabilities. I knew an integration between Ping and Workspace ONE Access is possible, so I had the idea of quickly building the integration in my home lab and doing a demo for them on how they could streamline the log on process on their UEM-managed devices.
This quick demo turned out to be a bit more challenging than I anticipated. Most of that is due to my lack of knowledge of the PingFederate platform. So, for anyone with that same brilliant idea: I decided to document this whole process in a detailed way so that if I ever have to do this again, I can follow my own blog and save myself a huge amount of time. This tutorial was written for people like me who are completely new to PingFederate.
Most of the Workspace ONE documentation on PingFederate I could find starts with the assumption that you already have an existing PingFederate setup integrated with certain SaaS apps. In this tutorial I’ll include that configuration as well, so if you need to start from scratch, you can simply follow along and save yourself a lot of time. If you already have a working PingFederate environment, simply start at the last chapter!
Given the sheer length of the entire configuration process, I’ve made this a blog series rather than just one single post:
- Part 3: ServiceNow integration with PingFederate
- Part 4: Office 365 integration with PingFederate
- Part 5: PingFederate integration with Workspace ONE Access
The use case
As mentioned earlier, the customer I’m working with manages a large fleet of Android devices with Workspace ONE UEM, using Launcher and Check-in / check-out (CICO). For those that don’t know CICO, you can find more information here: https://techzone.omnissa.com/resource/empower-frontline-workers-solution-manage#cico-check-incheck-out.
In the CICO use case, when a user stops using a device and checks it in, all their authentication tokens (and other data) are wiped from the device. The next day, when they check out a device again, they have to authenticate to all their apps once more, which is far from a good user experience and simply costs time and money. The main goal is to simplify the logon process that follows such a check-out of a device.
This customer is not managing their other devices with Workspace ONE (yet 😉 ), so we don’t want to modify the logon experience for those platforms if possible. The second goal is therefore to adjust the authentication flows only for Android devices, so that they perform mobile SSO authentication to Workspace ONE Access. Other platforms, and Android devices NOT managed by Workspace ONE, should (and will) still authenticate to PingFederate as they do today.
The setup
If you’re trying to set this up as well, here’s a list of ingredients we’ll be using throughout this blog series:
- Workspace ONE UEM and Access
- Domain + DNS (this is the only item that will cost you a couple of dollars)
- Connector server
- PingFederate server
- AD server
- ServiceNow developer tenant
- Office 365 trial tenant
Assumptions
Although I aim to be very thorough and start from basically nothing, this blog series assumes you already have Workspace ONE UEM and Access integrated with Active Directory and know how that integration is done.
I also assume you know how to configure Android management with Workspace ONE UEM and know how Mobile SSO authentication in Workspace ONE Access works.
You’ll need a public domain name, the ability to create public DNS records for it, and the knowledge to obtain a public SSL certificate, for example using CertifyTheWeb.
Lastly, you’ll need the means to spin up some servers for Active Directory, different AD connectors and a server running the PingFederate platform.
User Experience
After completing all the steps outlined in this tutorial, you should get the following logon experiences:
Non-Android devices:
Unmanaged Android devices:
Managed Android device (in this video with CICO and launcher enabled):
Resources
YouTube video on the integration of PingFederate with Workspace ONE Access: VMware Workspace ONE Access: Integration with PingFederate – Feature Walk-through. That tutorial got pulled from YouTube while I was writing this one. Thank god I started before that, or I would never have got this working.
PingFederate integration with Active Directory: How to integrate PingFederate with Active Directory for Authentication and Attribute lookup
Workspace ONE trial: https://techzone.omnissa.com/resource/evaluation-guide-setting-workspace-one-cloud#acquiring-a-cloud-based-workspace-one-environment
PingFederate trial: https://www.pingidentity.com/en/try-ping.html
ServiceNow developer tenant: https://developer.servicenow.com/dev.do#!/home
Office 365 trial tenant: https://www.microsoft.com/en-us/microsoft-365/try
Conclusion
That’s all for now. See you in the next chapter, PingFederate setup!