Versions Compared

Old Version 4

changes.mady.by.user Ylva Andersson

Saved on

compared with

New Version 5

changes.mady.by.user Ylva Andersson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This article describes how to set up a Workspace One connector between the VMWare Workspace One ecosystem and Identity Manager Operator. Workspace One is a Mobile Device Management (MDM) solution. The connector forwards notifications from the Workspace One application and exports certificates to the VMWare Escrow Gateway.

Info
title<SMARTIDHOME>

In this article, <SMARTIDHOME> refers to /home/nexus, but this can be different depending on the setup.


Expand
titlePrerequisites
  • The Smart ID version must include SCIM export (applicable for versions from 22.04.x and later).

Step-by-step

...

instruction

Expand
titleSubscribe to Workspace One admin events
  1. Read the official documentation
  2. Target URL: Enter /api/events.
  3. Username and Password: This part is optional. The credentials can be verified by Identity Manager Operator if the idm-operator.test-connection.enabled flag is defined as true in the config/idm-operator.yaml file. 
  4. Format: Make sure to select JSON.
  5. Select the events you want to subscribe to.
Warning
titleSecurity

The endpoint /api/events on the Workspace One connector must be secured from the outside when mutual TLS is configured between the connector and Identity Manager Operator.


...

Expand
titleEvent Routing configuration

The Workspace One connector is a Spring Boot application that uses the .yaml format within its configuration files.

The "idm-operator.payload.routing" section defines how to route an event from the Workspace One to the Identity Manager Operator API endpoint URL. This URL consists of parameters that need to be adapted according to your configuration (for example, the process definition key, task ID, tenant ID, etc.)

Configure the routing in the config/idm-operator.yaml file.


Expand
titleExport certificates to the VMWare Escrow Gateway

The actual export and provisioning of certificates to the VMWare Escrow Gateway is configured via SCIM export in Smart ID Identity Manager. The SCIM export definition will be used to send the certificates to the Workspace One connector, which will forward them to the Escrow Gateway.

  1. Configure the "escrow-gateway" section in config/escrow-gateway.yamlin the Workspace One connector.

  2. Log in to Identity Manager Admin and open Export Definitions. You can create a new pre-defined export definition for Workspace One if it is not configured already. For more information, see Set up data export to external data source from Identity Manager.
  3. Make sure that the SCIM export definition includes these properties:
    • the Connection string must end with "/api/scim/v2"
    • the Resource must be "/Certificates"
  4. Configure the Certificates section to set up the mutual TLS between the connector and Identity Manager Operator.

  5. Set upthe field mappings of the SCIM export, see this example:

    Internal fieldExternal field
    ${deviceUuid}device_uuid
    ${userUuid}user_uuid
    ${signingCertData}smime_certificates.signing[0].pkcs12
    ${signingCertPassword}smime_certificates.signing[0].password
    ${encryptionCertData}smime_certificates.encryption[0].pkcs12
    ${encryptionCertPassword}smime_certificates.encryption[0].password

This is an example of the result after field mapping:

Code Block
languagejs
titleJSON example
{
  "device_uuid": "cbe7ecc8-45c5-4156-b212-c563209c2839",
  "user_uuid": "3780e878-6955-4d2b-af96-c60837d7cb77",
  "smime_certificates": {
    "signing": [
      {
        "pkcs12": "p12 encoded in base64",
        "password": "w9TDX3WE"
      }
    ],
    "encryption": [
      {
        "pkcs12": "p12 encoded in base64",
        "password": "79iUnpCK"
      }
    ],
    "archived": [
      {
        "pkcs12": "p12 encoded in base64",
        "password": "kwGcDX0K"
      }
    ]
  }
}

...

Expand
titleSet up Workspace One

Docker

  1. Open the environment file <SMARTIDHOME>/compose/smartid.env for editing. 

  2. Set the properties for the following three variables to fit your deployment:

    Code Block
    PRIME_CONNECTORS_VERSION=2303.0.0
# -- Workspace One connector properties
WORKSPACE_ONE_CONNECTOR_PORT=7076
WORKSPACE_ONE_CONNECTOR_CERT_RESOLVER=le
WORKSPACE_ONE_CONNECTOR_PREFIX=workspace-one-connector


  3. Update the docker/compose/identitymanager/workspace-one-connector/docker-compose.yml

Tomcat (stand-alone)

  1. Adapt the config files in the WEB-INF/classes/config folder.