This article describes how to set up a Workspace One connector between the VMWare Workspace One ecosystem and Identity Manager Operator. Workspace One is a Mobile Device Management (MDM) solution. The connector forwards notifications from the Workspace One application and exports certificates to the VMWare Escrow Gateway.
<SMARTIDHOME>
In this article, <SMARTIDHOME> refers to /home/nexus, but this can be different depending on the setup.
Prerequisites
- The Smart ID version must include SCIM export (applicable for versions from 22.04.x and later).
Step-by-step instruction
Subscribe to Workspace One admin events
- Read the official documentation.
- Target URL: Enter /api/events.
- Username and Password: This part is optional. The credentials can be verified by Identity Manager Operator if the idm-operator.test-connection.enabled flag is defined as true in the config/idm-operator.yaml file.
- Format: Make sure to select JSON.
- Select the events you want to subscribe to.
Security
The endpoint /api/events on the Workspace One connector must be secured from the outside when mutual TLS is configured between the connector and Identity Manager Operator.
Event Routing configuration
The Workspace One connector is a Spring Boot application that uses the .yaml format within its configuration files.
The "idm-operator.payload.routing" section defines how an event from Workspace One is routed to the Identity Manager Operator API endpoint URL. This URL contains parameters that must be adapted to your configuration (for example, the process definition key, task ID, tenant ID, etc.).
Configure the routing in the config/idm-operator.yaml file.
Export certificates to the VMWare Escrow Gateway
The actual export and provisioning of certificates to the VMWare Escrow Gateway is configured via SCIM export in Smart ID Identity Manager. The SCIM export definition will be used to send the certificates to the Workspace One connector, which will forward them to the Escrow Gateway.
Configure the "escrow-gateway" section in config/escrow-gateway.yaml in the Workspace One connector.
- Log in to Identity Manager Admin and open Export Definitions. You can create a new pre-defined export definition for Workspace One if it is not configured already. For more information, see Set up data export to external data source from Identity Manager.
- Make sure that the SCIM export definition includes these properties:
- the Connection string must end with "/api/scim/v2"
- the Resource must be "/Certificates"
- Configure the Certificates section to set up mutual TLS between the connector and Identity Manager Operator.
Set up the field mappings of the SCIM export.
Example:
| Internal field | External field |
|---|---|
| ${deviceUuid} | device_uuid |
| ${userUuid} | user_uuid |
| ${signingCertData} | smime_certificates.signing[0].pkcs12 |
| ${signingCertPassword} | smime_certificates.signing[0].password |
| ${encryptionCertData} | smime_certificates.encryption[0].pkcs12 |
| ${encryptionCertPassword} | smime_certificates.encryption[0].password |
This is an example of the result after field mapping:
```json
{
  "device_uuid": "cbe7ecc8-45c5-4156-b212-c563209c2839",
  "user_uuid": "3780e878-6955-4d2b-af96-c60837d7cb77",
  "smime_certificates": {
    "signing": [
      { "pkcs12": "p12 encoded in base64", "password": "w9TDX3WE" }
    ],
    "encryption": [
      { "pkcs12": "p12 encoded in base64", "password": "79iUnpCK" }
    ],
    "archived": [
      { "pkcs12": "p12 encoded in base64", "password": "kwGcDX0K" }
    ]
  }
}
```
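The external field names above follow one convention: dots descend into nested JSON objects and `[n]` selects an element of a JSON array. The following Python is an added illustration of that convention, not code from Smart ID or the Workspace One connector; it builds the SCIM payload from one exported record using the mapping table from this article, and the sample record (with its placeholder certificate strings and passwords) is constructed.

```python
import re
# Field-mapping table from the article's example: internal placeholder ->
# external dotted path, where [n] selects an element of a JSON array.
FIELD_MAPPINGS = {
    "${deviceUuid}": "device_uuid",
    "${userUuid}": "user_uuid",
    "${signingCertData}": "smime_certificates.signing[0].pkcs12",
    "${signingCertPassword}": "smime_certificates.signing[0].password",
    "${encryptionCertData}": "smime_certificates.encryption[0].pkcs12",
    "${encryptionCertPassword}": "smime_certificates.encryption[0].password",
}

def _set_path(node: dict, path: str, value) -> None:
    """Assign value at a path like a.b[0].c, creating objects and arrays."""
    segments = path.split(".")
    for i, seg in enumerate(segments):
        m = re.fullmatch(r"(\w+)(?:\[(\d+)\])?", seg)
        if m is None:
            raise ValueError(f"unsupported path segment: {seg!r}")
        key, index = m.group(1), m.group(2)
        last = i == len(segments) - 1
        if index is None:  # plain object member
            if last:
                node[key] = value
            else:
                node = node.setdefault(key, {})
        else:  # array element: pad the array up to the requested index
            arr = node.setdefault(key, [])
            arr.extend({} for _ in range(int(index) + 1 - len(arr)))
            if last:
                arr[int(index)] = value
            else:
                node = arr[int(index)]

def build_scim_payload(record: dict, mappings: dict = FIELD_MAPPINGS) -> dict:
    """Apply the mappings to one exported record; ${name} reads record[name]."""
    payload: dict = {}
    for internal, external in mappings.items():
        name = internal[2:-1]  # strip the "${" and "}" of the placeholder
        if name in record:  # fields absent from the record are left out
            _set_path(payload, external, record[name])
    return payload

SAMPLE_RECORD = {  # constructed sample; placeholder values, not real certificates
    "deviceUuid": "cbe7ecc8-45c5-4156-b212-c563209c2839",
    "userUuid": "3780e878-6955-4d2b-af96-c60837d7cb77",
    "signingCertData": "p12 encoded in base64",
    "signingCertPassword": "w9TDX3WE",
}
```

Because the sample record carries no encryption fields, the resulting payload contains only the `signing` array; a field whose internal placeholder is missing from the record is simply not emitted.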
Set up Workspace One
Docker
Open the environment file <SMARTIDHOME>/compose/smartid.env for editing.
Set the properties for the following three variables to fit your deployment:
```
PRIME_CONNECTORS_VERSION=2303.0.0

# -- Workspace One connector properties
WORKSPACE_ONE_CONNECTOR_PORT=7076
WORKSPACE_ONE_CONNECTOR_CERT_RESOLVER=le
WORKSPACE_ONE_CONNECTOR_PREFIX=workspace-one-connector
```
- Update the docker/compose/identitymanager/workspace-one-connector/docker-compose.yml file accordingly.
Tomcat (stand-alone)
- Adapt the config files in the WEB-INF/classes/config folder.