My colleague Arno Meijroos wrote a nice blog on “How to integrate Horizon DaaS 9.0 with Workspace ONE Access“. As an extension to his blog, I want to explain how to add VMware Verify for two-factor authentication (2FA).
You can use the Verify app to secure login to VMware Workspace ONE and other apps. The Verify app is available for iOS, Android, and Chrome. It uses modern mobile push tokens, where users get a push notification on their mobile device that they can simply accept or deny. When the user’s device does not have cellular reception, such as in airplane mode when traveling, the user can open the Verify app and use a one-time passcode (aka soft token). A one-time passcode via SMS is also available.
Enable VMware Verify
In order to use 2FA with VMware Verify, you need to enable VMware Verify in the built-in identity provider.
To do so, log in to the Workspace ONE Access portal and start the Administration Console by selecting the profile icon on the left and clicking Administration Console.
Please note: If you don’t see the Administration Console option, you are missing Admin permission.
Then click on Identity & Access Management.
Go to Authentication methods and click the configure icon next to VMware Verify.
Select the checkbox next to Enable VMware Verify and click Save.
VMware Verify is now enabled in the built-in identity providers.
Adding Identity Providers
After enabling VMware Verify, you need to add a built-in identity provider and associate VMware Verify with it.
In the Identity & Access Management console, go to Identity Providers.
Click Add Identity Provider and select Create Built-in IDP.
Fill in the following options in the New IDP screen.
| Option | Value |
|---|---|
| Identity Provider Name | Enter a name for the IDP. |
| Users | Select which users can authenticate using this IDP. |
| Network | Select which networks this IDP can be accessed from. |
| Authentication Methods | Select VMware Verify. |
Click Add. The IDP is now added.
Now we need to configure the default access policy rule to add VMware Verify as one of the authentication methods.
Configure the default access policy
In order to change the authentication method, you need to edit the policy rules. In this example, we will edit the default_access_policy_set and enable Verify for the portal. It is also possible to enable Verify on a per-app basis.
In the Identity & Access Management console, go to Policies.
Select the default_access_policy_set and click Edit.
Go to the configuration step.
Click on the Network Range name, All Ranges.
Add VMware Verify as an additional authentication method for the users by clicking the + sign.
Select VMware Verify from the dropdown menu.
Click Next to see the summary. If everything is OK, click Save.
Repeat this for all the other network ranges underneath the default_access_policy_set.
Download VMware Verify
In order to start using VMware Verify, the users need to download the VMware Verify app.
The configuration of the VMware Verify app is self-explanatory. Just follow the steps on the screen.
If you have any questions or comments, just let me know.
Leave a comment
Very useful article! Thanks for making it.