Workspace ONE Access Integration with Ping – Logical Workflow

1. Introduction

This blog talks about the logical workflow between Workspace ONE Access and Ping (or any Service Provider). You can follow the official VMware documentation that describes the actual integration process.

I’ve noticed that a lot of my customers don’t have a clear understanding of how the federation works. They end up losing a lot of time trying to fix an issue by troubleshooting the wrong endpoint. If the understanding is clear, it becomes easy to identify the nature of the integration process and to sort the problem into either the authentication or the authorisation issue bucket.

Assumption: the reader has a fair idea of SAML, Identity Provider, Service Provider and Single Sign-On concepts.

Let’s talk about a hypothetical scenario which will probably clear things up.

A. Background & Requirements

  • PING is the primary Identity Provider
  • Apps federated with PING
  • Need to bring in Workspace ONE Access and integrate it with PING
  • Requirement of MFA and SSO

2. Workflow

In this integration, Workspace ONE Access is the Identity Provider (IDP) and PING is the Service Provider (SP). Given that background, for all the federated apps PING still remains the primary source of truth, and for PING, Access becomes the authentication provider. See the flow below –

Now let’s break it down further into two steps: Enrollment and Application Authentication. Please follow the numbering so you can align it with the steps mentioned below.

Enrollment Process

  • Hub does an Autodiscovery enrollment
  • UEM is integrated with Access
  • Workspace ONE Access authenticates the devices
  • Device is enrolled and can view the Workspace ONE app catalog

Application Authentication Process

  • Post enrollment, the device owner opens an app on the device.
  • The app redirects to PING, because the apps have PING as their primary source of truth.
  • PING further redirects to Access to complete the authentication.
  • Post authentication, the device sends the token back to PING and you are authenticated into the application.
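To make the chain above concrete, here is an added example (not code from the post, VMware or Ping) that models the two SAML legs, Access to PING and PING to the app, as separate validations of issuer, audience, expiry and MFA context. Entity IDs and the checks themselves are assumptions for the example; the point is that the first rejected leg names the endpoint pair you should troubleshoot, which is the distinction the post asks you to make.

```python
# Toy model of the chained flow: App -> PING (SP) -> Access (IdP) -> PING -> App.
# Entity IDs and checks are assumptions for this example, not VMware or Ping code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Assertion:
    issuer: str         # entity ID of the party that issued it
    audience: str       # entity ID of the party it is intended for
    subject: str
    not_after: float    # epoch seconds
    authn_context: str  # "mfa" or "password"

@dataclass
class Party:
    entity_id: str
    trusted_issuer: str = ""   # SP role: the only issuer whose assertions are accepted
    issues_to: str = ""        # IdP role: the audience written into issued assertions
    require_mfa: bool = False  # SP role: reject assertions without an MFA context

    def validate(self, a: Assertion, now: float) -> Optional[str]:
        """None if this party accepts the assertion, otherwise the reason it rejects it."""
        if a.issuer != self.trusted_issuer:
            return f"issuer {a.issuer} not trusted (expected {self.trusted_issuer})"
        if a.audience != self.entity_id:
            return f"audience {a.audience} does not match {self.entity_id}"
        if now > a.not_after:
            return "assertion expired"
        if self.require_mfa and a.authn_context != "mfa":
            return f"authn context {a.authn_context} does not satisfy MFA"
        return None

def run_flow(app: Party, ping: Party, access: Party, user: str, mfa_done: bool, now: float) -> list:
    """Walk the legs of the application authentication flow, stopping at the first rejected leg."""
    trace = [("app->ping", "AuthnRequest: app has PING as primary source of truth"),
             ("ping->access", "AuthnRequest: PING has no session, defers to Access")]
    # Access authenticates the user (MFA or password) and issues an assertion addressed to PING
    a1 = Assertion(access.entity_id, access.issues_to, user, now + 300, "mfa" if mfa_done else "password")
    err = ping.validate(a1, now)
    trace.append(("access->ping", "FAIL: " + err if err else "assertion accepted by PING"))
    if err:
        return trace
    # PING issues its own assertion to the app, carrying the authn context it received from Access
    a2 = Assertion(ping.entity_id, ping.issues_to, user, now + 300, a1.authn_context)
    err = app.validate(a2, now)
    trace.append(("ping->app", "FAIL: " + err if err else "assertion accepted by app"))
    return trace

def failing_leg(trace: list) -> Optional[str]:
    """Name the leg whose endpoints to troubleshoot, or None when the whole chain succeeded."""
    return next((leg for leg, result in trace if result.startswith("FAIL")), None)
```

Misconfiguring Access's SP entity ID for PING, or failing MFA, stops the trace at `access->ping` before the app is ever involved, whereas a trust problem on the app side only shows up on `ping->app`.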

3. Conclusion

You can get the integration done between any IDP and SP, but it is of utmost importance to understand the flow so that you can correctly identify any integration issues that may occur.

The images above are only there to clarify the understanding; they do not represent the low-level integration. Always follow the official VMware documentation (docs.vmware.com) for the latest updates.
