Archive | September, 2021

SAML Authentication Flow – Azure Active Directory and VMware Workspace ONE Access

28 Sep

Many blogs discuss and show in detail how to integrate the Azure Active Directory (AAD) with VMware Workspace ONE Access (WoA) as a 3rd party IDP, and the following are my top post on that topic:

However, in this blog post, I would like to shed more light on the SAML Authentication Flow between the Azure Active Directory (Identity Provider) and VMware Workspace ONE Access (Service Provider). When designing the WoA and AAD integration, the below flow helped me understand what is happening behind the scenes, and I thought of sharing my knowledge with you all.

  • SAML Authentication Flow
  • AuthnRequest
  • Issuer
  • NameIDPolicy
  • RequestAuthnContext
  • SAML Response that AAD sends to WoA

#ProTip – I use a Chrome/Edge extension called SAML-tracer to inspect the SAML responses back and forth within the browser.

SAML Authentication Flow

The diagram below describes the single sign-on sequence. The VMware Workspace ONE Access (the service provider) uses an HTTP Redirect binding to pass an AuthnRequest (authentication request) element to Azure AD (the 3rd party identity provider in case of WoA). Azure AD then uses an HTTP post binding to post a Response element to the cloud service.

SAML Authentication Flow – AAD and WoA
S. No.Description Flow
1.End-user tries to access the VMware Workspace ONE Access portal
2.VMware Workspace ONE Access finds the identity provider to authenticate the user
3.VMware Workspace ONE Access generates a SAML 2.0 AuthnRequest and redirects the user’s browser to the Azure AD SAML single sign-on URL
4.If the end-user is not signed in, Azure AD authenticates the user using multi-factor authentication & generates a SAML token
5.Azure AD posts the SAML response to the WoA application via the user’s browser
6.VMware Workspace ONE Access verifies the SAML Response
7.VMware Workspace ONE Access completes the end-user sign-in and presents the desktop/app entitlements

Note – I have randomly created the GUID within the XML response just for demonstration purposes.

AuthnRequest

To request a end-user authentication, from WoA portal send an AuthnRequest element to Azure AD.  Following is the SAML SAML 2.0 AuthnRequest from WoA portal:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://askaresh.com/SAAS/auth/saml/response"
                    Destination="https://login.microsoftonline.com/adsadas-2312asdasd-asdasda-2312asdda/saml2"
                    ForceAuthn="false"
                    ID="_sdasdwqezxdasdasd2313asdas"
                    IssueInstant="2021-08-04T00:24:08.092Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    ProviderName="askaresh.com"
                    Version="2.0"
                    >
 
</samlp:AuthnRequest>

Issuer

The Issuer element in an AuthnRequest must exactly match one of the ServicePrincipalNames in the cloud service in Azure AD. Typically, this is set to the App ID URI that is specified during application registration. (When the Enterprise Application is created under AAD portal)

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://askaresh.com/SAAS/API/1.0/GET/metadata/sp.xml</saml:Issuer>

NameIDPolicy

This element requests a particular name ID format in the response and is optional in AuthnRequest elements sent to Azure AD. A NameIdPolicy element looks like the following from WoA portal:

<samlp:NameIDPolicy AllowCreate="false"
                        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>

RequestAuthnContext

The RequestedAuthnContext element specifies the desired authentication methods. It is optional in AuthnRequest elements sent to Azure AD. Azure AD supports AuthnContextClassRef values snippet from WoA portal:

<samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

SAML Response AAD sends to WoA portal (Step 5-6)

The SAML Repsonse that AAD sends back to WoA portal:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_2132sdasdasdas-asdasd-aeeqwq-adsa"
                Version="2.0"
                IssueInstant="2021-08-04T02:39:06.365Z"
                Destination="https://askaresh.com/SAAS/auth/saml/response"
                InResponseTo="_ad123123213qws12312asa1"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/se13edsadsadasdasdasd2342342dasdas/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
               ID="_324sadasdsa-adsa-asd1312-adsasdas"
               IssueInstant="2021-08-04T02:39:06.365Z"
               Version="2.0"
               >
        <Issuer>https://sts.windows.net/123asdasdas-adsa-asdsad-asdsad-4523213432asd/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_54fb024a-f2f0-4495-99c7-f47e3fd37701">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>3213asdasdase3432sdsadasd2342432423675=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>SIGNATUREDATA==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>CERTDATA==</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">aresh@askaresh.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_aasdwqewqsadsadasdsa-asdasd-asdasd"
                                         NotOnOrAfter="2021-08-04T03:39:04.318Z"
                                         Recipient="https://askaresh.com/SAAS/auth/saml/response"
                                         />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2021-08-04T02:34:04.318Z"
                    NotOnOrAfter="2021-08-04T03:39:04.318Z"
                    >
            <AudienceRestriction>
                <Audience>https://askaresh.com/SAAS/API/1.0/GET/metadata/sp.xml</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>adsad1-adsasdsa-adasdasd-adasdsa-12321321</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>123dsfssdfw12312asdasdadasdxsas21s</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>https://sts.windows.net/131sdfsdfsdfsdcs13123123dsfsdfsdfxcr21e23rwadsadsa/</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
            </Attribute>
            <Attribute Name="email">
                <AttributeValue>aresh@askaresh.com</AttributeValue>
            </Attribute>
            <Attribute Name="ExternalID">
                <AttributeValue>8711aaae-b7b3-4202-8faf-f2408ffd7cf9</AttributeValue>
            </Attribute>
            <Attribute Name="userName">
                <AttributeValue>aresh@askaresh.com</AttributeValue>
            </Attribute>
            <Attribute Name="userPrincipalName">
                <AttributeValue>aresh@askaresh.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2021-08-04T02:38:59.239Z"
                        SessionIndex="_123123-adsasdsa-ad213123dsaasdsa"
                        >
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

Reference Link

The above flow I learnt from an excellent Microsoft page – Azure Single Sign On SAML Protocol – Microsoft identity platform | Microsoft Docs. Without this article, it wouldn’t have been possible to understand this under the hood.

I hope you will find the above information helpful in your journey with AAD/WoA. A small request if you see any scope of improvisation or refinements. I hope you can share it back with me?

Thanks,
Aresh Sarkari

VMware EUC stack upgrade – Legacy? or Modernizing? or Middleground?

14 Sep

It was that time of the year to perform a VMware End-User Computing (EUC) stack upgrade on the environment, and I thought of sharing the overall thought process and decisions made along the way. It will be interesting to share with others who might be in a similar situation or process of developing their upgrade/migration strategies. In this post, we shall take a look into these topics:

  • Current versions of the VMware EUC Stack
  • What version numbers did we upgrade/migrated to?
  • Why did we migrate to these versions?
  • Wishlist (Someone Listening?)
  • Valuable links to reference during upgrade/migration

Current versions of the VMware EUC Stack

  • VMware Horizon 7.11 (Connection Server/Agents)
  • VMware Horizon Client 5.5
  • VMware App Volumes 2.18.1.x Manager/VMware App Volumes 2.18.5 Agent version
  • VMware Workspace ONE Access 20.01/Connector 1903 (Not in scope for the upgrade)
  • VMware Dynamic Environment Manager 9.10
  • VMware Unified Access Gateway 3.10

What versions numbers did we upgrade/migrated to?

  • VMware Horizon 7.13.1 (Connection Server/Agents)
  • VMware Horizon Client 5.5.2
  • VMware App Volumes 2.18.10.10 (Manager/Agents)
  • VMware Dynamic Environment Manager 2103
  • VMware Unified Access Gateway 2103.1

Why did we migrate to these versions?

The obvious question everyone might ask is the latest versions are Horizon 8.x and App Volumes 4.x why are you picking older versions for the upgrade? The short answer is the limitations and trade-off, and the following matrix tries to uncover in more detail.

Note – Not all customers might fall under the limitation category, or the limiting feature/functionality could be different in your case. By no means this should be your defacto reasons. Make sure to evaluate your situation and create a matrix to make a data-driven decision. If the project is greenfield/no-limitations applied, it’s a no-brainer to opt for the latest product releases.

ProductUpgrade DecisionVerison of Choice
VMware Horizon++ We had all the boxes ticked from a feature/functionality standpoint to be able to upgrade/migrate to Horizon 8.x version. (Instant Clones, Printing, UAG etc.). Infact everything worked well in the development environment
++ The latest vROPS Horizon Adapter 1.2/Horizon 8.x version doesn’t include the built-in Horizon reports. We use the reporting feature for all sorts of custom reporting on Horizon PODs. The older version of vROPS Horizon Adapter 6.7.1/Horizon 7.x has all the existing metrics and reporting available but doesn’t include support for Horizon 8.x on the support matrix
++ The no reporting on the Horizon Adapter 1.2 + limited metrics on RDSH limited our ability to move to the latest version of Horizon 8.x. Once the built-in reports\metrics and guidance is made available, we shall jump onto the latest version (n-1)
Horizon 7.13.1
VMware App Volumes++ Lack of Writable Volumes (UIA+Profile and UIA) migrations from 2.18.x to 4.x. Need official guidance or tool/script/guidance to upgrade all the wrtiable of the 2.18.x environment to 4.x. I am sure alot of enterprise customers will have plenty of Writable Volumes to migrate and don’t have the flexibility to start from scratch on a new version
++ VMware AppStack Migration fling is the perfect migration utility to migrate AppStacks 2.18.x to 4.x need something similar for Writable Volumes
App Volumes 2.18.10.10
VMware Dynamic Environment Manager++ This was the only piece of software that didn’t have interoperability or upgrade complexity. The obvious choice was to upgrade to the latest (n-1)DEM 2103
VMware Unified Access Gateway++ The appliance has no interoperability issues with Horizon 7.13.1 or upgrade complexity. The obvious choice was to upgrade to the latest (n-1)UAG 2103.1
Upgrade Decision Matrix

The above stack provides us with the required General Availability support until Q2 FY2022 and beyond.

Wishlist

I am looking forward to vROPS Horizon Adapter XX to include the built-in Horizon Reports/Additional Metrics for RDSH in the new version or provide detailed guidance on creating meaningful reports in future releases. Additionally, the App Volumes team releases tools and advice on migrating 4000’s+ Writable Volumes from 2.18.x to 4.x. Once the above is released, I plan to upgrade to the branch of Horizon 8.x and App Volumes 4.x releases version numbers.

Valuable links to reference during upgrades

Here is the cheat sheet for all the useful links to review and formulate an upgrade plan:

DescriptionLinks
VMware Product Interoperability MatrixProduct Interoperability Matrix (vmware.com)
Product DocumentationVMware Horizon Documentation
VMware App Volumes Documentation
VMware Dynamic Environment Manager (Formerly Known as VMware User Environment Manager) Documentation
Techzone Migrating Legacy Horizon Components to Modern Alternatives

View Composer –> Instant Clones
Security Server –> UAG
Persona –> DEM
Persistent Disk – FSLogix
Modernizing VDI for a New Horizon | VMware
App Volumes Upgrade considerationsVMware App Volumes 4 Installation and Upgrade Considerations | VMware
Fling Migrate App Volumes AppStack from 2.18.x to 4.xApp Volumes Migration Utility | VMware Flings
Supported Windows 10 versions based on Horizon AgentSupported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 7) (2149393) (vmware.com)
VMware EUC Stack Agent OrderAgent installation order for Horizon View, Dynamic Environment Manager, and App Volumes (2118048) (vmware.com)
Supported Windows 10 versions based on App Volumes AgentVMware App Volumes and Microsoft Windows 10 Support
VMware Product Lifecycle – End of LifeProduct Lifecycle Matrix (vmware.com)
Reference Material

I hope you will find the above information useful in your enterprise upgrade/migrate strategy for VMware EUC Stack. I would love to hear your strategy and similar situations limiting your ability to migrate to the latest and greatest versions.

Thanks,
Aresh Sarkari

VMware App Volumes upgrade from 2.18.1 to 2.18.10 – Startup Failure – Unable to start App Volumes Manager

13 Sep

While upgrading from VMware App Volumes 2.18.1 to 2.18.10.10 version, the upgrade installer completes successfully. However, when you load the App Volumes Manager portal, you get the following error message – Startup Failure – Unable to start App Volumes Manager – Migrations are pending. To resolve this issue, run bin/rails db:migrate RAILS_ENV=production

Startup Failure

Cause

Upon quickly checking the App Volumes computer account (<Domain>\<MachineName>$ within SQL Server was missing the db_onwer permissions. Obviously, that caused the above error post-migration.

Note – This is a very corner case and not expected to see along on most of the App Volumes Migration/Upgrade scenarios. If you did come across one now you know how to remediate.

Resolution

Step 1 – Adding the missing db_owner permission back to the App Volumes Manager computer security account within SQL Server Management Studio

Step 2 – As the db:migration didn’t complete during the upgrade, we need to re-run the following command on the App Volumes Manager server. Open the CMD and change directory to the following path – C:\Program Files (x86)\CloudVolumes\Manager\ruby\bin and run the following command:

bundle exec rake db:migrate RAILS_ENV=production

You should see the following output:

Command Output

Step 3 – Restart the App Volumes Manager service, and now you will see the login page of the App Volumes Manager.

The mystery remains how did that permission go missing as the additional App Volumes Manager account had retained the db_owner role. But none the less the above steps came in handy with help from VMware support – Suman Rout luckily, has seen a similar issue before.

Lesson Learnt

  • Create a pre-upgrade task item on checking to making sure all the App Volumes Manager computer accounts within the SQL Server have the db_owner permissions.

I hope you will find these steps helpful to resolve missing SQL permissions causing upgrade issues during the App Volumes migration from 2.18.x to 2.18.10.10.

Thanks,
Aresh Sarkari

Stop syncing Disabled user accounts into the VMware Workspace ONE Access – Directory Sync

6 Sep

We had many Disabled accounts that were getting synced into the Workspace ONE Access (WoA) from the Directory Sync – Active Directory with IWA operation. The challenge here been no standards to cater for Disable accounts in the Active Directory. I decided to stop syncing the disabled accounts into WoA. Thanks for the exclusion filter feature that came in handy, and the following are the detailed steps.

  • Exclusion filter to stop syncing the Disabled accounts
  • Safeguards adjustment (Optional)
  • Why did we had to stop syncing Disable accounts?

Exclusion filter to stop syncing the Disabled accounts

Login to your WoA portal with administrative privileges and go to the following path – Identity & Access Management –> Directories –> Select the Directory with Active Directory & IWA –> Sync Settings –> Users

Add the filter to exclude the disabled users:

userAccountControl – contains – 514
Note – 514 = Disabled Accounts

userAccountControl – contains – 66050
Note – 66050 = Disabled, Password Doesn’t Expire

Note – I found this helpful blog which described all the UAC attributes/values in detail – UserAccountControl Attribute/Flag Values | Jack Stromberg

WoA – Users

The above will take care of not syncing the Disable user accounts into the WoA directory. However, in our scenario, the number of disable accounts were very high, and the Safeguards kick-in to protect mass deletion.

Safeguards Adjustment (Optional)

This is an optional step depending on your environment. It might need tweaking, and I am highlighting the values that need to be tweaked if it involves mass deletion (Note – these values are for experimental purposes only). Note – Please switch the value back to default after the mass deletion activity is completed. The Safeguards feature a real blessing to control WoA Directory Sync accidents against any human/automation errors.

WoA – Safeguards

Why we had to stop syncing disable accounts?

I ran into an issue where-in users had multiple accounts with 1 active/1 disabled. The email address attributes were the same in both the accounts, which will have a conflict when the end-user tries to login. This becomes evident once we switched our identity to 3rd party IDP – Azure Active Directory, where the primary NAMEID attribute is the email address.

I hope you will find these steps helpful to stop syncing disabled accounts into WoA Access – Directory Sync.

Thanks,
Aresh Sarkari