Manual Chapter : Using APM as a Proxy with Workspace One

Applies To:

BIG-IP APM

  • 17.0.0, 16.1.0, 16.0.1, 16.0.0, 15.1.0

Overview: Using APM as a proxy with Workspace One

This implementation describes how to set up Workspace One Cloud as an Identity Provider (IdP) in front of F5 Access Policy Manager (APM) as a Service Provider (SP), using APM as a gateway for VMware Horizon. The configuration combines the single pane of glass that Workspace One/Identity Manager provides with the DMZ security and scalability that the F5 PCoIP/Blast Proxy brings to VMware Horizon.

About Workspace One Cloud

Workspace One and VMware Identity Manager combine applications and desktops into a single, aggregated workspace. Employees can then access the desktops and applications regardless of where they are based.
Workspace One Cloud deployment
Instead of being deployed on-premises within a datacenter, Workspace One Cloud is deployed in the cloud. Organizations can centralize assets, devices, and applications, and manage users and data securely. The system also receives upgrades in real time, preventing maintenance outages during upgrades.
Workspace One Cloud workflow
Together, VMware and F5 integrate additional layers of security and provide gateway access using Workspace One Cloud and Identity Manager.

About VMware Identity Manager on-premise

VMware Identity Manager combines applications and desktops in a single, aggregated workspace. Employees can then access the desktops and applications regardless of where they are based. With fewer management points and flexible access, Identity Manager reduces the complexity of IT administration.
VMware Identity Manager deployment
Identity Manager is delivered as a virtual appliance that is easy to deploy onsite and integrate with existing enterprise services, or it can be deployed on a Windows platform. Organizations can centralize assets, devices, and applications, and manage users and data securely behind the firewall. Users can share and collaborate with external partners and customers securely when policy allows.
VMware Identity Manager workflow
F5 and VMware have developed an integration to add additional layers of security and provide gateway access with VMware Identity Manager.

Prerequisites for using Workspace One with APM

The following prerequisites must be completed before proceeding with the APM and Workspace One configuration. For additional information on BIG-IP system tasks, refer to the BIG-IP documentation on support.f5.com.
  • Create and import an SSL certificate that contains the load-balanced FQDN to use for the Identity Manager portal (VIDM deployments only).
  • Upload the following to the BIG-IP system (VIDM deployments only):
    • SSL certificate
    • Private key for the load-balanced FQDN certificate
    • Primary CA or Root CA for the SSL certificate you uploaded to the BIG-IP system
      The Primary or Root CA for the FQDN certificate is uploaded to the BIG-IP system and must also be loaded onto each Identity Manager appliance.
  • Deploy and configure Workspace One and VMware Identity Manager.
    • For VMware Identity Manager, configure a 3-node deployment behind an LTM FQDN VIP on the BIG-IP system and set up VIDM in the domain and Horizon environment.
    • For Workspace One Cloud, set up the environment with connectors to the domain and Horizon environment.
  • Set up and configure VMware Horizon behind an APM VIP on the BIG-IP system (the VIP can be deployed using the iApp).
VMware recommends using certificates that support Subject Alternative Names (SANs) defining each of the node FQDNs (public or internal) within the load-balanced VIP FQDN.
Although you can use wildcard certificates, SAN support is not typically available with wildcards from public CAs because of the wildcard certificate format, and even public CAs that do support SAN values may object to an internal FQDN being supplied as a SAN value. Additionally, some VMware Identity Manager features may not be available with wildcard certificates when SAN support is not defined.
For additional details on VIDM LTM configuration, refer to the F5 integration guide Load Balancing VMware Identity Manager, located at https://f5.com/Portals/1/PDF/Partners/f5-big-ip-vmware-workspaceone-integration-guide.pdf.
For additional details on Horizon APM configuration, refer to the F5 deployment guide Deploying F5 with VMware View and Horizon View, located at https://www.f5.com/pdf/deployment-guides/vmware-horizon-view-dg.pdf.

vIDM LTM configuration

Refer to the following screen shots to confirm that the prerequisites for vIDM LTM configuration have been completed.
Screen shot: Virtual server list
Screen shot: Virtual server configuration
Screen shot: Virtual server resources
For additional details on vIDM LTM configuration, refer to the F5 integration guide Load Balancing VMware Identity Manager, located at https://f5.com/Portals/1/PDF/Partners/f5-big-ip-vmware-workspaceone-integration-guide.pdf.

Horizon APM configuration

Refer to the following screen shots to confirm that the prerequisites for Horizon APM configuration have been completed.
Screen shot: Application Service list
Screen shot: Virtual server list for Horizon
For additional details on Horizon APM configuration, refer to the F5 deployment guide Deploying F5 with VMware View and Horizon View, located at https://www.f5.com/pdf/deployment-guides/vmware-horizon-view-dg.pdf.

vIDM/WS1 configuration: Enabling JWT

Before you begin, make sure that either Workspace One Cloud is deployed and set up with connectors, or the VIDM environment is set up behind the load balancer, and that in either case it is configured for VMware Horizon.
You start by configuring the vIDM/WS1 environment to work with Access Policy Manager (APM).
  1. In a browser, log in as an Admin to the VIDM/WS1 FQDN (in this example, https://myws1-onprem.bd.f5.com).
  2. From the Catalog menu, select Virtual Apps Collection.
  3. Click Virtual App Configuration.
  4. Check that a Horizon environment is set up and configured for the integration.
  5. From the Catalog menu, select Virtual Apps Collection.
  6. Click Virtual App Settings.
  7. Click the Network Settings tab, and select All Ranges.
  8. In the All Ranges Network Setting:
    1. Select Wrap Artifact in JWT on the Horizon Environment that was previously configured.
    2. Click the + under Audience in JWT next to the check box and type a unique name (for example, f5cpa).
      Save this name. You will need it when creating OAuth resources.
    3. Click Save.
When completed, vIDM/WS1 is set up.
Next, you can configure the required Access Policy Manager settings.

Disable strict updates on APM

On the BIG-IP system, you need to disable strict updates in the Horizon APM iApp.
  1. Log on to the BIG-IP system.
  2. On the Main tab, click iApps > Application Service.
    The Application Service List opens.
  3. Select the iApp deployed for the Horizon APM configuration.
    The iApp opens, showing its properties.
  4. On the Properties tab, next to Application Service, select Advanced.
  5. Clear the Strict Updates check box.
  6. Click Update.
The Horizon APM configuration iApp is updated.

Create OAuth Resources

On the BIG-IP system, you need to create OAuth resources.
  1. On the Main tab, click Access > Federation > OAuth Client / Resource Server > Provider.
    The Provider list screen opens.
  2. Click Create.
    A new provider is created.
  3. For Name, type a unique name.
  4. For Type, select Custom.
  5. In the OpenID URI field, type the following (replacing <MyVIDMFQDN> with the name you used):
    https://<MyVIDMFQDN>/SAAS/auth/.well-known/openid-configuration
  6. Click Discover.
    During the discovery process, an In Progress... message displays. If the discovery is successful, some of the previously empty areas are populated with data, and additional boxes appear.
  7. Click Save to complete the Provider configuration.
  8. On the Main tab, click Access > Federation > JSON Web Token > Token Configuration.
    You see the token that was automatically created during the discovery process. Make sure that it contains the correct vIDM FQDN in the Issuer column.
  9. Click the name of the automatically created token.
  10. Add the audience to the token:
    1. In the Audience field, type the name of the audience (created previously in the vIDM/WS1 configuration: Enabling JWT section), and click Add.
    2. Click Save.
  11. On the Main tab, click Access > Federation > JSON Web Token > Provider List.
    The Provider List opens.
  12. Click Create.
    A new JSON Web Token Provider is created.
  13. For Name, type a unique name.
  14. From Provider, select the OAuth Client / Resource Server Provider previously created, and click Add.

Modify the Horizon access policy

You need to have previously created a Horizon access policy as part of the prerequisites.
  1. On the Main tab, click Access > Profiles / Policies > Access Profiles (Per Session Policies).
  2. In the Horizon APM access policy (previously created), click Edit in the Per-Session Policy column.
    The access policy opens in the Visual Policy Editor. It shows a typical Horizon iApp deployment.
  3. Remove all of the policy items except Client Type, View Client Resource Assign, and Browser Assign.
    1. To delete the other items, click the X within the box (usually in the top right corner).
      A confirmation dialog appears.
    2. Keep the default option Connect previous node to fallback branch selected.
    3. Click Delete.
    The resulting access policy should look like this.
  4. Click the + between the VMware View Client Type and View Client Resource Assign to create an item between the two.
  5. On the Authentication tab, select OAuth Scope, and click Add Item.
  6. Define the OAuth Scope:
    1. Type a unique name (in this example, the View Client path uses the name View Client OAuth Scope).
    2. From the Token Validation Mode list, select Internal.
    3. From the JWT Provider List, select the JWT Provider previously created.
    4. Click Save.
    The updated access policy should look like this.
  7. Click the + next to Successful between View Client OAuth Scope and View Client Resource Assign to create an item between the two.
  8. On the Assignment tab, select Variable Assign, and click Add Item.
  9. Define the Variable Assign:
    1. Type a unique name (in this example, the View Client path uses the name View Client Variable).
    2. Click Add new entry.
    3. Click the change link on line 1.
    4. On the left, type session.logon.last.username.
    5. On the right, type session.oauth.scope.last.jwt.upn.
    6. Click Finished.
  10. Click Save.
    The updated access policy should look like this.
  11. Between Client Type and Browser Resource Assign, click the + next to Full or Mobile Browser to create an item.
  12. On the Authentication tab, select OAuth Scope, and click Add Item.
  13. Define the OAuth Scope:
    1. Type a unique name (in this example, the Browser path uses the name Browser OAuth Scope).
    2. From the Token Validation Mode list, select Internal.
    3. From the JWT Provider List, select the JWT Provider previously created.
    4. Click Save.
    The updated access policy should look like this.
  14. Click the + between Browser OAuth Scope and Browser Resource Assign in the Successful line to create an object between the two.
  15. On the Assignment tab, select Variable Assign, and click Add Item.
  16. Define the Variable Assign:
    1. Type a unique name (in this example, the Browser path uses the name Browser Variable Assign).
    2. Click Add new entry.
    3. Click the change link on line 1.
    4. On the left, type session.logon.last.username.
    5. On the right, type session.oauth.scope.last.jwt.upn.
    6. Click Finished.
  17. Click Save.
    The updated access policy should look like this.
  18. In the top left of the screen, click Apply Access Policy to save all changes and apply them.

vIDM/WS1 configuration: Verifying JWT tokens

It is a good idea to validate that a JWT token is being created and sent to the appropriate site. You perform the validation using the Google Chrome web browser.
  1. From the vIDM/WS1 portal (opened using Chrome), log in as a user with access to the Horizon resources.
  2. In the upper right of the browser, click the three dots, then More Tools > Developer Tools.
    The Developer Tools console opens.
  3. In the Developer console, select Network.
  4. In the catalog section of the Workspace One portal, select an application or desktop and click Open for the application or desktop that triggers the event to launch either the HTML5 or Native Client.
    In the Developer console, an item typically named Workspace-****** appears.
  5. Select the object you just created (Workspace-***<GUID>***).
    The URL/URI string includes the FQDN of the Horizon environment.
    1. In the Preview tab of the Developer console, expand Response:.
    2. Expand launchURLs:.
    3. Expand both the 0: and 1: sections to reveal the launch URLs.
  6. Review the field called SAMLart= in the launch URL strings.
    • If the line specifies SAMLart=JWT:, then VMware Identity Manager is wrapping the JWT token within the SAML artifact field for F5 to decrypt.
    • If the SAMLart= field does not contain JWT:, then the Horizon Environment that you are trying to access is not configured for JWT wrapping.

Troubleshooting Workspace One integration

If you see the following error or a similar one, check the DNS settings on your vIDM servers. Make sure they point to the LTM VIP, not the APM VIP; otherwise you may receive an error.