Garrison Integration with Workspace ONE Access

The Garrison Isolation Platform provides a new level of cyber security by separating untrusted networks (for example, the Internet) from the corporate environment. It enables users to freely browse potentially dangerous websites with no risk of compromise of their client device or the rest of the network.

The system is comprised of several components that require administration. Currently, these components do not support authenticating administrators against Active Directory or LDAP, nor the use of multifactor authentication. However, the latest releases of all the components support SAML integration with identity providers. Without this integration we have to create local administrators on each component separately. Below we focus on the integration of Garrison components with VMware Workspace ONE Access (formerly vIDM).

This integration has been verified with the following versions:

  • Garrison 2.3.1
  • Workspace ONE Access 20.01

Garrison plus Workspace ONE Access

Pre-requisites

  1. VMware Workspace ONE Access is deployed and operating
  2. Download Workspace ONE Access metadata

Go to Administration Console – Catalog – Web Apps – Settings – SAML Metadata – Identity Provider (IdP) metadata:

Workspace ONE Access metadata

3. Garrison components are deployed and operating

The following components support SAML integration for authentication:

  • Garrison Isolation Appliance (GIA) – provides the functionality of virtual browsing through mobile browser instances.
  • Garrison Transfer Appliance (GTA) – provides the functionality of copying text and images from secure web browsing sessions to the user's local workstation.
  • Garrison Profile Store – provides the functionality of storing users' profiles (bookmarks, browsing history, files, etc.).
  • Garrison Connection Broker – provides the ability to use multiple GIAs for high availability and load sharing.
  • Garrison System Manager – provides the ability to centrally manage GIAs and GTAs.

4. Garrison components must have a valid SSL certificate for the web interface, with the hostname in the Subject Alternative Name field

Action

Garrison Components

The SAML configuration for the Garrison components (System Manager, Connection Broker, Profile Store setup and cluster management interfaces, Isolation Appliance and Transfer Appliance) is the same. The only difference is the location of the Service Provider metadata, which is covered below.

  1. Log in to the Garrison component web interface with administrative privileges
  2. Go to Accounts – Settings – SAML Configuration
  3. Set SAML Authentication to Enabled
  4. Set SAML Service Provider Hostname to the hostname of the component
  5. Upload the Workspace ONE Access metadata
  6. Set Automatic Approval to Enabled

Garrison account settings

  7. Set Automatic User Roles to Enabled
  8. Set mapping rules for the different roles as needed. For example, to allow members of the Garrison Admins group of the example.local domain to log in with Admin permissions, set the Admin mapping to Garrison Admins@example.local

The field must match the CN of the group, including any special characters, followed by @DomainName

Garrison Automatic User Roles

  9. Leave the other settings at their defaults
  10. Click Save
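To make the role-mapping rule above concrete, here is an added Python example (not Garrison's or VMware's code) that pulls the group values out of a constructed SAML assertion and resolves them against mapping rules written in the CN@DomainName form the page describes. The sample assertion, the groupNames attribute name, the Operator role and the exact string comparison are assumptions made for the example.

```python
# Added example (not Garrison or VMware code): resolve a Garrison-style role
# mapping (role -> "GroupCN@DomainName") against the groups carried in a SAML
# assertion. The assertion below is constructed for the example; the attribute
# name "groupNames" and exact string comparison are assumptions.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment; the claim names for given name and
# surname follow the custom attribute mapping shown later on the page.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.local</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groupNames">
      <saml:AttributeValue>Garrison Admins@example.local</saml:AttributeValue>
      <saml:AttributeValue>Domain Users@example.local</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Mapping rules as they would be typed into "Automatic User Roles", ordered
# from most to least privileged so that the first match wins.
MAPPING_RULES = [
    ("Admin", "Garrison Admins@example.local"),
    ("Operator", "Garrison Operators@example.local"),  # assumed role name
]


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_role(groups, rules=MAPPING_RULES):
    """Return the first role whose rule exactly matches one of the user's
    groups, or None when no rule matches (the user is assigned no role)."""
    group_set = set(groups)
    for role, rule in rules:
        if rule in group_set:
            return role
    return None


def role_for_assertion(assertion_xml, group_attribute="groupNames"):
    """Resolve the role for a whole assertion using the named group attribute."""
    attrs = extract_attributes(assertion_xml)
    return resolve_role(attrs.get(group_attribute, []))


if __name__ == "__main__":
    print(role_for_assertion(SAMPLE_ASSERTION))  # Admin
```

The comparison is deliberately exact: a rule that differs from the group value by case, spacing or a special character yields no role, which is the behaviour the note about matching the CN "including special characters" warns about.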

Garrison components Service Provider Metadata locations

After configuring the SAML Service Provider Hostname and uploading the Workspace ONE Access metadata, the Service Provider metadata can be downloaded from the following paths:

Garrison Component                           Path
System Manager                               https://hostname/management/accounts/sso/metadata
Connection Broker                            https://hostname/management/accounts/sso/metadata
Profile Store setup interface                https://hostname/setup/accounts/sso/metadata
Profile Store cluster management interface   https://hostname/management/accounts/sso/metadata
Isolation Appliance                          https://hostname/configuration/accounts/sso/metadata
Transfer Appliance                           https://hostname/configuration/accounts/sso/metadata

Where hostname is the hostname of the Garrison component for which you want to download the metadata.
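As an added example (not Garrison's or VMware's code), the following Python builds the metadata URL for each component from the table above and checks a downloaded Service Provider metadata document against the configured SAML Service Provider Hostname, since a mismatch between the hostname in the metadata, the hostname set in step 4 and the certificate SAN from the prerequisites is a common reason the SAML flow fails. The sample metadata document, its host and its AssertionConsumerService path are constructed for the example.

```python
# Added example (not Garrison or VMware code): build the Service Provider
# metadata URL for each Garrison component from the table on the page, and
# check a downloaded metadata document against the configured SAML Service
# Provider Hostname. The sample metadata is constructed; real files carry
# more elements (signing certificate, NameID formats, etc.).
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Paths as listed on the page, keyed by component.
METADATA_PATHS = {
    "System Manager": "/management/accounts/sso/metadata",
    "Connection Broker": "/management/accounts/sso/metadata",
    "Profile Store setup interface": "/setup/accounts/sso/metadata",
    "Profile Store cluster management interface": "/management/accounts/sso/metadata",
    "Isolation Appliance": "/configuration/accounts/sso/metadata",
    "Transfer Appliance": "/configuration/accounts/sso/metadata",
}

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata; the host gsm.example.local and the ACS path
# are invented for the example.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://gsm.example.local/management/accounts/sso/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gsm.example.local/management/accounts/sso/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_url(component, hostname):
    """URL from which the component's SP metadata is downloaded."""
    return f"https://{hostname}{METADATA_PATHS[component]}"


def parse_sp_metadata(xml_text):
    """Return the entityID and the AssertionConsumerService locations."""
    root = ET.fromstring(xml_text)
    acs = [e.get("Location") for e in root.findall(".//md:AssertionConsumerService", MD_NS)]
    return {"entityID": root.get("entityID"), "acs": acs}


def hostname_mismatches(meta, expected_hostname):
    """Endpoints in the metadata whose host is not the configured SP hostname
    (or that are not HTTPS). A non-empty result means the IdP would post the
    SAML response to a host other than the one the component was configured
    with, so the login will not complete."""
    expected = expected_hostname.lower()
    bad = []
    for url in [meta["entityID"], *meta["acs"]]:
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.hostname != expected:
            bad.append(url)
    return bad


if __name__ == "__main__":
    for component in METADATA_PATHS:
        print(f"{component}: {metadata_url(component, 'hostname')}")
    meta = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(hostname_mismatches(meta, "gsm.example.local"))  # []
```

Run the check on the metadata you actually downloaded from the component before pasting it into Workspace ONE Access; an empty list means the entityID and every AssertionConsumerService location point at the configured hostname.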

VMware Workspace ONE Access

A new application must be created for each Garrison component. The application configuration is the same for all of them; the only difference is the Garrison component metadata used to configure the new application in VMware Workspace ONE Access.

  1. Log in to the VMware Workspace ONE Access Administration console
  2. Go to Catalog – New
  3. Set the Name of the new application, click Next

Workspace ONE New Application

  4. Set Authentication type to SAML 2.0
  5. Paste the Garrison component Service Provider Metadata into the URL/XML field, click Next

Garrison component Service Provider Metadata

  6. Specify an Access Policy or leave the default, click Next
  7. Click Save & Assign and select the Active Directory group which requires access to this application (e.g. Garrison Admins@example.local)

Save and Assign new application

  8. Select the newly added application and click Edit
  9. Go to Configuration and change the Username Value field to ${user.userPrincipalName}

Username configuration

  10. Go to Advanced Properties – Custom Attribute Mapping and add the following:

Name                                                              Format   Namespace                                            Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname   Basic    [xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"]   ${user.firstName}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname     Basic    [xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"]   ${user.lastName}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname     Basic    [xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"]   ${groupNames}

  11. Save the configuration

As a result, members of the Garrison Admins Active Directory group will be able to log in either by going to the Workspace ONE Access portal and selecting the required application, or by going to the Garrison component web interface and selecting Sign In with SAML, which redirects to the Workspace ONE Access portal for authentication.
