The Garrison Isolation Platform provides a new level of cyber security by separating untrusted networks (for example, the Internet) from the corporate environment. It enables users to freely browse potentially dangerous websites with no risk of compromise of their client device or the rest of the network.
The system is comprised of several components which require administration. Currently, these components do not support integration with Active Directory or LDAP to authenticate administrators as well as usage of multifactor authentication. However, all the components support SAML integration with identity providers in the latest releases. Without this integration we have to create local administrators on each component separately. Below we will focus on integration of Garrison components with VMware Workspace ONE Access (formerly vIDM).
This integration has been verified with the following versions:
- Garrison 2.3.1
- Workspace ONE Access 20.01
Pre-requisites
- VMware Workspace ONE Access is deployed and operating
- Download Workspace ONE Access metadata
Go to Administration Console – Catalog – Web Apps – Settings – SAML Metadata – Identity Provider (IdP) metadata:
3. Garrison components are deployed and operating
The following components support SAML integration for authentication:
- Garrison Isolation Appliance –provides functionality of virtual browsing through mobile browser instances.
- Garrison Transfer Appliance –provides functionality of copying text and images from secure web browsing sessions to user’s local workstation.
- Garrison Profile Store – provides functionality of storing users’ profiles (bookmarks, browsing history, files, etc.).
- Garrison Connection Broker – provides ability to use multiple GIAs for high availability and load sharing.
- Garrison System Manager – provides ability to centrally manage GIAs and GTAs.
4. Garrison components must have valid SSL certificate for web interface with hostname in Subject Alternative Name field
Action
Garrison Components
SAML configuration for Garrison components (System Manager, Connection Broker, Profile Store setup and client management interfaces, Isolation Appliance and Transfer Appliance) is the same. The only difference is Service Provider Metadata locations which will be covered below.
- Login to Garrison component web interface with administrative privileges
- Go to Accounts – Settings – SAML Configuration
- Set SAML Authentication to Enabled
- Set SAML Service Provider Hostname to a hostname of the component
- Upload Workspace ONE Access metadata
- Set Automatic Approval to Enabled
- Set Automatic User Roles to Enabled
- Set Mapping rules for different roles as needed. For example, to allow members of Garrison Admins group of example.local domain to login with Admin permissions, set Admin mapping to Garrison Admins@example.local
The field must match a CN of the group including special characters following by @DomainName
- Leave other settings as defaults
- Click Save
Garrison components Service Provider Metadata locations
After configuring the SAML Service Provider Hostname and uploading Workspace ONE Access Metadata the Service Provider metadata can be downloaded from the following paths:
| Garrison Component | Path |
| System Manager | https://hostname/management/accounts/sso/metadata |
| Connection Broker | https://hostname/management/accounts/sso/metadata |
| Profile Store setup interface | https://hostname/setup/accounts/sso/metadata |
| Profile Store cluster management interface | https://hostname/management/accounts/sso/metadata |
| Isolation Appliance | https://hostname/configuration/accounts/sso/metadata |
| Transfer Appliance | https://hostname/configuration/accounts/sso/metadata |
Where hostname is a hostname of a Garrison component for which you want to download the metadata.
VMware Workspace ONE Access
A new application must be created for each Garrison component. Application configuration is the same. The only difference is Garrison component metadata used to configure new application on VMware Workspace ONE Access.
- Login to VMware Workspace ONE Access Administration console
- Go to Catalog – New
- Set the Name of the new application, click Next
- Select Authentication type to SAML 2.0
- Paste Garrison component Service Provider Metadata to URL/XML field, click Next
- Specify Access Policy or leave default, click Next
- Click Save & Assign and select Active Directory group which require access to this application (i.e. Garrison Admins@example.local)
- Select newly added application and click Edit
- Go to Configuration and change Username Value field to ${user.userPrincipalName}
- Go to Advanced Properties – Custom Attribute Mapping and select the following:
| Name | Format | Namespace | Value |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Basic | [xmlns:md=”urn:oasis:names:tc:SAML:2.0:metadata”] | ${user.firstName} |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Basic | [xmlns:md=”urn:oasis:names:tc:SAML:2.0:metadata”] | ${user.lastName} |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Basic | [xmlns:md=”urn:oasis:names:tc:SAML:2.0:metadata”] | ${groupNames} |
- Save the configuration
As a result, members of Garrison Admins Active Directory group will be able to login either by going to Workspace ONE Access portal and selecting an application needed or by going to Garrison component web interface and selecting Sign In with SAML, which will redirect to Workspace ONE Access portal for authentication.