Deploying HYPR with VMware Workspace ONE Access

Overview

This article describes how to integrate True Passwordless Authentication with Workspace ONE Access. The integration replaces the password in the login flow with passwordless authentication powered by Mobile App Authentication methods such as Face, Fingerprint or PIN, and by built-in Platform Authenticators such as Touch ID on macOS and Windows Hello on Windows.

Download Workspace ONE Access Metadata

  1. Log into the Workspace ONE Access Admin Console
  2. Go to Catalog -> Web Apps
  3. Click on the settings button.
  4. Click on the Service Provider (SP) metadata and download a copy to your local file system.

Create a New Client in HYPR

  1. In your HYPR Keycloak Admin Console, go to Clients -> Create
  2. Under Import, click Select file and choose the Workspace ONE Access Metadata that you previously downloaded.
  3. The Client ID and Protocol should be automatically populated
  4. Click Save
  5. Edit the client you just created.
  6. Ensure that the correct Login Theme is selected
  7. Select RSA_SHA256 for the Signature Algorithm
  8. Ensure that the Name ID format is using the correct attribute to properly map to users in Workspace ONE Access.
  9. Click Save
  10. Download your IdP Metadata by going to https://{hyprserver}/auth/realms/{realm}/protocol/saml/descriptor

Create your 3rd Party IDP in Workspace ONE Access

  1. In the Workspace ONE Access Admin Console, go to Identity & Access Management -> Identity Providers
  2. Click on Add Identity Provider -> Create SAML IDP
  3. Provide a Name for this Identity Provider, e.g. HYPR
  4. Paste the IdP Metadata that was previously downloaded into the space provided.
  5. Click Process Metadata
  6. Select the Name ID Format “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”
  7. Select username for the value. Note: If you are mapping to a different attribute, select the appropriate value per your environment.
  8. Under Users, select the correct directory that will be used to match users from the assertion sent from HYPR.
  9. Select All Ranges
  10. Under Auth Methods, provide a unique name for this Authentication, e.g. HYPR-Passwordless
  11. Select “urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport” as the SAML Context.
  12. Click Add
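
The IdP metadata pasted into Workspace ONE Access above becomes the trust anchor for every assertion HYPR sends, so it is worth reviewing the downloaded file before it is processed. The following Python example is added here and is not part of the original article or of HYPR or VMware tooling; it extracts the signing certificate fingerprint, the SSO endpoints and the advertised NameID formats, and the host hypr.example, the realm name and the certificate bytes in the sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
# NameID format selected in the Workspace ONE Access steps above.
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def summarize_idp_metadata(xml_text):
    """Extract the fields to review before the metadata becomes a trust anchor."""
    root = ET.fromstring(xml_text)  # a locally saved file, not untrusted network input
    entity = next(root.iter(f"{{{MD}}}EntityDescriptor"), None)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a missing 'use' covers signing too
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                fingerprints.append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": entity.get("entityID"),
        "signing_sha256": fingerprints,
        "sso_urls": [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)],
        "nameid_formats": [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)],
    }

def review(summary):  # returns a list of problems; an empty list means the checks passed
    problems = []
    if not summary["signing_sha256"]:
        problems.append("no signing certificate in metadata")
    problems += [f"SSO endpoint is not HTTPS: {u}" for u in summary["sso_urls"]
                 if not u.lower().startswith("https://")]
    if NAMEID_FORMAT not in summary["nameid_formats"]:
        problems.append("selected NameID format is not advertised by the IdP")
    return problems

# Constructed sample (hypr.example and the certificate bytes are placeholders).
SAMPLE_DER = b"constructed bytes, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
  xmlns:ds="{NS['ds']}" entityID="https://hypr.example/auth/realms/demo">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://hypr.example/auth/realms/demo/protocol/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Compare the `signing_sha256` value with the fingerprint of the signing certificate obtained from the HYPR server through a separate channel; the constructed sample deliberately fails the HTTPS and NameID checks.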

Set up your Access Policy

In this example, we will use HYPR as a fallback authentication mechanism to Certificate-Based Authentication. All my managed devices will use Certificate-Based Authentication or Mobile SSO with Device Compliance.

For unmanaged devices, we're going to provide a fallback to HYPR for authentication.

  1. Go to Identity & Access Management -> Policies
  2. Edit your default policy.
  3. Edit your Windows 10 and/or macOS Policy
  4. Add HYPR as a Fallback to allow for managed devices
  5. Click Save
  6. Click Next
  7. Click Save

Note: If you want to use HYPR as a second factor of authentication, you can add it along with Mobile SSO or Certificate-Based Authentication.

The one thing to be aware of is that HYPR cannot currently accept usernames in the SAML authentication request. This makes for a less than ideal experience, because the user has to enter a username when redirected to HYPR. The user will get an error in Workspace ONE Access if they authenticate with a different username than expected.

Testing the flow

  1. Access your HYPR Device Manager in your browser and click Add Device
  2. Select Smartphone and scan the provided barcode with your HYPR App
  3. Now log into Workspace ONE Access
  4. You should be redirected to HYPR
  5. Enter your username and select Smartphone
  6. You should get a notification on your device
  7. Click OK and complete the biometric challenge.
  8. You should now be successfully authenticated into Workspace ONE Access.