Use Case
Customer requires the ability to trigger a Workspace ONE Access AD sync via API in order to enable a bypass mechanism for VMware Verify Users.
If a user loses the mobile device on which Verify is installed, how do they access their Workspace ONE Access resources? Removing the user from the MFA AD group and syncing that change into Access has allowed the customer to implement a bypass solution, should they need one. Why not just sync through the console, you ask? Unfortunately the Access connector can only be set to sync ‘Once per week’, ‘Once per day’, ‘Hourly’ or ‘Manually’. This could potentially mean a user is without access for an hour.
Implementation
First things first, get postman: https://www.postman.com/
Step 1 – Create a remote app access client
In order to force the sync we need to get the directory that we want to sync.
- Log into the Workspace ONE Access console.
- Click the arrow on the Catalog tab and select Settings.
- Click Remote App Access in the left pane.
- Click Create Client.
- For Access Type, select Service Client Token.
- For Client ID, enter an ID, for example, APIAccess.
- Expand the Advanced section.
- Click Generate Shared Secret.
Step 2 – Generate OAuth Bearer Token
- Open a new tab in the Postman app.
- For the HTTP method, select POST.
- For the URL, enter: https://tenanturl/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
Replace ‘tenanturl’ with your Workspace ONE Access URL, for example: https://example.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
- Click the Authorization tab and select OAuth 2.0 as the type.
- Click Get New Access Token.
- For Token Name, enter a name, such as APIAccess.
- For Grant Type, select Client Credentials.
- For Access Token URL, enter https://tenantURL/SAAS/auth/oauthtoken, where tenantURL is your Workspace ONE Access tenant URL. For example: https://example.vmwareidentity.com/SAAS/auth/oauthtoken
- For Client ID, enter the Client ID that you set in Create Remote App Access Client.
- For Client Secret, enter the secret that you set in Create Remote App Access Client.
- For Scope, enter admin.
- Click Request Token. A token is generated and displayed.
- To verify that the bearer token was added, click the Headers tab and click hidden headers.
Step 3 – Get the Directory ID
Now that you’re authorised against your Access tenant, the next thing needed to force the sync is the directory ID. This can be obtained by hitting the following Access URL: https://TenantURL/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
With the following content-type:
Content-Type: application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.sync+json
You should receive the following information:
Step 4 – Force a manual sync of AD
Now that we’ve got the directory ID, we need to send a POST to the Access URL and ID with a command to ignore safeguards to force the sync:
POST: https://TenantURL.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/{directoryID}/syncprofile/sync
Content-Type: application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.sync+json
Body:
{
  "ignoreSafeguards": "true"
}
You should end up with this:
Sending this will force the specified directory to be synced. You can check this by navigating to the Directories section within Workspace ONE Access, where you will see that a sync is in progress:
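The same four steps as a single standard-library Python script, added here as an example and not part of the original post: the tenant URL, client ID, shared secret and directory name are placeholders, and the items/name/directoryId keys used to read the directory list are an assumed response shape, since the screenshot of that response is not reproduced above.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholders: replace with your tenant and the client created in step 1.
TENANT = "https://example.vmwareidentity.com"
API = "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs"
SYNC_CT = ("application/vnd.vmware.horizon.manager.connector.management."
           "directory.sync.profile.sync+json")

def token_request(tenant, client_id, client_secret):
    """Step 2: client-credentials grant against /SAAS/auth/oauthtoken with scope admin.
    Credentials are sent in the form body (assumed; Postman may send them as Basic auth)."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "admin"}
    return urllib.request.Request(tenant + "/SAAS/auth/oauthtoken",
                                  data=urllib.parse.urlencode(form).encode(),
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})

def configs_request(tenant, token):
    """Step 3: GET the directory configs using the bearer token and the post's content type."""
    return urllib.request.Request(tenant + API, headers={
        "Authorization": "Bearer " + token, "Content-Type": SYNC_CT})

def directory_ids(configs_json):
    """Map directory name -> directoryId. The items/name/directoryId keys are an
    assumed response shape, not confirmed by the post."""
    return {d["name"]: d["directoryId"] for d in json.loads(configs_json).get("items", [])}

def sync_request(tenant, token, directory_id):
    """Step 4: POST .../{directoryID}/syncprofile/sync with ignoreSafeguards set."""
    return urllib.request.Request(f"{tenant}{API}/{directory_id}/syncprofile/sync", method="POST",
                                  data=json.dumps({"ignoreSafeguards": "true"}).encode(),
                                  headers={"Authorization": "Bearer " + token, "Content-Type": SYNC_CT})

def force_sync(tenant, client_id, client_secret, directory_name):
    """Live run: token -> directory ID -> sync; returns the HTTP status of the sync call."""
    with urllib.request.urlopen(token_request(tenant, client_id, client_secret)) as r:
        token = json.load(r)["access_token"]
    with urllib.request.urlopen(configs_request(tenant, token)) as r:
        dir_id = directory_ids(r.read().decode())[directory_name]
    with urllib.request.urlopen(sync_request(tenant, token, dir_id)) as r:
        return r.status

if __name__ == "__main__":
    print(force_sync(TENANT, "APIAccess", "<shared secret from step 1>", "example.local"))
```

Keep the shared secret out of the script itself (an environment variable or secrets store) because the client carries the admin scope.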
Here it is in action:
Sales Engineer specialising in Unified Endpoint Management (UEM) and Identity Management.
Technical Expertise:
- Okta – Identity Management – Providing single sign-on services to applications
- VMware Workspace ONE – Configuring and managing AirWatch components across all device types.
- Digital Transformation – Helping organisations implement and deploy a modern strategy for UEM
- Networking – VPN, DNS, DHCP
- Device Management – macOS, iOS, Android, Windows and Rugged Devices
- Cloud Solutions – Azure, Office 365, Identity Providers, VMware AirWatch
- Server – Windows Server, Active Directory, Exchange
Mo
February 4, 2021
Hey Charlie, I followed your instructions to get the access token but when I tried to request, I get “Authentication failed. Couldn’t complete authentication. Check the Postman Console for more details.” I double-checked my vIDM and what I’m placing into the Postman fields and it looks right. Any suggestions on where to look to fix this would be appreciated. Thanks.