Use Case

The customer requires the ability to trigger a Workspace ONE Access AD sync via API, in order to enable a bypass mechanism for VMware Verify users.

If a user loses the mobile on which Verify is installed, how do they access their Workspace ONE Access resources? Removing the user from the MFA AD group and syncing into Access has enabled the customer to implement a bypass solution, should they need it. Why not just sync through the console, you ask? Unfortunately the Access connector can only be set to sync ‘Once per week’, ‘Once per day’, ‘Hourly’ or ‘Manually’. This could potentially mean a user is without access for an hour.

Implementation

First things first, get postman: https://www.postman.com/

Step 1 – Create a remote app access client

In order to force the sync we need to get the directory that we want to sync.

  1. Log into the Workspace ONE Access console.
  2. Click the arrow on the Catalog tab and select Settings.
  3. Click Remote App Access in the left pane.
  4. Click Create Client.
  5. For Access Type, select Service Client Token.
  6. For Client ID, enter an ID, for example, APIAccess.
  7. Expand the Advanced section.
  8. Click Generate Shared Secret.

Step 2 – Generate OAuth Bearer Token

  1. Open a new tab in the Postman app.
  2. For the HTTP method, select POST.
  3. For the URL, enter: https://tenanturl/SAAS/jersey/manager/api/connectormanagement/directoryconfigs (replace ‘tenanturl’ with your Workspace ONE Access URL, for example: https://example.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs).
  4. Click the Authorization tab and select OAuth 2.0 as the type.
  5. Click Get New Access Token.
  6. For Token Name, enter a name, such as APIAccess.
  7. For Grant Type, select Client Credentials.
  8. For Access Token URL, enter https://tenantURL/SAAS/auth/oauthtoken, where tenantURL is your Workspace ONE Access tenant URL. For example: https://example.vmwareidentity.com/SAAS/auth/oauthtoken
  9. For Client ID, enter the Client ID that you set in Step 1 (Create a remote app access client).
  10. For Client Secret, enter the shared secret that you generated in Step 1.
  11. For Scope, enter admin.
  12. Click Request Token. A token is generated and displayed.
  13. To verify that the bearer token was added, click the Headers tab and click hidden headers.

Step 3 – Get the Directory ID

Now that you’re authorised against your Access tenant, we need to obtain the directory ID in order to force the sync. This can be done by hitting the following Access URL: https://TenantURL/SAAS/jersey/manager/api/connectormanagement/directoryconfigs

With the following content-type:

Content-Type: application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.sync+json

You should receive the following information:

Step 4 – Force a manual sync of AD

Now that we’ve got the directory ID, we need to send a POST to the Access URL for that directory, with a body telling it to ignore safeguards so that the sync is forced:

POST: https://TenantURL.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/{directoryID}/syncprofile/sync

Content-Type: application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.sync+json

Body:

{
    "ignoreSafeguards": "true"
}

You should end up with this:

Sending this will force the specified domain to be synced. You can check this by navigating to the Directories section within Workspace ONE Access, where you will see that a sync is in progress:
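The same three calls (token, directory lookup, forced sync) scripted end to end in Python with only the standard library, as an added example that is not from the original post. It assumes the client ID and secret are sent as an HTTP Basic header (Postman's default for the Client Credentials grant), and that the directory listing is JSON with items/name/directoryId keys, which the post only shows as a screenshot; check the real response before relying on them.

```python
import base64
import json
import os
import urllib.parse
import urllib.request
API = "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs"
# Media type the post uses for both the directory listing and the sync call.
SYNC_TYPE = ("application/vnd.vmware.horizon.manager.connector.management."
             "directory.sync.profile.sync+json")

def token_request(tenant, client_id, client_secret):
    # Step 2 grant (scope=admin); id:secret as a Basic header is an assumption (Postman's default).
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "admin"})
    return {"method": "POST", "url": f"https://{tenant}/SAAS/auth/oauthtoken",
            "headers": {"Authorization": f"Basic {creds}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": body.encode()}

def directories_request(tenant, token):
    # Step 3: list the directory configs to find the directory ID.
    return {"method": "GET", "url": f"https://{tenant}{API}", "body": None, "headers":
            {"Authorization": f"Bearer {token}", "Accept": SYNC_TYPE, "Content-Type": SYNC_TYPE}}

def sync_request(tenant, token, directory_id):
    # Step 4: force the sync; the post sends ignoreSafeguards as the string "true".
    return {"method": "POST",
            "url": f"https://{tenant}{API}/{urllib.parse.quote(directory_id, safe='')}/syncprofile/sync",
            "headers": {"Authorization": f"Bearer {token}", "Content-Type": SYNC_TYPE},
            "body": json.dumps({"ignoreSafeguards": "true"}).encode()}

def find_directory_id(listing, name):
    # items/name/directoryId keys are an assumption: the post shows the listing only as a screenshot.
    for item in listing.get("items", []):
        if item.get("name") == name:
            return item["directoryId"]
    raise KeyError(f"no directory named {name!r}")

def send(req):
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=30) as resp:
        raw = resp.read()  # the sync call may come back with an empty body
    return json.loads(raw) if raw else {}

if __name__ == "__main__":
    # The client carries the admin scope, so the secret comes from the environment, not the script.
    tenant, cid, secret, name = (os.environ[k] for k in
        ("WS1_TENANT", "WS1_CLIENT_ID", "WS1_CLIENT_SECRET", "WS1_DIRECTORY"))
    token = send(token_request(tenant, cid, secret))["access_token"]
    directory_id = find_directory_id(send(directories_request(tenant, token)), name)
    print(send(sync_request(tenant, token, directory_id)) or "sync requested")
```

Set WS1_TENANT, WS1_CLIENT_ID, WS1_CLIENT_SECRET and WS1_DIRECTORY (the directory's display name) and run the script; the Directories page in the console will then show the sync in progress, as described above.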

Here it is in action:
