I started this series about Workspace ONE Access almost a year ago. To be honest, there were not a lot of posts regarding this topic so far… And I finally had time to update the previous article about the Identity Manager Connector installation.

With that said we can now move forward and leverage that connector for Active Directory integration. After that, we will be able to build on top of it and integrate with Horizon, use MFA (VMware Verify) or add 3rd party SaaS applications.

Directory synchronization

Workspace ONE Access needs to have your directory users synchronized into its own database in order to work. Please note that no passwords leave your premises and you are in charge of which attributes will be synced to Workspace ONE Access.

Let’s get started. Log in to Access as a system administrator.

Switch from the user console to the administration console.

Navigate to the “Identity & Access Management” section.

You should end up by default in the directory sub-section.

Click on “Add Directory” and choose “Add Active Directory over LDAP/IWA”.

Fill in the details. Note that if you installed your connector without running the service as a domain user, IWA will not work.

After validating the credentials, you should be presented with one (or more) domains, which are available for synchronization, so pick the right one.

Here you see which attributes will be synced and how they will be mapped to Workspace ONE Access attributes.

Note: The required flag means that if the attribute is missing in AD for a given user/group, Access will not synchronize that object, which can be a problem.

For the upcoming step, you will need to know the distinguished name of the Organizational Unit where you have your User and Group objects. If you don’t know it off the top of your head, here is a little hint on how to get it.

Open your “Active Directory Users and Computers” console and enable “Advanced Features” in the View menu.

Find the OU you are interested in and go to its properties.

In the “Attribute Editor” tab search for a key called “distinguishedName”. Copy that value to your clipboard.
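The note about the required flag and the DN lookup above can be checked together from PowerShell before the first sync. This is an added example, not part of the original post: the function name `Find-MissingSyncAttribute`, the OU name `Staff`, the `example.test` domain and the default attribute list are all assumptions, so replace the list with the attributes flagged as required on your own mapping page.

```powershell
# Added example: pre-sync check for directory objects that lack an attribute
# flagged "required" in the Access attribute mapping.
# The default attribute list is an assumption; copy yours from the mapping page.
function Find-MissingSyncAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$InputObject,

        [string[]]$RequiredAttributes = @('sAMAccountName', 'givenName', 'sn', 'mail')
    )
    process {
        # Collect every required attribute that is absent or empty on this object.
        $missing = foreach ($attr in $RequiredAttributes) {
            $value = $InputObject.$attr
            if ($null -eq $value -or [string]::IsNullOrWhiteSpace([string]$value)) { $attr }
        }
        # Emit a row only for objects that would be skipped by the sync.
        if ($missing) {
            [pscustomobject]@{
                DistinguishedName = $InputObject.DistinguishedName
                Missing           = $missing -join ', '
            }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output (not real accounts).
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Alice Ng,OU=Staff,DC=example,DC=test'
                       sAMAccountName = 'alice'; givenName = 'Alice'; sn = 'Ng'; mail = 'alice@example.test' }
    [pscustomobject]@{ DistinguishedName = 'CN=svc-backup,OU=Staff,DC=example,DC=test'
                       sAMAccountName = 'svc-backup'; givenName = $null; sn = $null; mail = '' }
)
$sample | Find-MissingSyncAttribute

# Against a live domain (needs the RSAT ActiveDirectory module); 'Staff' is a placeholder OU name:
# $ou = (Get-ADOrganizationalUnit -Filter 'Name -eq "Staff"').DistinguishedName
# Get-ADUser -SearchBase $ou -Filter * -Properties givenName, sn, mail | Find-MissingSyncAttribute
```

Service accounts without a mail address or surname are the usual rows in this output; either populate the attribute in AD or clear the required flag for it before syncing.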

Now you will need to tell Workspace ONE Access where to look for your Groups. Click on the “plus” sign.

Paste in your DN. Now hit the “tab” key or click away from the text box. Access will scan the DN and let you know which groups it found. You can pick and choose what you need or select all groups.

Repeat a similar procedure for users.

After all that, Access will summarize for you what will be synchronized. You should see some users and/or groups on this page; if not, you did something wrong.

Sync will run for some time, depending on the number of objects.

You should see your Users popping up in the “Users & Groups” section.

And the same for your Groups.

You can always check the Sync Log to find out what went wrong.

Identity Provider

Users and groups are synchronized to Workspace ONE Access. Now you need to tell the built-in identity provider to actually use the connector to perform authentication.

Navigate to the “Identity Providers” sub-menu and click on “Built-in”.

Select your domain name and for simplicity also tick ALL RANGES. Pick a connector from the dropdown menu and click “Add Connector”.

Tick the “Password (cloud deployment)” box that appears and save the changes.

You should see your connector name and “Password (cloud deployment)” method next to the built-in connector now.

Access Policies

Depending on your setup, you might need to change the access policies. In most cases the connector in the internal network is not accessible from everywhere, so you will need to switch the policy from “Password” to “Password (cloud deployment)”.

Don’t be misled by the “cloud deployment” in the name of the authentication method; it is also valid for on-prem Workspace ONE Access deployments.

So what is the difference:

  • Password = AD authentication is performed directly on the connector, and the client is redirected to the connector URL. If it’s not accessible, users won’t be able to authenticate.
  • Password (Cloud Deployment) = Connector opens a tunnel going outbound from the internal network to Workspace ONE Access (which can be in your DMZ or in the cloud). That’s why this is sometimes referred to as “outbound only mode”. Authentication is performed directly on the Workspace ONE Access appliance and the tunnel is used to communicate with the connector and validate AD credentials. There is no redirection and clients don’t need visibility directly to the internal network/connector.

To change it, navigate to the “Policies” sub-menu and click on “Edit default policy”.

Click “Next”.

Select the Web Browser item and click on “ALL RANGES”.

Change the primary authentication method from “Password” to “Password (cloud deployment)”.

Select the Workspace ONE App or Hub App item and click on “ALL RANGES”.

Change the primary authentication method from “Password” to “Password (cloud deployment)”.

You should see “Password (cloud deployment)” for both options. Click “Next”.

Save changes and confirm the summary step.

Bonus Tip: If you manage to lock yourself out with wrongly configured access policies, you can always navigate to this URL: https://<workspace-one-access-fqdn>/SAAS/auth/0

This will allow you to log in with your System Domain administrator and you will be able to fix your mistakes.

You should now be able to choose the domain during logon and successfully authenticate using your AD credentials.

You can continue by adding your first SaaS application to the catalog.