airwatchhk

Access + Office 365 SSO

Updated: Mar 24, 2023

Here are the two blog posts you can follow to set up an Access + O365 testing environment.


1. This blog shows you the steps to get an Office 365 domain federated to a WSO Access tenant. You will also find the steps to set up Office 365 authentication on WSO Access.


2. Mobile SSO is conditional access enforced by WSO UEM and Access. Only an authenticated user with a compliant device is allowed to access an authorized app.


Please note that ImmutableID management is not covered in the above blogs. ImmutableID management varies between environments. Usually, the ImmutableID is created during the first user account synchronization.


As I don't have Azure AD Connect, I manually created my own ImmutableID. My testing account was created on UEM and synchronized to Access. I use the Employee ID attribute to store the ImmutableID.

This is the user editor on the UEM console.


Account synchronization from UEM to Access is enabled on the UEM console.




When integrating Office 365, ImmutableID is mapped to Employee ID.


ImmutableID is a unique identifier of an Office 365 user account. When a user is validated successfully by Access, Access sends a SAML message to Office 365 carrying the ImmutableID of the authenticated user account.


Here are two sample SAML messages sent from Access to Office 365 after successful user account authentication on the Access side: one with an ImmutableID and one without an ImmutableID.


Office 365 will throw an error if a SAML message does not carry an ImmutableID. In this case, you will need to find out the reason (typically an empty or unmapped Employee ID on the user record) and fix it.
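To troubleshoot the "missing ImmutableID" case described above, here is an added checker script (not from the original post or from VMware) that parses a decoded SAML Response and reports whether the fields Office 365 federation requires are present. It assumes the documented Office 365 SAML 2.0 contract: the ImmutableID is carried as the Subject NameID and the UPN as an attribute named IDPEmail; the sample assertions it builds are constructed, unsigned and trimmed, with a made-up Employee ID used as the ImmutableID, as in the setup above.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def build_response(immutable_id, upn):
    """Build a constructed, unsigned, trimmed SAML Response for exercising the checker.
    (Real Access responses are signed and carry Conditions/AuthnStatement as well.)"""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">{immutable_id}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail">
        <saml:AttributeValue>{upn}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_o365_assertion(xml_text):
    """Return the ImmutableID and UPN found in the assertion plus a list of problems.
    An empty problems list means Office 365 has what it needs to match the user."""
    root = ET.fromstring(xml_text)
    problems = []
    # Office 365 matches the federated user on Subject/NameID == ImmutableID.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    immutable_id = (name_id.text or "").strip() if name_id is not None else ""
    if not immutable_id:
        problems.append("Subject NameID (ImmutableID) is missing or empty")
    # The IDPEmail attribute must carry the user's UPN (assumed O365 contract).
    email = root.find(".//saml:Attribute[@Name='IDPEmail']/saml:AttributeValue", NS)
    upn = (email.text or "").strip() if email is not None else ""
    if not upn:
        problems.append("IDPEmail attribute (UPN) is missing or empty")
    return {"immutable_id": immutable_id or None, "upn": upn or None, "problems": problems}


if __name__ == "__main__":
    # Constructed values: "EMP00123" stands in for an Employee ID used as ImmutableID.
    for label, resp in (("with ImmutableID", build_response("EMP00123", "jdoe@example.com")),
                        ("without ImmutableID", build_response("", "jdoe@example.com"))):
        print(label, check_o365_assertion(resp))
```

To check a real response, base64-decode the SAMLResponse form field from the browser trace and pass the XML text to check_o365_assertion.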



In short, we can get an O365 domain federated to WSO Access so that Access takes care of all user logins and conditional access. In this setup, Access is the IdP and O365 is an SP.


Pros:

  1. WSO Access covers conditional access.

  2. Zero Trust security model: user + device + app authentication/authorization.

  3. More user friendly with certificate-based authentication; no password is required.

  4. It is a native cloud solution.

  5. Conditional access applies to both browsers (e.g. Safari) and mobile apps (e.g. Outlook).


This is a profile to enable Mobile SSO.



Demo video: a non-managed iOS device is blocked from accessing Outlook and the Office portal.

Demo video: a managed iOS device can access Outlook and the Office portal with Mobile SSO.



Optionally, you can turn on Hub Services and the unified app catalog so that users see apps from both Access (Web, Virtual) and UEM (Web, Native) in the WSO Intelligent Hub.

This allows users to reach all enterprise-assigned apps in a single place with the best user experience.


iOS Intelligent HUB look



Windows Intelligent HUB look





To get the unified app catalog, make sure the two settings


1. Source of authentication for Intelligent HUB

2. Use HUB services in Intelligent HUB


are enabled:



Or you can find the configurations here:


Make Workspace ONE Access the source of authentication for Intelligent HUB.


Enable "Use HUB services in Intelligent HUB".

In addition to the unified app catalog, there are other great features in Hub Services. Please refer to this for more details:



