Horizon NSX-T

SAML Authentication with Workspace ONE Access: Part 2 Primary Node Deployment and Config

SAML Authentication with Workspace ONE Access Series

So, I was originally going to go over setting up the Load Balancer in NSX-T, but I’m having issues getting it configured. So I decided to keep the content flowing by sharing the deployment of the primary node as the next part in this series. It doesn’t matter which order you do these two steps in at this point. However, it finally locks down the next blog article to come. 😉 So on to the content…

As with much of this series, I am following several of the VMware guides that are published for Workspace ONE Access 20.10 and NSX-T 3.1. In this article, we will walk through the deployment of the Workspace ONE Access OVA file to your environment. I am going to assume you know how to deploy an OVA in your vCenter and I’ll just post my screenshots of my deployment here. There is nothing unusual about the deployment until the end, which (I think) is something on the VMware vApp packaging side.

In my case, I have a VM Folder for DMZ virtual machines. This helps keep my mind around where the “sensitive” VMs are that I need to watch over.

I am going to be installing each of these nodes on a different host, but the first will be on my primary server.

I’m going to choose the “Extra Small” size since this is a HomeLab environment. The sizing guidelines can be found here.

This is an Overlay segment in my NSX-T environment.

This is where you will configure the settings specific to the first node. Ensure at this point, you use the actual hostname, not the Load Balanced one. You will change this in the application configuration later.

The confirmation page is where things got a little squirly. I tried this numerous times. I even went back and re-downloaded the appliance OVA to be sure mine wasn’t corrupted. #VMware, you have some issues with the vApp confirmation page!

Once you click “Finish”, it’s off to the races. This didn’t take too long to deploy the OVA.

Once it’s deployed, go ahead and turn it on. The first boot takes a while to complete. You will know when it’s done and ready to move on when you see the screen below.

At this point, you’re ready to configure the appliance for your environment. When you see the above screen, open a web browser and navigate to https://<your appliance fqdn>. You will need to accept the certificate error as a self-signed certificate is generated on install. You will fix this in the next guide. If all goes well, you should see the following web page:

Click “Continue” to move on to the next step and set your appliance passwords.

You cannot change the usernames at this point, so you will want to choose strong passwords and save them in a safe place. I have a password manager that I really like that generates 30-character random passwords for me. I have different passwords for every site and only really change when I read in the news that site was compromised.

This step is where you configure the database connection. In my case, I am using the IP address of the Load Balanced IP for the “mssql-wso-service” service created in Kubernetes in the last step. I could have loaded a dns entry for this ip address, but since it’s a homelab, I decided not to today. The connection string for an External Microsoft SQL Server using a local SQL server account is (reference):


Test the connection and if all goes well, you should have a successful connection. If not, go through the database settings and permissions (including having a schema named “saas”) again. Click “Continue” when you have a good connection.

This is where you wait…and wait…and wait. On my server, this took about 15-20 minutes or so. When everything was done and it was configured properly, you should see the following page:

You will want to save both of those web address links. If you forget, navigate to the following page which will show you both of the links again:


That’s it for the installation and initial configuration. I would recommend going into the “Appliance Configurator” first to fine tune any settings for the appliance that are appropriate for your environment. When the appliance is tuned properly (ssl certs, time zone, passwords, etc.), you will spend a majority of your time in the Admin Console. This is where you setup and manage your user directories and access control configuration.

Hopefully this was a helpful walkthrough this phase. In the next article, we will walk through setting up a Load Balancer in NSX-T and deploy 2 additional nodes to complete our cluster. Happy HomeLabbing!

2 replies on “SAML Authentication with Workspace ONE Access: Part 2 Primary Node Deployment and Config”

Leave a Reply