VMware Workspace ONE UEM SAML Single Sign-On (SSO) integration

This topic describes how to configure VMware Workspace ONE Unified Endpoint Management (UEM) for Single Sign-On (SSO) in CyberArk Identity using SAML.

Supported features

The VMware Workspace ONE UEM template supports the following features:

  • SP-initiated SSO

  • Just-in-time (JIT) provisioning

Before you begin

Before you configure the application template for SSO, do the following:

  • Create an account in VMware Workspace ONE UEM with administrator access.

  • Download a metadata file from the VMware Workspace ONE UEM application. You can download the file from https://<domain>.airwatchportals.com/AirWatch/Settings/ExportSettings. You will need to upload this file to the Identity Administration portal later.

Configure the application template in the Identity Administration portal

Step 1: Add the VMware Workspace ONE UEM web application template

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.


  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure Trust settings

  1. Go to the Trust tab.

  2. In the Identity Provider Configuration section, select Metadata, then click Download Metadata File to download the IdP metadata.

    This file is used later when you configure the SAML integration in VMware Workspace ONE UEM.

  3. In the Service Provider Configuration section, select Metadata. Click Choose File and select the metadata file you obtained from the VMware Workspace ONE UEM application. Upload the file.

  4. Click Save.

Step 3: Configure the SAML Response

  1. Verify that the following attributes are mapped, with the VMware Workspace ONE UEM attribute name in the Attribute Name column and the CyberArk Identity attribute in the Attribute Value column.

    Attributes are case-sensitive.

    SAML response attributes

    Attribute Name    Attribute Value
    mail              LoginUser.Email
    uid               LoginUser.Username

  2. Map any other attributes that you want to pass in the SAML response, then click Save.

Step 4: Configure permissions to grant SSO access

Grant SSO access to VMware Workspace ONE UEM users by assigning permissions to users, groups, or roles.

  1. On the Permissions page, click Add.

  2. Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want and click Save.

    Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.

    Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.

Step 5: Review and save

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.

Configure VMware Workspace ONE UEM for SAML SSO

Perform these steps in VMware Workspace ONE UEM to configure the application template for SSO.

  1. Sign in to the VMware Workspace ONE administration console.

  2. Go to Groups & Settings, then to All Settings > System > Enterprise Integration > Directory Services.

  3. Select the following settings:

    Directory services settings

    Field                                  Setting
    Current Setting                        Override
    Directory Type                         None
    Use SAML for Authentication            Enabled
    Enable SAML Authentication for         Select the options you want to use
    Use New SAML Authentication Endpoint   Enabled

  4. In Import Identity Provider Settings, upload the IdP metadata file that you downloaded from the Identity Administration portal.

  5. Click Save.

  6. Under the Request section, confirm that the following settings are selected:

    Request settings

    Field                                  Setting
    Request Binding Type                   POST
    Identity Provider Single Sign-On URL   Single Sign-On URL from the IdP
    NameID Format                          Email Address
    Authentication Request Security        None

  7. Under the Response section, confirm that the following settings are selected:

    Response settings

    Field                                  Setting
    Response Binding Type                  POST
    Authentication Response Security       None
    Allowed Clock Skew                     Maximum clock skew (in minutes) to account for the time discrepancy or drift that may occur between the IdP and SP clocks, while still allowing authentication to proceed.

  8. Click Save.

  9. Go to Settings at the top and select your organization group name.

  10. Copy and save the group ID. You will need it later.

  11. Copy and save your domain. Your domain is in the Workspace ONE URL.
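When an SP-initiated login fails after this configuration, the usual culprits are the attribute mapping from Step 3 (Workspace ONE expects mail and uid, case-sensitive), a NameID Format other than Email Address, or clocks that drift further apart than the Allowed Clock Skew permits. The following script is an added example, not CyberArk's or VMware's code: it parses a constructed, unsigned SAML Response with the Python standard library and reports anything that deviates from those expectations. The response XML, the user values and the timestamps are placeholders; the NameID URN is the standard SAML emailAddress format that the Email Address setting corresponds to. Signature verification is deliberately left out, since the SP validates the signature before it trusts any of these values.

```python
"""Sanity-check a SAML Response against the settings this integration expects.

Added example (not CyberArk's or VMware's code). It checks the Step 3 attribute
mapping (mail, uid), the NameID Format (Email Address) and the Conditions
window with an Allowed Clock Skew, as configured in Workspace ONE UEM.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Standard SAML URN behind Workspace ONE's "Email Address" NameID Format.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRIBUTES = ("mail", "uid")  # the two attributes mapped in Step 3

# Constructed sample response: user, IDs and timestamps are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value: str) -> datetime:
    """Parse the UTC timestamp form used in SAML assertions (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_attributes(response_xml: str) -> dict:
    """Return {attribute name: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    result = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        result[attr.get("Name")] = value.text if value is not None else None
    return result


def check_response(response_xml: str, now: str, allowed_skew_minutes: int = 0) -> list:
    """Return the list of problems found; an empty list means the response matches.

    `now` is the SP's current time as a SAML-style UTC timestamp string.
    """
    problems = []
    root = ET.fromstring(response_xml)

    # NameID Format must be Email Address, as set in the Request settings.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected Email Address")

    # Attribute names are case-sensitive: 'Mail' or 'UID' would not satisfy the mapping.
    attrs = extract_attributes(response_xml)
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append(f"missing or empty attribute {name!r}")

    # Validity window, widened on both sides by the Allowed Clock Skew (minutes).
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        now_dt = _parse_time(now)
        skew = timedelta(minutes=allowed_skew_minutes)
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now_dt < _parse_time(not_before) - skew:
            problems.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now_dt >= _parse_time(not_on_or_after) + skew:
            problems.append("assertion expired (NotOnOrAfter)")
    return problems


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_RESPONSE))
    print(check_response(SAMPLE_RESPONSE, "2024-01-01T12:00:00Z"))
    # One minute past NotOnOrAfter fails with no skew and passes with a 2-minute skew.
    print(check_response(SAMPLE_RESPONSE, "2024-01-01T12:06:00Z"))
    print(check_response(SAMPLE_RESPONSE, "2024-01-01T12:06:00Z", allowed_skew_minutes=2))
```

To use it against a real login, capture the base64-encoded SAMLResponse from the POST to Workspace ONE (a browser's developer tools or SAML tracer extension shows it), decode it, and pass the XML to check_response with the skew value you set under Allowed Clock Skew. The script reports the first mismatch to look at rather than the generic login error the portal shows the user.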

Test the VMware Workspace ONE UEM SSO configuration

Now that you have finished configuring the application template settings in the Identity Administration portal and VMware Workspace ONE UEM, your users can benefit from SP-initiated SSO.

To test SP-initiated SSO:

  1. Go to the following URL:

    https://<domain>.airwatchportals.com/AirWatch/Login?GID=<Group-ID>

  2. Sign in as your test user.