You can add SaaS applications in the AirWatch Console. Browse applications already added to your Workspace ONE catalog or add new ones.

For information about access policies that secure SaaS applications, see Use Access Policies with SaaS Applications.

  1. Navigate to Apps & Books > Applications > Web > SaaS and select New.
  2. Complete the options on the Definition tab.

    Setting - Description
    Search - Enter the name of the SaaS application and search for it in your catalog. You can also browse the applications in your catalog.
    Name - Enter a name for the SaaS application.
    Description - (Optional) Provide a description of the application.
    Icon

    (Optional) Click Browse and upload an icon for the application.

    SaaS applications use icons in PNG, JPG, and ICON file formats.

    The application icons that you upload must be a minimum of 180 x 180 pixels.

    If the icon is too small, the icon does not display. In this instance, the system displays the Workspace ONE icon.

    Category

    Assign categories to help users sort and filter the application in the Workspace ONE catalog.

    Configure categories in VMware Identity Manager so that they display in the category list.

  3. Complete the options on the Configuration tab.

    1. Authentication Type - Select the authentication type for the SaaS application.

      Available options vary depending on the type you select. The authentication type determines the available settings on the user interface. There are several permutations.

      • SAML 2.0 - The SAML 2.0 authentication profile enables single sign-on from VMware Identity Manager to the Web application.
      • SAML 1.1 - SAML 1.1 is an older SAML authentication profile. For better security, implement SAML 2.0.
      • WSFed 1.2 - When the SaaS application supports WS-Federation authentication, select this authentication type to provide single sign-on to those applications.

      Go to the authentication type for your SaaS application for available configurations.

      • SAML 2.0

        Setting - Description
        Configuration
        • URL/XML is the default option for SaaS applications that are not yet part of the Workspace ONE catalog.
        • Manual is the default option for SaaS applications added from the catalog.
        URL/XML

        Enter the URL if the XML metadata is accessible on the Internet.

        Paste the XML in the text box if the XML metadata is not accessible on the Internet, but you have it.

        Use manual configuration if you do not have the XML metadata. T

        Relay State URL

        Enter a URL where you want SaaS application users to land after a single sign-on procedure in an identity provider (IdP)-initiated scenario.

        Manual

        Single Sign-On URL

        Enter the Assertion Consumer Service (ACS) URL.

        Workspace ONE sends this URL to your service provider for single sign-on.

        Recipient URL

        Enter the URL with the specific value required by your service provider that states the domain in the SAML assertion subject.

        If your service provider does not require a specific value for this URL, enter the same URL as the Single Sign-On URL.

        Application ID

        Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID.

        Some service providers use the Single Sign-On URL.

        Username Format - Select the SAML subject format required by the service provider.
        Username Value

        Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement.

        This value is a default profile field value for a username at the application service provider.

        Relay State URL

        Enter a URL where you want SaaS application users to land after a single sign-on procedure in an identity provider (IdP)-initiated scenario.

      • SAML 1.1

        Setting - Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
        Single Sign-On URL

        Enter the Assertion Consumer Service (ACS) URL.

        Workspace ONE sends this URL to your service provider for single sign-on.

        Recipient URL

        Enter the URL with the specific value required by your service provider that states the domain in the SAML assertion subject.

        If your service provider does not require a specific value for this URL, enter the same URL as the Single Sign-On URL.

        Application ID

        Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID.

        Some service providers use the Single Sign-On URL.

      • WSFed 1.2

        Setting - Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
        Single Sign-On URL

        Enter the Assertion Consumer Service (ACS) URL.

        Workspace ONE sends this URL to your service provider for single sign-on.

        Application ID

        Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID.

        Some service providers use the Single Sign-On URL.

        Username Format

        Select the SAML subject format required by the service provider.

        Username Value

        Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement.

        This value is a default profile field value for a username at the application service provider.

      • None

        Setting - Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
    2. Application Parameters - Add values for advanced parameters to allow the application to launch. This option is not available for all applications.
    3. Advanced Properties - If you want greater control of messaging in single sign-on processes with Workspace ONE, add optional parameters. The authentication type determines the available settings on the user interface. There are several permutations. Go to the authentication type for your SaaS application.

      Setting - Description
      SAML 2.0
      Sign Response

      Require Workspace ONE to sign the response message to the service provider. This signature verifies that Workspace ONE created the message.

      Sign Assertion

      Require Workspace ONE to sign the assertion within the response message sent to the service provider.

      Some service providers require this option.

      Include Assertion Signature

      Require Workspace ONE to include its signing certificate within the response message sent to the service provider.

      Some service providers require this option.

      Signature Algorithm

      Select the signature algorithm that matches the digest algorithm.

      If your service provider supports SHA256, select this algorithm.

      Digest Algorithm

      Select the digest algorithm that matches the signature algorithm.

      If your service provider supports SHA256, select this algorithm.

      Assertion Time - Enter the number of seconds for which the assertion that Workspace ONE sends to the service provider for authentication is valid.
      Request Signature - If you want the service provider to sign the SAML request it sends to Workspace ONE, enter the public signing certificate.
      Application Login URL

      Enter the URL for your service provider's login page.

      This option triggers the service provider to initiate a login to Workspace ONE. Some service providers require authentication to start from their login page.

      Proxy Count - Enter the allowable proxy layers between the service provider and an authenticating identity provider.
      API Access - Enable API access to the SaaS application.
      Custom Attribute Mapping - If your service provider allows custom attributes other than ones for single sign-on, add them.
      SAML 1.1
      Signature Algorithm

      Select the signature algorithm that matches the digest algorithm.

      If your service provider supports SHA256, select this algorithm.

      Digest Algorithm

      Select the digest algorithm that matches the signature algorithm.

      If your service provider supports SHA256, select this algorithm.

      Assertion Time - Enter the number of seconds for which the assertion that Workspace ONE sends to the service provider for authentication is valid.
      Custom Attribute Mapping - If your service provider allows custom attributes other than ones for single sign-on, add them.
      WSFed 1.2
      Credential Verification - Select the method for credential verification.
      Signature Algorithm

      Select the signature algorithm that matches the digest algorithm.

      If your service provider supports SHA256, select this algorithm.

      Digest Algorithm

      Select the digest algorithm that matches the signature algorithm.

      If your service provider supports SHA256, select this algorithm.

      Assertion Time - Enter the number of seconds for which the assertion that Workspace ONE sends to the service provider for authentication is valid.
      Custom Attribute Mapping - If your service provider allows custom attributes other than ones for single sign-on, add them.
    4. Access Policies - Assign policies to secure signing in to application resources.

      Setting - Description
      Access Policy

      Select a policy for Workspace ONE to use to control user authentication and access.

      The default access policy is available if you do not have custom access policies.

      You can configure these policies in the AirWatch Console.

      Open in VMware Browser

      Android and iOS

      Require Workspace ONE to open the application in the VMware Browser.

      If you use VMware Browser, opening SaaS applications within it adds extra security. This action keeps access within internal resources.

      License Approval Required

      Require approvals before the application installs and activates a license.

      • License Pricing - Select the pricing model to buy licenses for the SaaS application.
      • License Type - Select the user model for the licenses, named or concurrent users.
      • Cost Per License - Enter the price per license.
      • Number of Licenses - Enter the number of licenses bought for the SaaS application.

      Configure the corresponding Approvals in the Settings section of SaaS applications.

  4. View the Summary for the SaaS application and move to the assignment process.
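
As an added example (not VMware's code), the following Python sketch reads a service provider's SAML 2.0 metadata, the same XML the URL/XML option in step 3 consumes, and derives the values the Manual option asks for, so that manually entered fields can be cross-checked. The sample metadata, the sp.example.com host and the manual_fields function are constructed for illustration, and the mapping of the WantAssertionsSigned and AuthnRequestsSigned flags to the Sign Assertion and Request Signature settings is an assumption based on the setting descriptions above.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; sp.example.com is a placeholder tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Location="https://sp.example.com/saml/acs-redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Location="https://sp.example.com/saml/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def manual_fields(metadata_xml):
    """Map SP metadata to the manual SAML 2.0 fields; return (fields, warnings)."""
    # Untrusted metadata: in production use a hardened parser such as defusedxml.
    root = ET.fromstring(metadata_xml)
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [e for e in sp.findall(MD + "AssertionConsumerService")
           if e.get("Binding") == POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    # Prefer the endpoint marked isDefault, then the lowest index.
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    sso_url = acs[0].get("Location")
    fields = {
        "Single Sign-On URL": sso_url,
        "Recipient URL": sso_url,  # same as the SSO URL unless the SP requires another
        "Application ID": root.get("entityID"),
        "Username Format": [n.text.strip() for n in sp.findall(MD + "NameIDFormat")],
        # Assumed mapping of SP metadata flags to the Advanced Properties settings.
        "Sign Assertion": sp.get("WantAssertionsSigned") in ("true", "1"),
        "Request Signature": sp.get("AuthnRequestsSigned") in ("true", "1"),
    }
    warnings = []
    if not sso_url.startswith("https://"):
        warnings.append("ACS URL is not HTTPS")
    if not fields["Sign Assertion"]:
        warnings.append("SP does not ask for signed assertions")
    return fields, warnings
```
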
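
To confirm that the Signature Algorithm, Digest Algorithm and Assertion Time chosen under Advanced Properties are what the service provider actually receives, this added example (not VMware's code) audits a captured SAML 2.0 assertion. The sample assertion and the audit_assertion function are constructed, and the 300-second limit is an assumed policy value, not one stated on this page; the check reads the declared algorithms only and does not verify the signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# XML Signature algorithm URIs mapped to their hash family.
SIG = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA256",
       "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA1"}
DIG = {"http://www.w3.org/2001/04/xmlenc#sha256": "SHA256",
       "http://www.w3.org/2000/09/xmldsig#sha1": "SHA1"}
TIME = "%Y-%m-%dT%H:%M:%SZ"

# Constructed assertion skeleton: signature and digest values are omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_constructed">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:30:00Z"/>
</saml:Assertion>"""


def audit_assertion(xml_text, max_seconds=300):
    """Return findings for algorithm mismatch, non-SHA256 hashes and long validity."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//ds:SignatureMethod", NS)
    dig = root.find(".//ds:DigestMethod", NS)
    if sig is None or dig is None:
        return ["assertion carries no signature"]
    sig_hash = SIG.get(sig.get("Algorithm"), "unknown")
    dig_hash = DIG.get(dig.get("Algorithm"), "unknown")
    findings = []
    if sig_hash != dig_hash:
        findings.append(f"signature uses {sig_hash} but digest uses {dig_hash}")
    for label, used in (("Signature Algorithm", sig_hash), ("Digest Algorithm", dig_hash)):
        if used != "SHA256":
            findings.append(f"{label} is {used}, not SHA256")
    # Assertion Time shows up as the NotBefore..NotOnOrAfter window on Conditions.
    cond = root.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        start = datetime.strptime(cond.get("NotBefore"), TIME)
        end = datetime.strptime(cond.get("NotOnOrAfter"), TIME)
        lifetime = int((end - start).total_seconds())
        if lifetime > max_seconds:
            findings.append(f"assertion valid for {lifetime} s, limit is {max_seconds} s")
    return findings
```
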

Assign SaaS Applications

Assign SaaS applications to users and groups configured in VMware Identity Manager. See Assign SaaS Applications.