Add Office 365 applications to the AirWatch Console so that you can control access with client access policies.

  1. Navigate to Apps & Books > Applications > Web > SaaS and select New.
  2. Complete the options on the Definition tab.

    Setting - Description
    Search - Enter Office 365 to see a list of available applications.
    Name - Enter or view a name for the SaaS application.
    Description - (Optional) Provide a description of the application. Often, this field pre-populates.

    (Optional) Select an icon if one does not pre-populate.

    (Optional) Assign categories to help users sort and filter the application in the Workspace ONE catalog. Configure categories in VMware Identity Manager so that they display in the category list.

  3. Complete the options on the Configuration tab.

    1. Authentication Type - Office 365 applications use WSFed 1.2 as the authentication type to provide single sign-on.

      Setting - Description
      Target URL - Enter the URL to direct users to the SaaS application on the Internet.
      Single Sign-On URL - Enter the Assertion Consumer Service (ACS) URL. Workspace ONE sends this URL to your service provider for single sign-on.
      Application ID - Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID. Some service providers use the Single Sign-On URL.
      Username Format - Select the format required by the service providers for SAML subject format.
      Username Value - Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement. This value is a default profile field value for a username at the application service provider.

    2. Application Parameters - Add values for advanced parameters to allow the application to launch.
    3. Advanced Properties - If you want greater control of messaging in single sign-on processes with Workspace ONE, add optional parameters.

      Setting - Description
      WSFed 1.2
      Credential Verification - Select the method for credential verification.
      Signature Algorithm - Select the signature algorithm that matches the digest algorithm. If your service provider supports SHA256, select this algorithm.
      Digest Algorithm - Select the digest algorithm that matches the signature algorithm. If your service provider supports SHA256, select this algorithm.
      Assertion Time - Enter the number of seconds for which the assertion that Workspace ONE sends to the service provider for authentication is valid.
      Custom Attribute Mapping - If your service provider allows custom attributes other than ones for single sign-on, add them.
    4. Access Policies - Assign policies to secure signing in to application resources.

      Setting - Description
      Access Policy - Select a policy for Workspace ONE to use to control user authentication and access. The default access policy is available if you do not have custom access policies. You can configure these policies in the AirWatch Console.
      Open in VMware Browser - Require Workspace ONE to open the application in the VMware Browser. If you use VMware Browser, opening SaaS applications within it adds extra security. This action keeps access within internal resources.
      License Approval Required - Require approvals before the application installs and activates a license.

      • License Pricing - Select the pricing model to buy licenses for the SaaS application.
      • License Type - Select the user model for the licenses, named or concurrent users.
      • Cost Per License - Enter the price per license.
      • Number of Licenses - Enter the number of licenses bought for the SaaS application.

      Configure the corresponding Approvals in the Settings section of SaaS applications.

  4. Add Client Access Policies for Office 365 clients. A client access policy allows VMware Identity Manager to manage the Office 365 client UI credentials collected for authentication. Some client examples include VMware Boxer and Microsoft Outlook.

    Select Add Policy Rule and complete the settings.

    Setting - Description
    If the user's client is - Select an available Office 365 client.
    And a user's network range is - Select a network range previously configured in the network ranges process.
    And the user's device type is - Select the allowed device platform for access.
    and user belongs to group(s) - Select user groups allowed to access content according to the criteria in this policy. If you select no groups, the policy applies to all users.
    And the client's email protocol is - Select the allowable protocol for the Office 365 client.
    Then perform this action - Allow or deny access to Office 365 applications.
  5. View the Summary for the SaaS application and move to the assignment process.
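
A check you can run on a captured token to confirm the Advanced Properties above took effect (an added example, not VMware code): it flags a signature/digest hash mismatch and a validity window longer than the configured Assertion Time. The sample assertion, the function names, and the mapping of Assertion Time to the `NotBefore`/`NotOnOrAfter` window are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# XML-DSig algorithm URIs mapped to the hash they rely on.
SIG = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA1",
       "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA256"}
DIG = {"http://www.w3.org/2000/09/xmldsig#sha1": "SHA1",
       "http://www.w3.org/2001/04/xmlenc#sha256": "SHA256"}

# Constructed sample: SHA256 signature paired with a SHA1 digest, 600 s window.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z"/>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</saml:Assertion>"""

def first(root, name):
    """First element with this local name, whatever its namespace."""
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def parse_time(value):
    """Parse an xs:dateTime value in UTC ('Z' suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_assertion(xml_text, assertion_time):
    """Compare a captured assertion with the configured settings.
    Reads metadata only; it does not verify the signature itself."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted input
    sig, dig, cond = (first(root, n) for n in ("SignatureMethod", "DigestMethod", "Conditions"))
    if sig is None or dig is None:
        return ["assertion carries no XML signature"]
    findings = []
    sig_hash = SIG.get(sig.get("Algorithm"), "unknown")
    dig_hash = DIG.get(dig.get("Algorithm"), "unknown")
    if sig_hash != dig_hash:
        findings.append(f"signature uses {sig_hash} but digest uses {dig_hash}")
    elif sig_hash != "SHA256":
        findings.append(f"both algorithms are {sig_hash}, not SHA256")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        findings.append("no validity window in Conditions")
    else:
        window = (parse_time(cond.get("NotOnOrAfter")) - parse_time(cond.get("NotBefore"))).total_seconds()
        if window > assertion_time:
            findings.append(f"valid for {int(window)}s, configured Assertion Time is {assertion_time}s")
    return findings

if __name__ == "__main__":
    for finding in audit_assertion(SAMPLE, 200):
        print(finding)
```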

Assign SaaS Applications

Assign SaaS applications to users and groups configured in VMware Identity Manager. See Assign SaaS Applications.