Add the third-party identity provider XML-based metadata document to establish trust with the identity provider.

1. Enter the SAML metadata URL or the xml content into the text box. Click Process IdP Metadata.
2. Select how the user is identified. The identifier sent in an inbound SAML Assertion can be either sent in the Subject or in the Attribute element.
   • NameID Element. User identifier is retrieved from the NameID element of the Subject element.
   • SAML Attribute. User identifier is retrieved from a specific Attribute or AttributeStatement element.
3. If you select NameID Element, the NameID formats supported by the identity provider are extracted from the metadata and added to the Name ID Format table that is displayed.
   • In the Name ID value column, select the user attributes that are configured in the Workspace ONE Access service to map to the NameID formats that are displayed. You can add custom third-party name ID formats and map them to the user attribute values in the Workspace ONE Access service.
   • Select the Name ID Policy in SAML Request response identifier string format to use. This format must match the specific Name ID Policy format configuration of the third-party IDP used to establish trust with the Workspace ONE Access service.
   • Select the option to send Subject information in SAML Request when the information is available.
4. If you select SAML Attribute, include the Attribute Format and Attribute Name. Select the user attribute in the Workspace ONE Access service to map to the SAML Attribute.

Select the network ranges for the users based on their IP addresses, that you want to direct to this identity provider instance for authentication.

When users sign in to Workspace ONE from a third-party identity provider (IDP), two sessions are opened, one on the third-party identity provider, and the second on the identity manager service provider for Workspace ONE. The lifetime of those sessions is managed independently. When users sign out of Workspace ONE, the Workspace ONE session is closed, but the third-party IDP session might still be open. Based on your security requirements, you can enable single sign-out and configure single sign-out to sign out of both sessions, or you might keep the third-party IDP session intact.

Configuration Option 1

• You can enable single sign-out when you configure the third-party identity provider. If the third-party identity provider supports SAML-based single logout protocol (SLO), users are logged out of both sessions when they sign out of the Workspace ONE portal. The Redirect URL text box is not configured.
• If the third-party IDP does not support SAML-based single logout, you enable single sign-out, and in the Redirect URL text box designate an IDP single logout endpoint URL. You can also add a redirect parameter to append to the URL that sends users to a specific endpoint. Users are redirected to this URL when they sign out of the Workspace ONE portal and are signed out from the IDP as well.

Configuration Option 2

• Another single sign-out option is to log users out of their Workspace ONE portal and redirect them to a customized endpoint URL. You enable single sign-out, designate the URL in the Redirect URL text box, and the redirect parameter of the customized endpoint. When users sign out of the Workspace ONE portal, they are directed to this page, which can display a customized message. The third-party IDP session might still be open. The URL is entered as https://<vidm-access-url>/SAAS/auth/federation/slo.

If Enable Single Sign-out is not enabled, the default configuration in the Workspace ONE Access service is to directed users back to the Workspace ONE portal sign-in page when they sign out. The third-party IDP session might still be open.