Add the third-party identity provider XML-based metadata document to establish trust with the identity provider.

1. Enter the SAML metadata URL or the xml content into the text box. Click Process IdP Metadata.
2. Select how the user is identified. The identifier sent in an inbound SAML Assertion can be either sent in the Subject or in the Attribute element.
   • NameID Element. User identifier is retrieved from the NameID element of the Subject element.
   • SAML Attribute. User identifier is retrieved from a specific Attribute or AttributeStatement element.
3. If you select NameID Element, the NameID formats supported by the identity provider are extracted from the metadata and added to the Name ID Format table that is displayed.
   • In the Name ID value column, select the user attributes that are configured in the Workspace ONE Access service to map to the NameID formats that are displayed. You can add custom third-party name ID formats and map them to the user attribute values in the Workspace ONE Access service.
   • Select the Name ID Policy in SAML Request response identifier string format to use. This format must match the specific Name ID Policy format configuration of the third-party IDP used to establish trust with the Workspace ONE Access service.
   • (Cloud only) Select the option Send Subject in SAML Request (when available) as a login hint or as a hint for authentication such as MFA. When you enable this option, you can also enable Send Subject value based on NameID format mapping to map the login hint provided by the third-party app to the NameID value.
     Note: When Send Subject value based on NameID format mapping is enabled, the Workspace ONE Access service is vulnerable to a security risk known as user enumeration. Enable this option with caution.

     Example of a configuration where Send Subject value based on NameID format mapping option is enabled

     Third-Party Identity Provider Configuration

     • App ‘X’ is federated with Workspace ONE Access.
     • The third-party identity provider mapped the NameID value to userPrincipleName.

       In this configuration the end user's email is not mapped to the third-party IDPs userPrincipleName.

     • The App X access policy has a rule that the third-party identity provider is used to authenticate the user.

     End User Authentication Flow

     • End user selects App ‘X’.
     • App ‘X’ presents a login page to the end user to enter their email address.
     • App ‘X’ sends the email as a login hint back to Workspace ONE Access.
     • Because Send Subject value based on NameID format mapping is enabled, Workspace ONE Access accepts the email and finds the UserPrincipleName for that user.
     • Workspace ONE Access sends the SAML request with the corresponding UserPrincipleName that was mapped to the third-party IDP responsible for authenticating the end user.
4. If you select SAML Attribute, include the Attribute Format and Attribute Name. Select the user attribute in the Workspace ONE Access service to map to the SAML Attribute.

Select the network ranges for the users based on their IP addresses, that you want to direct to this identity provider instance for authentication.

Enter the authentication method name to associate with this third-party identity provider. You can enter multiple authentication methods to associate with the third-party identity provider. Give each authentication method a friendly name that identifies the auth method. You select the authentication method name in the access policy to configure the rules for the third party IDP authentication method.

Map the authentication method name with the SAML authentication context that is sent by the third-party identity provider in the SAML response. In the drop-down menu, select a SAML authentication context class string from the list of commonly used strings, or you can enter a custom string.

When users sign in to Workspace ONE from a third-party identity provider (IDP), two sessions are opened, one on the third-party identity provider, and the second on the identity manager service provider for Workspace ONE. The lifetime of those sessions is managed independently. When users sign out of Workspace ONE, the Workspace ONE session is closed, but the third-party IDP session might still be open. Based on your security requirements, you can enable single sign-out and configure single sign-out to sign out of both sessions, or you might keep the third-party IDP session intact.

Configuration Option 1

• You can enable single sign-out when you configure the third-party identity provider. If the third-party identity provider supports SAML-based single logout protocol (SLO), users are logged out of both sessions when they sign out of the Workspace ONE portal. The Redirect URL text box is not configured.
• If the third-party IDP does not support SAML-based single logout, you enable single sign-out, and in the Redirect URL text box designate an IDP single logout endpoint URL. You can also add a redirect parameter to append to the URL that sends users to a specific endpoint. Users are redirected to this URL when they sign out of the Workspace ONE portal and are signed out from the IDP as well.

Configuration Option 2

• Another single sign-out option is to log users out of their Workspace ONE portal and redirect them to a customized endpoint URL. You enable single sign-out, designate the URL in the Redirect URL text box, and the redirect parameter of the customized endpoint. When users sign out of the Workspace ONE portal, they are directed to this page, which can display a customized message. The third-party IDP session might still be open. The URL is entered as https://<vidm-access-url>/SAAS/auth/federation/slo.

If Enable Single Sign-out is not enabled, the default configuration in the Workspace ONE Access service is to directed users back to the Workspace ONE portal sign-in page when they sign out. The third-party IDP session might still be open.