When Workspace ONE Access system domain admin users cannot log in to the console from the Workspace ONE Access login page, use the break-glass URL endpoint /SAAS/login/0 hosted by the Workspace ONE Access appliance to log in and resolve the issue.

When the default access policy configuration locks out administrators, system domain admin users can use the break-glass URL endpoint, /SAAS/login/0, to access the Workspace ONE Access console. The /SAAS/login/0 URL authenticates system directory admins with a user name and password.

This login URL is deactivated in the Workspace ONE Access service by default. When you try to use https://{yourFQDN}/SAAS/login/0, you see an error message instead of the login page. All attempts to reach /SAAS/login/0 are logged to /opt/vmware/horizon/workspace/logs with the following message.

com.vmware.horizon.service.controller.auth.LoginController - "Break-glass" login end-point called, access is disabled.
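
The log message above can be used to check how often the deactivated endpoint is being requested. The following script is an added example, not part of the product or its documentation: it counts that message per file in the log directory named above. The function names, sample file names, timestamps and the unrelated log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: count hits on the disabled break-glass endpoint.
# Directory and message text are from the page; file names, timestamps and
# the unrelated logger in the sample are constructed.
LOG_DIR_DEFAULT=/opt/vmware/horizon/workspace/logs
BG_MESSAGE='LoginController - "Break-glass" login end-point called, access is disabled.'

# count_break_glass_hits [DIR]
# Prints "<count> <file>" per file with hits, then "total <n>".
count_break_glass_hits() {
    dir=${1:-$LOG_DIR_DEFAULT}
    total=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # -F matches the message literally; "|| true" keeps a zero-hit file
        # (grep exit status 1) from aborting a caller that runs under set -e.
        n=$(grep -c -F -- "$BG_MESSAGE" "$f" 2>/dev/null || true)
        n=${n:-0}
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$n" "$f"
            total=$((total + n))
        fi
    done
    printf 'total %s\n' "$total"
}

# write_sample_logs DIR: constructed log files for an offline run.
write_sample_logs() {
    cat > "$1/sample-a.log" <<'EOF'
2024-01-01 10:00:00 WARN com.vmware.horizon.service.controller.auth.LoginController - "Break-glass" login end-point called, access is disabled.
2024-01-01 10:00:05 INFO example.constructed.Logger - request served
2024-01-01 10:02:11 WARN com.vmware.horizon.service.controller.auth.LoginController - "Break-glass" login end-point called, access is disabled.
EOF
    cat > "$1/sample-b.log" <<'EOF'
2024-01-01 10:00:06 INFO example.constructed.Logger - health check ok
EOF
}

# Offline demo; on an appliance call count_break_glass_hits with no argument.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
count_break_glass_hits "$demo_dir"
rm -rf "$demo_dir"
```

A nonzero total means something requested /SAAS/login/0 while the endpoint was deactivated.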

Enable /SAAS/login/0

Enable /SAAS/login/0 so that system domain admin users can log in to the Workspace ONE Access console.

Procedure

  1. SSH into the Workspace ONE Access appliance as the root user.
  2. Enter hznAdminTool configureBreakGlassLogin -enable -loginZero.
  3. Restart the service on the appliance. Enter service horizon-workspace restart.

    Repeat this process for all appliances in your environment.

Now Workspace ONE Access system domain admin users can log in using the following login URL.

https://{yourFQDN}/SAAS/login/0

Deactivate /SAAS/login/0

After you resolve the default access policy configuration issues, deactivate /SAAS/login/0 as a login option.

Procedure

  1. SSH into the Workspace ONE Access appliance as the root user.
  2. Enter hznAdminTool configureBreakGlassLogin -disable -loginZero.
  3. Restart the service on the appliance. Enter service horizon-workspace restart.

    Repeat this process for all appliances in your environment.