You can add Web applications to the VMware Identity Manager catalog and assign them to users and groups to provide users access to these applications from the Workspace ONE portal or app. You enable single sign-on (SSO) to the applications by using a federation protocol such as SAML 2.0 to configure the applications.

Access policies can be applied on the applications to control user access based on criteria such as the user's network range or device type. You can create access policies for a single application, a set of applications, or all applications in your catalog. When you add an application to the catalog, you select the access policy to use.

You can also set up an approval flow so that users must request access to an application and the request must be approved before they can use the application.

The following types of Web applications can be added to the catalog:

  • SAML 2.0 applications
  • SAML 1.1 applications

    SAML 1.1 is an older SAML authentication standard. For better security, implement SAML 2.0.

  • WS-Federation 1.2 (supported for Office 365 only)
  • OpenID Connect applications
  • Applications that do not use a federation protocol
  • Applications associated with third-party identity providers such as Okta, Ping, and ADFS.

    To add these applications, you must first configure the third-party identity provider as an application source in VMware Identity Manager. See

    Providing Access to Third-Party Managed Applications in Workspace ONE for information.

Before setting up Web applications in the catalog, take into account the following considerations.

  • If you configure the Web application to use a federation protocol, use a supported protocol. Configuring the Web application to use a federation protocol is not a requirement.
  • The users you plan to entitle to the Web application must be registered users of that application, or you plan to configure the provisioning adapter for the application, if available, to provision VMware Identity Manager users in the application.
  • If the Web application is a multitenant application, the service points to your instance of the application.

Role Requirements for Managing Web Applications

The following roles can manage Web applications:

  • Super Admin
  • Custom administrator role that has the following configuration:

    Service: Catalog

    Actions: Manage Web Applications, Manage App Sources, Manage Third-Party Apps, as applicable

    Resources: All resources or specific resources as applicable

To assign applications to users and groups, the role must include the Manage Entitlements action.

For more information about roles, see "Managing Administrator Roles" in VMware Identity Manager Administration.