You add the AirWatch Provisioning app to the catalog in the Workspace ONE Access console and assign users to the app. When users are assigned to the app, they are provisioned in Workspace ONE UEM and can access Workspace ONE.
- Make sure that SAML authentication is enabled in the Workspace ONE UEM console in the Accounts > Administrators > Administrator Settings > Directory Services section.
- An identity provider must be configured as the SAML provider before you configure the AirWatch Provisioning app. If you want to use Workspace ONE Access as the SAML provider, follow the instructions in the Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications guide.
- Configure Workspace ONE UEM authentication information in the AirWatch Provisioning app.
The recommended configuration is to enable Certificate Auth. Certificate Auth settings are configured in the Identity & Access Management > Setup > Workspace ONE UEM page. This option reduces the configuration complexity because the AirWatch Host, Admin Username, Admin Password, and AirWatch API Key fields are automatically populated in the AirWatch Provisioning settings when you select Certificate Auth.
When Certificate Auth is enabled, you avoid situations where a large number of user provisioning events reach Workspace ONE UEM API request limits causing user provisioning events to be suspended.
Also, when you use Certificate Auth, you do not need to update the Workspace ONE UEM admin password in the AirWatch Provisioning app when the password is changed.
- Log in to the Workspace ONE Access console.
- Select the Catalog > Web Apps tab.
- Click New.
- Enter AirWatch Provisioning in the Search text box, or click browse from catalog, and select AirWatch Provisioning from the results.
- To proceed, click Next.
- On the Single Sign-On page, configure the settings required by your organization.
Some settings are populated with default values relevant to the AirWatch Provisioning app. To learn more about a setting, click the information icon next to the setting.

Note: For any setting not listed in the following table, accept the default value.

| Setting | Description |
|---|---|
| Authentication Type | Populated with the SAML profile. |
| Configuration | Select Manual. |
| Single Sign-On URL | This field is not used for AirWatch provisioning, but cannot be empty. An empty field generates a validation error. You can leave the default address. |
| Recipient URL | This field is not used for AirWatch provisioning, but cannot be empty. An empty field generates a validation error. You can leave the default address. |
- Click Next. Keep the default_access_policy_set.
- Click Save.
The app is added to the catalog. Now you can enable provisioning.
- Select the AirWatch Provisioning app from the catalog list and click Edit.
- Select Provisioning and enter the following information.
Configure the Workspace ONE UEM admin account that can authenticate against the AirWatch REST API.
- (Recommended) Select Enable Certificate Auth to use the same values you configured in Identity & Access Management > Setup > Workspace ONE UEM to authenticate to Workspace ONE UEM.
- For Workspace ONE UEM Group ID, enter your top-level OG group ID.
- To use a basic Workspace ONE UEM admin account, enter the Workspace ONE UEM Host URL of your Workspace ONE UEM REST API (usually as
- Enter the basic admin account Admin Username and Admin Password.
Note: The role for this Workspace ONE UEM admin account is configured as Console administrator.

Important: By default, the password of this administrator is changed every 30 to 90 days from the Workspace ONE UEM console. When this password is changed, you must update the password in the AirWatch Provisioning app settings in the Workspace ONE Access console.
- Enter the Workspace ONE UEM API Key.
Note: If you do not have an API key, in the UEM console, go to Groups & Settings > All Settings > System > Advanced > API > REST API. Click Override and select Add. Provide a service name and the account type of Admin. Copy the API key to enter on this page.
- Enter the Workspace ONE UEM Group ID. Enter your top-level OG group ID.
- Click Test Connection to validate connectivity. Click Next.
- In the User Provisioning page, verify that the attributes with which to provision users in Workspace ONE UEM are listed. Attribute names with an asterisk are required for provisioning. Click Next.
If you are using JIT, make sure that the SAML assertion includes the User Name attribute. Also make sure that the keys in the SAML assertion match the attribute names exactly, including the case.
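The following script is an added example, not part of this guide or of the Workspace ONE product, that shows how to check a SAML assertion for the case-sensitive attribute names described above before troubleshooting a JIT provisioning failure. The required attribute names in `REQUIRED_ATTRIBUTES` and the sample assertion are constructed assumptions; the real list is the set of asterisked attributes shown on the User Provisioning page.

```python
"""Check that a SAML 2.0 assertion carries the attributes that JIT provisioning
expects, matching attribute names exactly (including case).

Added example; the attribute names below are assumed, not taken from the product.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed required attribute names. Replace with the asterisked attributes
# listed on the User Provisioning page of the AirWatch Provisioning app.
REQUIRED_ATTRIBUTES = ["userName", "firstName", "lastName", "email"]

# Constructed sample assertion (signature and conditions omitted). It has one
# correct name (userName), one case mismatch (FirstName), and one attribute
# missing entirely (email).
SAMPLE_ASSERTION = """<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FirstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def assertion_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_required(attrs: dict, required=REQUIRED_ATTRIBUTES) -> dict:
    """Classify each required name as ok, empty, case-mismatch, or missing.

    A case-mismatch is reported separately because it is the failure mode that
    looks correct to a human reader but is not accepted by an exact-match key.
    """
    by_lower = {name.lower(): name for name in attrs}
    report = {}
    for name in required:
        if name in attrs:
            report[name] = "ok" if any(v.strip() for v in attrs[name]) else "empty"
        elif name.lower() in by_lower:
            report[name] = f"case-mismatch (assertion has '{by_lower[name.lower()]}')"
        else:
            report[name] = "missing"
    return report


def has_problems(report: dict) -> bool:
    """True if any required attribute is not 'ok'."""
    return any(status != "ok" for status in report.values())


if __name__ == "__main__":
    found = assertion_attributes(SAMPLE_ASSERTION)
    for name, status in check_required(found).items():
        print(f"{name:12s} {status}")
```

Run it against an assertion captured from a browser SAML trace (decoded from the SAMLResponse) after swapping in the attribute names your User Provisioning page marks as required; any line other than `ok` is a candidate cause for a JIT user not being created.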
- In the Group Provisioning page, add the groups that you want to provision in Workspace ONE UEM. These user groups are automatically created in Workspace ONE UEM.
- Click Next and on the Summary page, click Save.