SaaS applications are called Web applications in Workspace ONE Access. You can add, edit, and delete these applications in one management console. They consist of a URL address to the landing page of the resource. They also include an application record. You can add SaaS applications to the Workspace ONE UEM console from your web applications in the Workspace ONE catalog. When you use access policies with SaaS applications, you can control access to the application at the point of authentication.

Control Access at the Time of Authentication

SaaS applications and access policies offer control of resources at the time of authentication.

Table 1. Access Control Options
Component Description
Authentication method Require the use of federation protocols when accessing the SaaS application.

Federation protocols use tokens to allow access and to establish trust between the resource and the user.

Identity and Service Providers To configure trust between your providers, SaaS applications, and users in your network, use the identity provider and the service provider metadata from the Workspace ONE system in Workspace ONE UEM.
Certificates To control trust between users in your Workspace ONE system and the SaaS application, use the self-signed certificate from the Workspace ONE Access service or enter one from your certificate authority.
Users and User Groups Configure users and user groups in Workspace ONE Access and then assign them to SaaS applications in the Workspace ONE UEM console.
Secured Connection Enable trusted connections with the VMware Enterprise System between the Workspace ONE system, SaaS applications, and users.
Session Access & Length Configure access policies and mobile SSO to control the allowable time to access SaaS applications before users must reauthenticate with Workspace ONE.

SaaS App Functionality for SAML Admins

SaaS applications, as well as other Workspace ONE Access policies and functions, are unavailable to you if you are a SAML administrator who authenticates using Workspace ONE Access. You will see the following error message when you navigate to the SaaS Apps page.

Check that your administrator account exists in both UEM and IDM systems and that the domain in Workspace ONE UEM exactly matches the same account’s domain in VMware Identity Manager.

To restore SaaS app accessibility, you must log into Workspace ONE UEM using basic authentication and you must also enable Workspace ONE Access at your organization group.