Settings include features that apply to all SaaS applications in your Workspace ONE environment. Control access with configurations for SAML authentication and with required approvals.

Configure SaaS applications to require approval before users can access them. Use this feature for SaaS applications that consume licenses on access, so that license activations stay under control. When you enable approvals, also enable the corresponding License Approval Required option in the applicable SaaS application record.

  • Approval Workflow - Users view the application in their Workspace ONE catalog and request use of the application. Workspace ONE Access sends the approval request message to the organization's configured approval REST endpoint URL. The system reviews the request and sends back an approved or denied message to Workspace ONE Access. When an application is approved, the application status turns from Pending to Added and the application displays in the user's Workspace ONE launcher page.
  • Approval Engines - The system offers two approval engines.
    • REST API - The REST API approval engine uses an external approval tool that routes through your Webserver REST API to perform the request and approval responses. You enter your REST API URL in the Workspace ONE Access service and configure your REST APIs with the Workspace ONE Access OAuth client credential values and the callout request and response action.
    • REST API via Connector - The REST API via Connector approval engine routes the callback calls through the connector over its WebSocket-based communication channel. You configure your REST API endpoint with the callout request and response action.

SAML Metadata and Self-Signed Certificates or Certificates from CAs

You can use the SAML certificates from the Settings page for authentication systems like mobile single sign-on. The Workspace ONE Access service automatically creates a self-signed certificate for SAML signing. However, some organizations require certificates from certificate authorities (CAs). To request a certificate from your CA, generate a certificate signing request (CSR) in Settings. You can use either certificate to authenticate users to SaaS applications.

Send the certificate to relying applications to configure authentication between the application and the Workspace ONE system.

You can add third-party identity providers to authenticate users in Workspace ONE Access. To configure the provider instance, use the identity provider and service provider metadata you copied from the Settings section in the AirWatch Console. For detailed information on how to configure third-party providers, see Configure a Third-Party Identity Provider Instance to Authenticate Users in Workspace ONE Access.

You can configure your Application Source by selecting the corresponding third-party Identity provider. After the Application source is set up, you can then create the associated applications.

Configure Approvals for your SaaS Applications

Use approvals for SaaS applications that activate licenses for use. When enabled with the corresponding License Approval Required option, users request access to applicable SaaS applications from the Workspace ONE catalog before installation and license activation.

  1. Navigate to Resources > Apps > SaaS and select Settings.
  2. Select Approvals.
  3. Select Yes to enable the feature.
  4. Select an Approval Engine the system uses to request approvals.
  5. Enter the callback URI (Uniform Resource Identifier) of the REST resource that listens for the callout request.
  6. Enter the Username if the REST API requires credentials for access.
  7. Enter the Password for that user name if the REST API requires credentials for access.
  8. For the PEM-format SSL Certificate option, enter the SSL certificate in PEM (Privacy-Enhanced Mail) format if the REST resource uses HTTPS and runs on a server with a self-signed certificate or a certificate not trusted by a public certificate authority.

Configure SAML Metadata for Single Sign-On Capability

Retrieve SAML metadata and certificates from the Settings page for single sign-on capabilities with SaaS applications.

Important: All single sign-on connections that depend on the existing SAML metadata break when the CSR generation creates new SAML metadata.
Note: Replacing an existing SSL certificate changes the existing SAML metadata. If you replace an SSL certificate, you must update every SaaS application that you configured for mobile single sign-on with the latest certificate.
  1. Navigate to Resources > Apps > SaaS and select Settings.
  2. Select SAML Metadata > Download SAML Metadata and complete the tasks.
    Table 1.
    Setting - Description
    SAML Metadata - Copy and save the Identity Provider metadata and the Service Provider metadata. Select the links to open a browser instance with the XML data. Configure your third-party identity provider with this information.
    Signing Certificate - Copy the signing certificate, including all the text in the text area. You can also download the certificate and save it as a TXT file.

  3. Select Generate CSR and complete the tasks for requesting a digital identity certificate (SSL certificate) from your certificate authority. This request identifies your company, domain name, and public key. The third-party certificate authority uses it for issuing the SSL certificate. To update the metadata, upload the signed certificate.
    Setting (New Certificate) - Description
    Common Name - Enter the fully qualified domain name for the organization's server.
    Organization - Enter the legally registered name of the company.
    Department - Enter the department in your company that the certificate references.
    City - Enter the city where the organization is legally located.
    State / Province - Enter the state or province where the organization legally resides.
    Country - Enter the legal country of residence for the organization.
    Key Generation Algorithm - Select the algorithm used to sign the CSR.
    Key Size - Select the number of bits used in the key. Select 2048 or larger; RSA key sizes smaller than 2048 are considered insecure.

    Setting (Replace a Certificate) - Description
    Upload SSL Certificate - Upload the SSL certificate received from your third-party certificate authority.
    Certificate Signing Request - Download the certificate signing request (CSR) and send it to the third-party certificate authority.
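The Note above is the operational risk of this procedure: once a signed certificate replaces the self-signed one, any relying application that still holds the old certificate stops accepting assertions. The following is an added example, not part of the Workspace ONE documentation or product, showing how an administrator can extract the signing certificate from downloaded IdP metadata, fingerprint it, and compare it with the certificate a relying application has configured. The metadata document, the entity ID and the certificate bytes are constructed placeholders.

```python
"""Added example: find the signing certificate published in SAML IdP metadata
and check whether a relying application still holds the same certificate.
Everything below is constructed for illustration; the metadata document,
entity ID and certificate bytes are placeholders, not Workspace ONE output."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder bytes standing in for the DER encoding of a
# certificate before and after a certificate replacement.
CURRENT_CERT_DER = b"constructed-placeholder-der-after-replacement"
OLD_CERT_DER = b"constructed-placeholder-der-before-replacement"
ENCRYPTION_CERT_DER = b"constructed-placeholder-der-encryption-key"


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes."""
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


CURRENT_CERT_PEM = to_pem(CURRENT_CERT_DER)
OLD_CERT_PEM = to_pem(OLD_CERT_DER)

# Constructed IdP metadata in the shape of a SAML 2.0 EntityDescriptor, with
# one signing and one encryption KeyDescriptor.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(CURRENT_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(ENCRYPTION_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs_from_metadata(metadata_xml: str) -> list:
    """Return the DER bytes of every signing certificate in the IdP metadata.
    Encryption-only KeyDescriptors are skipped; a KeyDescriptor without a use
    attribute may serve both purposes, so it is included."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata often wraps the base64 across lines; drop the whitespace.
            certs.append(base64.b64decode("".join(node.text.split())))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most consoles display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def relying_app_is_current(metadata_xml: str, configured_pem: str) -> bool:
    """True when the certificate configured at the relying application is one
    of the signing certificates the IdP currently publishes."""
    configured = fingerprint(pem_to_der(configured_pem))
    return any(fingerprint(c) == configured for c in signing_certs_from_metadata(metadata_xml))


if __name__ == "__main__":
    for label, pem in (("current", CURRENT_CERT_PEM), ("old", OLD_CERT_PEM)):
        state = "matches" if relying_app_is_current(IDP_METADATA, pem) else "does NOT match"
        print(f"relying application holding the {label} certificate {state} the IdP metadata")
```

Run this against the metadata downloaded from Settings and the certificate exported from each relying application after a certificate replacement; any application that reports a mismatch still needs the new certificate before its single sign-on will work again.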

Configure Application Source for the Third-Party Identity Providers

Adding an identity provider as an application source streamlines the process of adding individual applications from that provider to the end-user catalog because you can apply configured settings and policies from the third-party application source to all applications managed by the application source.

To begin, entitle the ALL_USERS group to the application source and select an access policy to apply.

Web applications that use the SAML 2.0 authentication profile can be added to the catalog. The application configuration is based on the settings configured in the application source. Only the application name and the target URL are required to be configured.

When you add applications, you can entitle specific users and groups and apply an access policy to control user access to the application. Users can access these applications from their desktops and mobile devices.

The configured settings and policies from the third-party application source can be applied to all applications managed by the application source. Sometimes, third-party identity providers send an authentication request without including which application a user is trying to access. If Workspace ONE Access receives an authentication request that does not include the application information, the backup access policy rules configured in the application source are applied.

The following identity providers can be configured as application sources.

  • Okta
  • PingFederate server from Ping Identity
  • Active Directory Federation Services (ADFS)

Configure your Application Source by selecting the third-party identity provider. After the Application Source is set up, you can then create the associated applications and entitle the users.

  1. Navigate to Resources > Apps > SaaS and select Settings.
  2. Select Application Sources.
  3. Select the third-party identity provider. The third-party identity provider's Application Source wizard is displayed.
  4. Enter a descriptive name for the application source and click Next.
  5. Authentication Type is defaulted to SAML 2.0 and is read-only.
  6. Modify the application source Configuration.
    Table 2. Configuration Settings - URL/XML
    Setting - Description
    Configuration - URL/XML is the default option for SaaS applications that are not yet part of the Workspace ONE catalog.
    URL/XML - Enter the URL if the XML metadata is accessible on the Internet. If the XML metadata is not accessible on the Internet but you have it, paste the XML in the text box. Use manual configuration if you do not have the XML metadata.
    Relay State URL - Enter the URL where you want SaaS application users to land after a single sign-on procedure in an identity provider-initiated (IDP) scenario.
    Table 3. Configuration Settings - Manual
    Setting - Description
    Configuration - Manual is the default option for SaaS applications added from the catalog.
    Single Sign-On URL - Enter the Assertion Consumer Service (ACS) URL. Workspace ONE sends this URL to your service provider for single sign-on.
    Recipient URL - Enter the URL with the specific value your service provider requires, which states the domain in the SAML assertion subject. If your service provider does not require a specific value for this URL, enter the same URL as the Single Sign-On URL.
    Application ID - Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to this ID. Some service providers use the Single Sign-On URL.
    Username Format - Select the SAML subject format that the service provider requires.
    Username Value - Enter the Name ID value that Workspace ONE sends in the subject statement of the SAML assertion. This value is a default profile field value for a username at the application service provider.
    Relay State URL - Enter the URL where you want SaaS application users to land after a single sign-on procedure in an identity provider-initiated (IDP) scenario.
  7. Modify the Advanced Properties.
    Setting - Description
    Sign Response - Sign the SAML response that Workspace ONE sends to the service provider.
    Sign Assertion - Sign the SAML assertion that Workspace ONE sends to the service provider.
    Encrypt Assertion - Encrypt the SAML assertion for the service provider. Encryption uses the certificate entered under Encryption Certificate.
    Include Assertion Signature - Include the signature in the SAML assertion.
    Signature Algorithm - Select SHA256 with RSA as the signature algorithm.
    Digest Algorithm - Select SHA256 as the digest algorithm.
    Assertion Time - Enter the SAML assertion time in seconds.
    Request Signature - If you want the service provider to sign the request it sends to Workspace ONE, enter the service provider's public signing certificate.
    Encryption Certificate - Enter the service provider's public encryption certificate if you want Workspace ONE to encrypt the SAML assertion it sends to the application service provider.
    Application Login URL - Enter the URL for your service provider's login page. This option triggers the service provider to initiate a login to Workspace ONE. Some service providers require authentication to start from their login page.
    Proxy Count - Enter the allowable number of proxy layers between the service provider and an authenticating identity provider.
    API Access - Allow API access to this application.
  8. Configure Custom Attribute Mapping. If your service provider accepts custom attributes beyond the ones used for single sign-on, add them.
  9. Select Open in VMware Browser if you want to open the application in the VMware Browser. This requires Workspace ONE to open the application in the VMware Browser. Opening SaaS applications in the VMware Browser adds security because access stays within internal resources.
  10. Click Next.
  11. To secure signing in to application resources, select the Access policies. Click Next to view the Summary page.
  12. Click Save. If you select Save and Assign while configuring the application source, you set the entitlements for the application source to All Users. You can change this default later, manage the user entitlements, and add users or user groups.
    After the identity provider is configured as an application source, you can create the associated applications for each of the third-party identity providers. After you complete the options on the Definition tab, you can select OKTA from the Authentication Type drop-down menu in the Configuration tab.
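The Advanced Properties in step 7 decide what a SAML response from Workspace ONE should look like on the wire: response and assertion signed, SHA256 with RSA signatures, SHA256 digests, and a validity window no longer than the Assertion Time. The following is an added example, not part of the Workspace ONE documentation or product, that audits a captured SAML response against those expectations. It inspects the XML structure only and does not verify the signatures cryptographically; Assertion Time is assumed here to mean the validity period between the Conditions NotBefore and NotOnOrAfter timestamps, and the sample responses are constructed placeholders.

```python
"""Added example: audit a SAML response against the Advanced Properties chosen
for an application source (Sign Response, Sign Assertion, Signature Algorithm,
Digest Algorithm, Assertion Time). Structural inspection only; the signatures
are not verified cryptographically. The responses are constructed samples."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# XML Signature identifiers for "SHA256 with RSA" and the SHA256 digest.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# Legacy identifiers, used below only to build a non-compliant sample.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"


def _parse_time(value):
    """Parse the UTC timestamps SAML Conditions carry."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _check_signature(element, what, findings):
    """Record findings for a missing signature or non-SHA256 algorithms."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        findings.append(f"{what} is not signed")
        return
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    digest = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    sig_alg = method.get("Algorithm") if method is not None else None
    dig_alg = digest.get("Algorithm") if digest is not None else None
    if sig_alg != RSA_SHA256:
        findings.append(f"{what} signature algorithm is {sig_alg}, expected SHA256 with RSA")
    if dig_alg != SHA256:
        findings.append(f"{what} digest algorithm is {dig_alg}, expected SHA256")


def audit_saml_response(response_xml, assertion_time_seconds):
    """Return a list of findings; an empty list means the response matches the
    chosen Advanced Properties."""
    findings = []
    root = ET.fromstring(response_xml)
    _check_signature(root, "response", findings)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext assertion found (encrypted or missing)")
        return findings
    _check_signature(assertion, "assertion", findings)
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        window = _parse_time(conditions.get("NotOnOrAfter")) - _parse_time(conditions.get("NotBefore"))
        if window.total_seconds() > assertion_time_seconds:
            findings.append(f"assertion valid for {int(window.total_seconds())}s, "
                            f"longer than Assertion Time of {assertion_time_seconds}s")
    return findings


def build_sample_response(sign_response, sig_alg, dig_alg, not_on_or_after):
    """Build a constructed SAML response; the Signature elements are structural
    placeholders without real SignatureValue or DigestValue content."""
    def signature(ref):
        return (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>'
                f'<ds:Reference URI="#{ref}"><ds:DigestMethod Algorithm="{dig_alg}"/>'
                f'</ds:Reference></ds:SignedInfo></ds:Signature>')
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  {signature('_resp1') if sign_response else ''}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    {signature('_asrt1')}
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}"/>
  </saml:Assertion>
</samlp:Response>"""


# Constructed samples: one matching the recommended settings, one that signs
# only the assertion, with SHA-1 algorithms and a ten-minute validity window.
COMPLIANT_RESPONSE = build_sample_response(True, RSA_SHA256, SHA256, "2024-01-01T00:05:00Z")
WEAK_RESPONSE = build_sample_response(False, RSA_SHA1, SHA1, "2024-01-01T00:10:00Z")

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_RESPONSE), ("weak", WEAK_RESPONSE)):
        result = audit_saml_response(doc, assertion_time_seconds=300)
        print(f"{name}: {result or 'no findings'}")
```

Feed a decoded SAMLResponse captured from a test login into audit_saml_response with the Assertion Time you configured; findings point at the Advanced Property that does not match what the identity provider actually emitted.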