SaaS applications are called Web applications in Workspace ONE Access. You can add, edit, and delete these applications in one management console. They consist of a URL address to the landing page of the resource. They also include an application record. You can add SaaS applications to the Workspace ONE UEM console from your web applications in the Workspace ONE catalog. When you use access policies with SaaS applications, you can control access to the application at the point of authentication.
Control Access at the Time of Authentication
SaaS applications and access policies offer control of resources at the time of authentication. The table explains the various Access control options:
|Authentication method||Require the use of federation protocols when accessing the SaaS application.
Federation protocols use tokens to allow access and to establish trust between the resource and the user.
|Identity and Service Providers||To configure trust between your providers, SaaS applications, and users in your network, use the identity provider and the service provider metadata from the Workspace ONE system in Workspace ONE UEM.|
|Certificates||To control trust between users in your Workspace ONE system and the SaaS or enter one from your certificate authority.|
|Users and User Groups||Configure users and user groups in Workspace ONE Access and then assign them to SaaS applications in the Workspace ONE UEM console.|
|Secured Connection||Enable trusted connections with the VMware Enterprise System between the Workspace ONE system, SaaS applications, and users.|
|Session Access & Length||Configure access policies and mobile SSO to control the allowable time to access SaaS applications before users must reauthenticate with Workspace ONE.|
SaaS App Functionality for SAML Admins
SaaS applications, as well as other Workspace ONE Access policies and functions, are unavailable to you if you are a SAML administrator who authenticates using Workspace ONE Access. You will see the following error message when you navigate to the SaaS Apps page.
Check that your administrator account exists in both UEM and IDM systems and that the domain in Workspace ONE UEM exactly matches the same account’s domain in VMware Identity Manager.
To restore SaaS app accessibility, you must log into Workspace ONE UEM using basic authentication and you must also enable Workspace ONE Access at your organization group.
SaaS Application Requirements
To access your SaaS applications managed in Workspace ONE Access in the Workspace ONE UEM console, you can set up peripheral systems to communicate between the systems.
Configure or integrate the listed systems so that you can access the SaaS applications page.
- Active Directory - This component integrates Workspace ONE UEM and Workspace ONE Access to sync users and groups from Active Directory (AD) to the service. You assign SaaS applications to the users and groups synced from Active Directory.
Note:With setup of the connector, AD users and groups are in sync between Workspace ONE UEM and Workspace ONE Access.
- Workspace ONE Access - This component serves many functions including managing your users and groups and managing authentication to resources.
- Mobile SSO -This component manages single sign-on (SSO) capabilities in the Workspace ONE portal for Workspace ONE UEM-managed Android and iOS devices. For Android devices, mobile SSO uses certificate authentication. For iOS devices, it uses the identity provider in the Workspace ONE Access.
Note:Mobile SSO is different from the SSO feature for applications that use the Workspace ONE SDK.
- Access Policies - This component provides secure access to the Workspace ONE apps portal to start Web applications. Access policies include rules that specify criteria that must be met to sign in to the apps portal and to use resources.
A default policy is available that controls access as a whole. This policy is set up to allow access to all network ranges, from all device types, for all users. You can create stricter access policies that restrict users access to applications based on access rules you define.
You can deploy SaaS applications to these platforms:
- Apple iOS
- Apple macOS
- Windows Desktop (Windows 10)