You can add SaaS applications in the Workspace ONE UEM console. Browse applications already added to your Workspace ONE catalog or add new ones.

For information about access policies that secure SaaS applications, see Use Access Policies with SaaS Applications.

For information about the Approvals feature that activates licenses for use, see Configure Approvals.

  1. Navigate to Apps & Books > Applications > Web > SaaS and select New.
  2. Complete the options on the Definition tab.

    Setting Description
    Search

    You can create an application by copying it from the global catalog. Enter the name of the SaaS application and search for the application in the global catalog.

    You can also browse the application from the global catalog.

    Name - Enter a name for the SaaS application.
    Description - (Optional) Provide a description of the application.
    Icon

    (Optional) Click Browse and upload an icon for the application.

    SaaS applications use icons in PNG, JPG, and ICON file formats.

    The application icons that you upload must be a minimum of 180 x 180 pixels.

    If the icon is too small, the icon does not display. In this instance, the system displays the default icon.

    Category

    Assign categories to help users sort and filter the application in the Workspace ONE catalog.

    Configure categories in VMware Identity Manager so that they display in the category list.

  3. Complete the options on the Configuration tab.

    1. Authentication Type - Select the authentication type for the SaaS application.

      Available options vary depending on the type you select. The authentication type determines the available settings on the user interface. There are several permutations.

      • SAML 2.0 - Select this option to provide single sign-on for applications that use SAML 2.0 authentication.
      • SAML 1.1 - SAML 1.1 is an older SAML authentication profile. For better security, implement SAML 2.0.
      • WSFed 1.2 - Select this option to provide single sign-on to applications that use WS-Federation authentication.
      • Web Application Link - If the application does not use a federation protocol, select this option. Enter the target URL of the application.
      • OpenID Connect - Select this option to provide single sign-on to applications that use the OAuth 2.0 protocol.

      Go to the authentication type for your SaaS application for available configurations.

      • SAML 2.0

        Setting Description
        Configuration
        • URL/XML is the default option for SaaS applications that are not yet part of the Workspace ONE catalog.
        • Manual is the default option for SaaS applications added from the catalog.
        URL/XML

        Enter the URL if the XML metadata is accessible on the Internet.

        Paste the XML in the text box if the XML metadata is not accessible on the Internet, but you have it.

        Use manual configuration if you do not have the XML metadata.

        Relay State URL

        Enter the URL where you want SaaS application users to land after single sign-on in an identity provider (IdP)-initiated scenario.

        Manual

        Single Sign-On URL

        Enter the Assertion Consumer Service (ACS) URL.

        Workspace ONE sends this URL to your service provider for single sign-on.

        Recipient URL

        Enter the URL with the specific value required by your service provider that states the domain in the SAML assertion subject.

        If your service provider does not require a specific value for this URL, enter the same URL as the Single Sign-On URL.

        Application ID

        Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID.

        Some service providers use the Single Sign-On URL.

        Username Format - Select the format that the service provider requires for the SAML subject.
        Username Value

        Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement.

        This value is a default profile text box value for a username at the application service provider.

        Relay State URL

        Enter the URL where you want SaaS application users to land after single sign-on in an identity provider (IdP)-initiated scenario.

      • SAML 1.1

        Setting Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
        Single Sign-On URL

        Enter the Assertion Consumer Service (ACS) URL.

        Workspace ONE sends this URL to your service provider for single sign-on.

        Recipient URL

        Enter the URL with the specific value required by your service provider that states the domain in the SAML assertion subject.

        If your service provider does not require a specific value for this URL, enter the same URL as the Single Sign-On URL.

        Application ID

        Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID.

        Some service providers use the Single Sign-On URL.

      • WSFed 1.2

        Setting Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
        Single Sign-On URL

        Enter the Assertion Consumer Service (ACS) URL.

        Workspace ONE sends this URL to your service provider for single sign-on.

        Application ID

        Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID.

        Some service providers use the Single Sign-On URL.

        Username Format

        Select the format that the service provider requires for the SAML subject.

        Username Value

        Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement.

        This value is a default profile text box value for a username at the application service provider.

      • Web Application Link

        Setting Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
      • OpenID Connect

        Setting Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
        Redirect URL

        Enter the URL of the client that receives the authorization code and access token.

        Client ID - Enter the unique string for the client.
        Client Secret - Enter the secret used to authorize the client.
    2. Application Parameters - Add values for advanced parameters to allow the application to start. This option is not available for all applications.
    3. Advanced Properties - If you want greater control of messaging in single sign-on processes with Workspace ONE, add optional parameters. The authentication type determines the available settings on the user interface. There are several permutations. Go to the authentication type for your SaaS application.

      Setting Description
      SAML 2.0
      Sign Response

      Require Workspace ONE to sign the response message to the service provider. This signature verifies that Workspace ONE created the message.

      Sign Assertion

      Require Workspace ONE to sign the assertion within the response message sent to the service provider.

      Some service providers require this option.

      Encrypt Assertion - Encrypt the SAML assertion the system sends to the application service provider.
      Include Assertion Signature

      Require Workspace ONE to include its signing certificate within the response message sent to the service provider.

      Some service providers require this option.

      Signature Algorithm

      Select the signature algorithm that matches the digest algorithm.

      If your service provider supports SHA256, select this algorithm.

      Digest Algorithm

      Select the digest algorithm that matches the signature algorithm.

      If your service provider supports SHA256, select this algorithm.

      Assertion Time - Enter the number of seconds for which the assertion that Workspace ONE sends to the service provider for authentication is valid.
      Request Signature - If you want the service provider to sign the SAML request it sends to Workspace ONE, enter the public signing certificate.
      Encryption Certificate - Enter the public encryption certificate that signs the SAML request from the application service provider to Workspace ONE.
      Application Login URL

      Enter the URL for your service provider's login page.

      This option triggers the service provider to initiate a login to Workspace ONE. Some service providers require authentication to start from their login page.

      Proxy Count - Enter the allowable proxy layers between the service provider and an authenticating identity provider.
      API Access - Enable API access to the SaaS application.
      Custom Attribute Mapping

      If your service provider allows custom attributes other than ones for single sign-on, add them.

      Open in VMware Browser

      Android and iOS

      Require Workspace ONE to open the application in the VMware Browser.

      If you use VMware Browser, opening SaaS applications within it adds extra security. This action keeps access within internal resources.

      SAML 1.1
      Signature Algorithm

      Select the signature algorithm that matches the digest algorithm.

      If your service provider supports SHA256, select this algorithm.

      Digest Algorithm

      Select the digest algorithm that matches the signature algorithm.

      If your service provider supports SHA256, select this algorithm.

      Assertion Time - Enter the number of seconds for which the assertion that Workspace ONE sends to the service provider for authentication is valid.
      Custom Attribute Mapping - If your service provider allows custom attributes other than ones for single sign-on, add them.
      Open in VMware Browser

      Android and iOS

      Require Workspace ONE to open the application in the VMware Browser.

      If you use VMware Browser, opening SaaS applications within it adds extra security. This action keeps access within internal resources.

      WSFed 1.2
      Credential Verification - Select the method for credential verification.
      Signature Algorithm

      Select the signature algorithm that matches the digest algorithm.

      If your service provider supports SHA256, select this algorithm.

      Digest Algorithm

      Select the digest algorithm that matches the signature algorithm.

      If your service provider supports SHA256, select this algorithm.

      Assertion Time - Enter the number of seconds for which the assertion that Workspace ONE sends to the service provider for authentication is valid.
      Custom Attribute Mapping - If your service provider allows custom attributes other than ones for single sign-on, add them.
      Open in VMware Browser

      Android and iOS

      Require Workspace ONE to open the application in the VMware Browser.

      If you use VMware Browser, opening SaaS applications within it adds extra security. This action keeps access within internal resources.

    4. Access Policies - Assign policies to secure signing in to application resources.

      Setting Description
      Access Policy

      Select a policy for Workspace ONE to use to control user authentication and access.

      The default access policy is available if you do not have custom access policies.

      You can configure these policies in the UEM console.

      License Approval Required

      For this option to display, enable the corresponding Approvals in the Settings section of SaaS applications.

      Require approvals before the application installs and activates a license.

      • License Pricing - Select the pricing model to buy licenses for the SaaS application.
      • License Type - Select the user model for the licenses, named or concurrent users.
      • Cost Per License - Enter the price per license.
      • Number of Licenses - Enter the number of licenses bought for the SaaS application.
  4. View the Summary for the SaaS application and move to the assignment process.
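
The following is an added example, not part of the product or its documentation: one way to derive the Manual SAML 2.0 values from step 3 out of a service provider's metadata XML before typing them into the console, flagging any ACS endpoint that is not HTTPS. The sample metadata, the `sp.example.com` host and the function name `manual_fields` are constructed for illustration, and mapping Application ID to the metadata `entityID` is an assumption that your service provider may not share.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
TRUE = ("true", "1")  # both lexical forms of an XML boolean

# Constructed sample metadata; sp.example.com is a placeholder host.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sp.example.com/saml/acs-legacy"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def manual_fields(metadata_xml):
    """Return (fields, warnings) for the Manual SAML 2.0 configuration."""
    # SAML metadata never needs a DTD; refuse it instead of expanding entities.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD or entity declarations found in metadata")
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{MD}SPSSODescriptor")
    endpoints = sp.findall(f"{MD}AssertionConsumerService") if sp is not None else []
    if root.tag != f"{MD}EntityDescriptor" or not endpoints:
        raise ValueError("not SAML 2.0 SP metadata with an ACS endpoint")
    # Prefer the endpoint marked isDefault, otherwise the lowest index.
    acs = min(endpoints, key=lambda e: (e.get("isDefault") not in TRUE,
                                        int(e.get("index", "0"))))
    formats = [n.text.strip() for n in sp.findall(f"{MD}NameIDFormat") if n.text]
    fields = {
        "Single Sign-On URL": acs.get("Location"),
        "Recipient URL": acs.get("Location"),  # same as SSO URL unless the SP requires another value
        "Application ID": root.get("entityID"),  # assumption: SP identifies itself by entityID
        "Username Format": formats[0] if formats else "unspecified",
        "Sign Assertion": sp.get("WantAssertionsSigned") in TRUE,
        "SP signs requests": sp.get("AuthnRequestsSigned") in TRUE,
    }
    warnings = [f"ACS endpoint is not HTTPS: {e.get('Location')}"
                for e in endpoints if not e.get("Location", "").startswith("https://")]
    return fields, warnings

if __name__ == "__main__":
    print(*manual_fields(SAMPLE_METADATA), sep="\n")
```

When "SP signs requests" is true, the service provider's public signing certificate is what the Request Signature setting expects.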

Assign SaaS Applications

Assign SaaS applications to users and groups configured in VMware Identity Manager. See Assign SaaS Applications.