Settings include features that apply to all SaaS applications in your Workspace ONE environment. Control access with configurations for SAML authentication and with required approvals.


Configure SaaS applications to require approval before users can access them. Use this feature when you have SaaS applications that use licenses for access to help manage license activations. When you enable approvals, configure the corresponding, License Approval Required, in the applicable SaaS application record.

Approval Workflow

Users view the application in their Workspace ONE catalog and request use of the application. VMware Identity Manager sends the approval request message to the organization's configured approval REST endpoint URL. The system reviews the request and sends back an approved or denied message to VMware Identity Manager. When an application is approved, the application status turns from Pending to Added and the application displays in the user's Workspace ONE launcher page.

Approval Engines

The system offers two approval engines.

  • REST API - The REST API approval engine uses an external approval tool that routes through your Webserver REST API to perform the request and approval responses. You enter your REST API URL in the VMware Identity Manager service and configure your REST APIs with the VMware Identity Manager OAuth client credential values and the callout request and response action.
  • REST API via Connector - The REST API via the Connector approval engine routes the callback calls through the connector using the Websocket-based communication channel. You configure your REST API endpoint with the callout request and response action.

For information on approvals, see Configure Approvals.

SAML Metadata

You can use the SAML certificates from the Settings page for authentication systems like mobile single sign-on.

Self-Signed Certificates or Certificates from CAs

The VMware Identity Manager service automatically creates a self-signed certificate for SAML signing. However, some organizations require certificates from certificate authorities (CAs). To request a certificate from your CA, generate a certificate signing request (CSR) in Settings. You can use either certificate to authenticate users to SaaS applications.

Send the certificate to relying applications to configure authentication between the application and the Workspace ONE system.

For information on retrieving SAML metadata and certificates from the Settings page, see SAML Metadata for Single Sign-On with SaaS Applications.

Application Sources

You can add third-party identity providers to authenticate users in VMware Identity Manager. To configure the provider instance, use the identity provider and service provider metadata you copied from the Settings section in the AirWatch Console. For detailed information on how to configure third-party providers, see Configure a Third-Party Identity Provider Instance to Authenticate Users, in VMware Identity Manager Documentation.


You can configure your Application Source by selecting the corresponding third-party Identity provider. After the Application source is set up, you can then create the associated applications. For more information, see Configuring third-party identity providers as an Application Source.