Configure your Application Source by selecting the third-party identity provider. After the Application Source is set up, you can then create the associated applications and entitle the users.

  1. Navigate to Apps & Books > Applications > Web > SaaS and select Settings.
  2. Select Application Sources.
  3. Select the third-party identity provider. The third-party identity provider's Application Source wizard is displayed.
  4. Enter a descriptive name for the application source and click Next.

  5. Authentication Type defaults to SAML 2.0 and is read-only.
  6. Modify the application source Configuration.

    | Setting | Description |
    |---|---|
    | Configuration | URL/XML is the default option for SaaS applications that are not yet part of the Workspace ONE catalog. Manual is the default option for SaaS applications added from the catalog. |

    URL/XML

    | Setting | Description |
    |---|---|
    | URL/XML | Enter the URL if the XML metadata is accessible on the Internet. Paste the XML in the text box if the XML metadata is not accessible on the Internet, but you have it. Use manual configuration if you do not have the XML metadata. |
    | Relay State URL | Enter a URL where you want SaaS application users to land after a single sign-on procedure in an identity provider-initiated (IDP) scenario. |

    Manual

    | Setting | Description |
    |---|---|
    | Single Sign-On URL | Enter the Assertion Consumer Service (ACS) URL. Workspace ONE sends this URL to your service provider for single sign-on. |
    | Recipient URL | Enter the URL with the specific value required by your service provider that states the domain in the SAML assertion subject. If your service provider does not require a specific value for this URL, enter the same URL as the Single Sign-On URL. |
    | Application ID | Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID. Some service providers use the Single Sign-On URL. |
    | Username Format | Select the format required by the service providers for SAML subject format. |
    | Username Value | Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement. This value is a default profile field value for a username at the application service provider. |
    | Relay State URL | Enter a URL where you want SaaS application users to land after a single sign-on procedure in an identity provider-initiated (IDP) scenario. |

  7. Modify the Advanced Properties.

    | Setting | Description |
    |---|---|
    | Sign Response | Enter the URL to direct users to the SaaS application on the Internet. |
    | Sign Assertion | Enter the Assertion Consumer Service (ACS) URL. Workspace ONE sends this URL to your service provider for single sign-on. |
    | Encrypt Assertion | Enter the URL with the specific value required by your service provider that states the domain in the SAML assertion subject. If your service provider does not require a specific value for this URL, enter the same URL as the Single Sign-On URL. |
    | Include Assertion Signature | Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID. Some service providers use the Single Sign-On URL. |
    | Signature Algorithm | Select SHA256 with RSA as the secure encrypted hash algorithm. |
    | Digest Algorithm | Select SHA256. |
    | Assertion Time | Enter the SAML assertion time in seconds. |
    | Request Signature | If you want the service provider to sign the request it sends to Workspace ONE, enter the public signing certificate. |
    | Encryption Certificate | Enter the public encryption certificate if you want the SAML request from the application service provider to Workspace ONE to be signed. |
    | Application Login URL | Enter the URL for your service provider's login page. This option triggers the service provider to initiate a login to Workspace ONE. Some service providers require authentication to start from their login page. |
    | Proxy Count | Enter the allowable proxy layers between the service provider and an authenticating identity provider. |
    | API Access | Allow API access to this application. |
  8. Configure Custom Attribute Mapping. If your service provider allows custom attributes other than ones for single sign-on, add them.
  9. Select Open in VMware Browser if you want to open the application in the VMware Browser. This option requires Workspace ONE to open the application in the VMware Browser. Opening SaaS applications within the VMware Browser adds extra security, because it keeps access within internal resources.
  10. Click Next.
  11. To secure signing in to application resources, select the Access policies. Click Next to view the Summary page.

  12. Click Save.

    Note:

    If you select Save and Assign while configuring the application source, you set the entitlements for the application source to All Users. However, you can change the default settings and manage the user entitlements and add users or user groups. For more information, see Adding users to the Application Source.
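After saving, it is worth confirming that an assertion issued for the application actually reflects the values entered in steps 6 and 7. The following is an added example, not VMware code: it inspects a captured assertion for the Signature Algorithm, Digest Algorithm, Recipient URL, Application ID and Assertion Time settings, and it does not verify the signature cryptographically. It assumes the Application ID appears as the assertion's Audience and that Assertion Time bounds the Conditions validity window; the sample assertion and its URLs are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def _ts(value):  # SAML timestamps are UTC, e.g. 2024-01-01T00:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_assertion(xml_text, expected):
    """Return mismatches between an assertion and the configured values."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed")
    root, findings = ET.fromstring(xml_text), []
    sig = root.find(".//ds:SignatureMethod", NS)
    dig = root.find(".//ds:DigestMethod", NS)
    if sig is None or sig.get("Algorithm") != RSA_SHA256:
        findings.append("signature algorithm is not SHA256 with RSA")
    if dig is None or dig.get("Algorithm") != SHA256:
        findings.append("digest algorithm is not SHA256")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["recipient_url"]:
        findings.append("Recipient does not match the Recipient URL")
    aud = root.find(".//saml:Audience", NS)  # assumed to carry the Application ID
    if aud is None or (aud.text or "").strip() != expected["application_id"]:
        findings.append("Audience does not match the Application ID")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        findings.append("Conditions validity window is missing")
    else:  # assumed: Assertion Time bounds NotOnOrAfter - NotBefore
        window = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
        if window.total_seconds() > expected["assertion_time"]:
            findings.append("validity window exceeds the Assertion Time")
    return findings

# Constructed sample (hypothetical SP URLs); signature values omitted on purpose.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
</ds:Reference></ds:SignedInfo></ds:Signature><saml:Subject><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:10:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example.com/tenant</saml:Audience>
</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""
EXPECTED = {"recipient_url": "https://sp.example.com/acs", "assertion_time": 200,
            "application_id": "https://sp.example.com/tenant"}
```

Calling `audit_assertion(SAMPLE, EXPECTED)` reports the SHA-1 signature method and the 600-second validity window, which exceeds the 200 seconds assumed for Assertion Time.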