Security Assertion Markup Language (SAML) 2.0 authentication offers single sign-on support and federated authentication. Workspace ONE™ UEM never receives any corporate credentials. If an organization has a SAML Identity Provider server, use SAML 2.0 integration.


  • Offers single sign-on capabilities.
  • Authentication with existing corporate credentials.
  • Workspace ONE UEM never receives corporate credentials in plaintext.
  • Can be used for Workspace ONE Direct Enrollment when paired with a SAML Directory User.


  • Requires corporate SAML Identity Provider infrastructure.
  • Cannot be used for Workspace ONE Direct Enrollment when paired with a SAML Basic User.


  1. The device connects to Workspace ONE UEM for enrollment. The UEM server then redirects the device to the client-specified identity provider.
  2. The device securely connects through HTTPS to the client-provided identity provider, and the user enters credentials.
    • Credentials are encrypted during transport directly between the device and SAML endpoint.
  3. Credentials are validated against directory services.
  4. The identity provider returns a signed SAML response with the authenticated user name.
  5. The device responds to the Workspace ONE UEM server and presents the signed SAML message. The user is authenticated.
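
The service-provider side of steps 4 and 5, as an added example that is not VMware's code: the structural checks a service provider applies to a signed SAML response before trusting the user name in it. The `check_response` helper, the sample message and every URL, ID and name in it are constructed assumptions, and verifying the signature value itself is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response; every URL, ID and name is a placeholder.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" InResponseTo="_req1" Destination="https://uem.example.test/acs">
 <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
 <a:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <a:Subject><a:NameID>jdoe</a:NameID></a:Subject>
  <a:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
   <a:AudienceRestriction><a:Audience>https://uem.example.test/sp</a:Audience></a:AudienceRestriction>
  </a:Conditions>
 </a:Assertion></p:Response>"""

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, acs_url, audience, request_id, now):
    """Return (name_id, problems). Does NOT verify the signature value itself."""
    root, problems = ET.fromstring(xml_text), []
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    for attr, want in (("Destination", acs_url), ("InResponseTo", request_id)):
        if root.get(attr) != want:
            problems.append(attr + " does not match")
    assertions = root.findall(".//a:Assertion", NS)
    if len(assertions) != 1:  # a second, wrapped assertion is rejected outright
        return None, problems + ["expected exactly one Assertion"]
    a = assertions[0]
    signed = {r.get("URI") for r in root.iter("{%s}Reference" % NS["ds"])}
    if not signed & {"#" + a.get("ID", ""), "#" + root.get("ID", "")}:
        problems.append("no signature reference covers the assertion")
    cond = a.find("a:Conditions", NS)
    try:  # missing or malformed timestamps fail closed
        ok = ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        ok = False
    if not ok:
        problems.append("assertion outside its validity window")
    if audience not in [e.text for e in a.iter("{%s}Audience" % NS["a"])]:
        problems.append("Audience does not name this service provider")
    name_id = a.find("a:Subject/a:NameID", NS)
    return (None if problems or name_id is None else name_id.text), problems
```

The user name is returned only when every check passes; any single failure yields `None` together with the list of reasons.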

For more information, see the VMware AirWatch SAML Integration Guide.

For more information, see Workspace ONE Direct Enrollment.