Settings include features that apply to all SaaS applications in your Workspace ONE environment. Control access with configurations for SAML authentication and with required approvals.


Configure SaaS applications to require approval before users can access them. Use this feature when you have SaaS applications that use licenses for access to help manage license activations. When you enable approvals, configure the corresponding, License Approval Required, in the applicable SaaS application record.

  • Approval Workflow - Users view the application in their Workspace ONE catalog and request use of the application. Workspace ONE UEMsends the approval request message to the organization's configured approval REST endpoint URL. The system reviews the request and sends back an approved or denied message to Workspace ONE UEM. When an application is approved, the application status turns from Pending to Added and the application displays in the user's Workspace ONE launcher page.
  • Approval Engines - The system offers two approval engines.
    • REST API - The REST API approval engine uses an external approval tool that routes through your Webserver REST API to perform the request and approval responses. You enter your REST API URL in the Workspace ONE UEM service and configure your REST APIs with the Workspace ONE UEMOAuth client credential values and the callout request and response action.
    • REST API via Connector - The REST API via the Connector approval engine routes the callback calls through the connector using the Websocket-based communication channel. You configure your REST API endpoint with the callout request and response action.

    For information on approvals, see Configure Approvals.

SAML Metadata and Self-Signed Certificates or Certificates from CAs

You can use the SAML certificates from the Settings page for authentication systems like mobile single sign-on.

The Workspace ONE UEM service automatically creates a self-signed certificate for SAML signing. However, some organizations require certificates from certificate authorities (CAs). To request a certificate from your CA, generate a certificate signing request (CSR) in Settings. You can use either certificate to authenticate users to SaaS applications.

Send the certificate to relying applications to configure authentication between the application and the Workspace ONE system.

For information on retrieving SAML metadata and certificates from the Settings page, see SAML Metadata for Single Sign-On with SaaS Applications.

Application Sources

You can add third-party identity providers to authenticate users in Workspace ONE UEM . To configure the provider instance, use the identity provider and service provider metadata you copied from the Settings section in the AirWatch Console. For detailed information on how to configure third-party providers, see Configure a Third-Party Identity Provider Instance to Authenticate Users, in Workspace ONE UEMDocumentation.

You can configure your Application Source by selecting the corresponding third-party Identity provider. After the Application source is set up, you can then create the associated applications. For more information, see Configuring third-party identity providers as an Application Source.