You can add SaaS applications in the Workspace ONE UEM console. Browse applications already added to your Workspace ONE catalog or add new ones. You can also create copies or export SaaS applications in your Workspace ONE environment.

Procedure

  1. Navigate to Resources > Apps > SaaS and select New.
  2. Complete the options on the Definition tab.
    Setting - Description
    Search - You can create an application by copying it from global catalog. Enter the name of the SaaS application and search for the application in the global catalog. You can also browse the application from the global catalog.
    Name - Enter a name for the SaaS application.
    Description - (Optional) Provide a description of the application.
    Icon - (Optional) Click Browse and upload an icon for the application. SaaS applications use icons in PNG, JPG, and ICON file formats. The application icons that you upload must be a minimum of 180 x 180 pixels. If the icon is too small, the icon does not display. In this instance, the system displays the default icon.
    Category - Assign categories to help users sort and filter the application in the Workspace ONE catalog. Configure categories in Workspace ONE Access so that they display in the category list.

  3. Complete the options on the Configuration tab.
    1. Select the Authentication Type for the SaaS application. Available options vary depending on the type you select. The authentication type determines the available settings on the user interface. There are several permutations.
      • SAML 2.0 - Select this option to provide single sign-on for applications that use the SAML 2.0 authentication.
        Table 1. Authentication Settings for SAML 2.0 - URL/XML
        Setting - Description
        Configuration - URL/XML is the default option for SaaS applications that are not yet part of the Workspace ONE catalog.
        URL/XML - Enter the URL if the XML metadata is accessible on the Internet. Paste the XML in the text box if the XML metadata is not accessible on the Internet, but you have it.

        Use manual configuration if you do not have the XML metadata. T

        Relay State URL - Enter a URL where you want SaaS application users to land after a single sign-on procedure in an identity provider-initiated (IDP) scenario.

        Table 2. Authentication Settings for SAML 2.0 - Manual
        Setting - Description
        Configuration - Manual is the default option for SaaS applications added from the catalog.
        Single Sign-On URL - Enter the Assertion Consumer Service (ACS) URL. Workspace ONE sends this URL to your service provider for single sign-on.
        Recipient URL - Enter the URL with the specific value required by your service provider that states the domain in the SAML assertion subject. If your service provider does not require a specific value for this URL, enter the same URL as the Single Sign-On URL.
        Application ID - Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID. Some service providers use the Single Sign-On URL.
        Username Format - Select the format required by the service providers for the SAML subject format.
        Username Value - Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement. This value is a default profile text box value for a username at the application service provider.
        Relay State URL - Enter a URL where you want SaaS application users to land after a single sign-on procedure in an identity provider-initiated (IDP) scenario.
      • SAML 1.1 - SAML 1.1 is an older SAML authentication profile. For better security, implement SAML 2.0.
        Setting - Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
        Single Sign-On URL - Enter the Assertion Consumer Service (ACS) URL. Workspace ONE sends this URL to your service provider for single sign-on.
        Recipient URL - Enter the URL with the specific value required by your service provider that states the domain in the SAML assertion subject. If your service provider does not require a specific value for this URL, enter the same URL as the Single Sign-On URL.
        Application ID - Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID. Some service providers use the Single Sign-On URL.

      • WSFed 1.2 - Select this option to provide single sign-on to applications that use WS-Federation authentication.
        Setting - Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
        Single Sign-On URL - Enter the Assertion Consumer Service (ACS) URL. Workspace ONE sends this URL to your service provider for single sign-on.
        Application ID - Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID. Some service providers use the Single Sign-On URL.
        Username Format - Select the format required by the service providers for the SAML subject format.
        Username Value - Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement. This value is a default profile text box value for a username at the application service provider.

      • Web Application Link - If the application does not use a federation protocol, select this option. Enter the target URL of the application.
        Setting - Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
      • OpenID Connect - Select this option to provide single sign-on to applications that use the OAuth 2.0 protocol.
        Setting - Description
        Target URL - Enter the URL to direct users to the SaaS application on the Internet.
        Redirect URL - Enter the URL of the client that receives the authorization code and access token.
        Client ID - Enter the unique string for the client.
        Client Secret - Enter the secret used to authorize the client.
    2. In Application Parameters, add values for the advanced parameters that allow the application to start. This option is not available for all applications.
    3. If you want greater control of messaging in single sign-on processes with Workspace ONE, add optional parameters in Advanced Properties. The authentication type determines the available settings on the user interface. There are several permutations. Go to the authentication type for your SaaS application.
      Table 3. Advanced Properties - SAML 2.0
      Setting - Description
      Sign Response - Require Workspace ONE to sign the response message to the service provider. This signature verifies that Workspace ONE created the message.
      Sign Assertion - Require Workspace ONE to sign the assertion within the response message sent to the service provider. Some service providers require this option.
      Encrypt Assertion - Encrypt the SAML assertion the system sends to the application service provider.
      Include Assertion Signature - Require Workspace ONE to include its signing certificate within the response message sent to the service provider. Some service providers require this option.
      Signature Algorithm - Select the signature algorithm that matches the digest algorithm. If your service provider supports SHA256, select this algorithm.
      Digest Algorithm - Select the digest algorithm that matches the signature algorithm. If your service provider supports SHA256, select this algorithm.
      Assertion Time - Enter the number of seconds that the assertion Workspace ONE sends to the service provider for authentication is valid.
      Request Signature - If you want the service provider to sign the SAML request it sends to Workspace ONE, enter the public signing certificate.
      Encryption Certificate - Enter the public encryption certificate that signs the SAML request from the application service provider to Workspace ONE.
      Application Login URL - Enter the URL for your service provider's login page. This option triggers the service provider to initiate a login to Workspace ONE. Some service providers require authentication to start from their login page.
      Proxy Count - Enter the allowable proxy layers between the service provider and an authenticating identity provider.
      API Access - Enable API access to the SaaS application.
      Custom Attribute Mapping - If your service provider allows custom attributes other than ones for single sign-on, add them.
      Open in VMware Browser (Android and iOS) - Require Workspace ONE to open the application in the VMware Browser. If you use VMware Browser, opening SaaS applications within it adds extra security. This action keeps access within internal resources.

      Table 4. Advanced Properties - SAML 1.1
      Setting - Description
      Signature Algorithm - Select the signature algorithm that matches the digest algorithm. If your service provider supports SHA256, select this algorithm.
      Digest Algorithm - Select the digest algorithm that matches the signature algorithm. If your service provider supports SHA256, select this algorithm.
      Assertion Time - Enter the number of seconds that the assertion Workspace ONE sends to the service provider for authentication is valid.
      Custom Attribute Mapping - If your service provider allows custom attributes other than ones for single sign-on, add them.
      Open in VMware Browser (Android and iOS) - Require Workspace ONE to open the application in the VMware Browser. If you use VMware Browser, opening SaaS applications within it adds extra security. This action keeps access within internal resources.

      Table 5. Advanced Properties - WSFed 1.2
      Setting - Description
      Credential Verification - Select the method for credential verification.
      Signature Algorithm - Select the signature algorithm that matches the digest algorithm. If your service provider supports SHA256, select this algorithm.
      Digest Algorithm - Select the digest algorithm that matches the signature algorithm. If your service provider supports SHA256, select this algorithm.
      Assertion Time - Enter the number of seconds that the assertion Workspace ONE sends to the service provider for authentication is valid.
      Custom Attribute Mapping - If your service provider allows custom attributes other than ones for single sign-on, add them.
      Open in VMware Browser (Android and iOS) - Require Workspace ONE to open the application in the VMware Browser. If you use VMware Browser, opening SaaS applications within it adds extra security. This action keeps access within internal resources.

    4. Assign policies to secure signing in to application resources with Access Policies.
      Setting - Description
      Access Policy - Select a policy for Workspace ONE to use to control user authentication and access. The default access policy is available if you do not have custom access policies. You can configure these policies in the UEM console.
      License Approval Required - For this option to display, enable the corresponding Approvals in the Settings section of SaaS applications. Require approvals before the application installs and activates a license.

      • License Pricing - Select the pricing model to buy licenses for the SaaS application.
      • License Type - Select the user model for the licenses, named or concurrent users.
      • Cost Per License - Enter the price per license.
      • Number of Licenses - Enter the number of licenses bought for the SaaS application.
  4. View the Summary for the SaaS application and move to the assignment process.
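
An added example (not VMware's code): a Python check to run over a SAML 2.0 response captured from a test login, confirming that the Recipient URL, Application ID, Assertion Time, and SHA256 selections in the procedure above took effect. The sample response and the sp.example.com URLs are constructed; treating Application ID as the assertion's Audience and Assertion Time as the bound on the Conditions validity window is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample response (hypothetical SP URLs, signature values omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml:Assertion><ds:Signature><ds:SignedInfo>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
 <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
</ds:SignedInfo></ds:Signature>
<saml:Subject><saml:SubjectConfirmation>
 <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:10:00Z">
 <saml:AudienceRestriction><saml:Audience>https://sp.example.com/other</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_response(xml_text, recipient_url, application_id, assertion_time):
    """Return findings where the response disagrees with the configured values."""
    root = ET.fromstring(xml_text)  # only parse captures from your own test login
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted; decrypt it before auditing"]
    findings = []
    if root.find(".//saml:Assertion/ds:Signature", NS) is None:
        findings.append("assertion carries no signature")
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iterfind(f".//ds:{tag}", NS):
            if el.get("Algorithm", "").lower().endswith("sha1"):
                findings.append(f"{tag} uses SHA-1")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient_url:
        findings.append("Recipient differs from the configured Recipient URL")
    # Assumption: Application ID appears as the assertion's Audience.
    if application_id not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        findings.append("Audience does not contain the configured Application ID")
    # Assumption: Assertion Time bounds the Conditions validity window.
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        window = (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds()
        if window > assertion_time:
            findings.append(f"validity window {window:.0f}s exceeds Assertion Time {assertion_time}s")
    return findings

if __name__ == "__main__":
    print(audit_response(SAMPLE, "https://sp.example.com/saml/acs", "https://sp.example.com/saml/metadata", 200))
```

The check reads the declared algorithms and addressing fields only; it does not verify the signature itself, which remains the service provider's job.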

What to do next

  1. Create copies of SaaS applications and assign them to different users and groups. Using copies of applications is useful if your deployment has different business units that use the same application. You can select the application and click Copy to create copies of SaaS applications.
  2. Assign SaaS applications to users and groups configured in Workspace ONE UEM. See Assign SaaS Applications.
  3. Export SaaS applications that you want to test in a staging area or that you want to use on a local machine without the Workspace ONE system. You can select the application and click Export to export SaaS applications. The system saves a ZIP file of the JSON application bundle to the local machine.