SaaS applications are called Web applications in Workspace ONE Access. You can add, edit, and delete these applications in one management console. They consist of a URL address to the landing page of the resource. They also include an application record. You can add SaaS applications to the Workspace ONE UEM console from your web applications in the Workspace ONE catalog. When you use access policies with SaaS applications, you can control access to the application at the point of authentication.

Control Access at the Time of Authentication

SaaS applications and access policies offer control of resources at the time of authentication. The table explains the various access control options:

| Component | Description |
|---|---|
| Authentication method | Require the use of federation protocols when accessing the SaaS application. Federation protocols use tokens to allow access and to establish trust between the resource and the user. |
| Identity and Service Providers | To configure trust between your providers, SaaS applications, and users in your network, use the identity provider and the service provider metadata from the Workspace ONE system in Workspace ONE UEM. |
| Certificates | To control trust between users in your Workspace ONE system and the SaaS or enter one from your certificate authority. |
| Users and User Groups | Configure users and user groups in Workspace ONE Access and then assign them to SaaS applications in the Workspace ONE UEM console. |
| Secured Connection | Enable trusted connections with the VMware Enterprise System between the Workspace ONE system, SaaS applications, and users. |
| Session Access & Length | Configure access policies and mobile SSO to control the allowable time to access SaaS applications before users must reauthenticate with Workspace ONE. |

SaaS App Functionality for SAML Admins

SaaS applications, as well as other Workspace ONE Access policies and functions, are unavailable to you if you are a SAML administrator who authenticates using Workspace ONE Access. You will see the following error message when you navigate to the SaaS Apps page.

Check that your administrator account exists in both UEM and IDM systems and that the domain in Workspace ONE UEM exactly matches the same account’s domain in VMware Identity Manager.

To restore SaaS app accessibility, you must log in to Workspace ONE UEM using basic authentication and you must also enable Workspace ONE Access at your organization group.

Supported Applications

You can deploy SaaS applications to these platforms:

  • Android
  • Apple iOS
  • Apple macOS
  • Windows Desktop (Windows 10)

SaaS Application Requirements

To access SaaS applications that are managed in Workspace ONE Access from the Workspace ONE UEM console, you can set up peripheral systems so that the two systems can communicate.

Configure or integrate the listed systems so that you can access the SaaS applications page.

  • Active Directory - This component integrates Workspace ONE UEM and Workspace ONE Access to sync users and groups from Active Directory (AD) to the service. You assign SaaS applications to the users and groups synced from Active Directory.

    Note: With setup of the connector, AD users and groups are in sync between Workspace ONE UEM and Workspace ONE Access.

  • Workspace ONE Access - This component serves many functions including managing your users and groups and managing authentication to resources.

  • Mobile SSO - This component manages single sign-on (SSO) capabilities in the Workspace ONE portal for Workspace ONE UEM-managed Android and iOS devices. For Android devices, mobile SSO uses certificate authentication. For iOS devices, it uses the identity provider in the Workspace ONE Access

    Note: Mobile SSO is different from the SSO feature for applications that use the Workspace ONE SDK.

  • Access Policies - This component provides secure access to the Workspace ONE apps portal to start Web applications. Access policies include rules that specify criteria that must be met to sign in to the apps portal and to use resources.

    A default policy is available that controls access as a whole. This policy is set up to allow access to all network ranges, from all device types, for all users. You can create stricter access policies that restrict users' access to applications based on access rules you define.
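
A simplified model of how stricter access rules narrow the allow-all default policy, added here as an illustration; it is not Workspace ONE Access code. The rule fields, first-match ordering, group and device names, address ranges, and session lengths are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One access rule; field names are hypothetical, not product settings."""
    network: str             # CIDR range the client address must fall in
    device_types: frozenset  # device types the rule covers; empty means all
    groups: frozenset        # user groups the rule covers; empty means all
    reauth_hours: int        # session length before reauthentication

    def matches(self, ip, device, user_groups):
        in_range = ipaddress.ip_address(ip) in ipaddress.ip_network(self.network)
        device_ok = not self.device_types or device in self.device_types
        group_ok = not self.groups or bool(self.groups & set(user_groups))
        return in_range and device_ok and group_ok

def evaluate(policy, ip, device, user_groups, hours_since_auth):
    """Return 'allow', 'reauthenticate', or 'deny' (assumed first-match order)."""
    for rule in policy:
        if rule.matches(ip, device, user_groups):
            if hours_since_auth >= rule.reauth_hours:
                return "reauthenticate"  # session length exceeded
            return "allow"
    return "deny"  # no rule matched: fail closed

# Default-style policy as described above: every IPv4 range, device type, and
# user. The 8-hour session length is a constructed value.
DEFAULT_POLICY = [Rule("0.0.0.0/0", frozenset(), frozenset(), 8)]

# Stricter constructed policy: anyone on the internal range; outside it, only
# the Finance group on iOS or Android, with a one-hour session.
STRICT_POLICY = [
    Rule("10.0.0.0/8", frozenset(), frozenset(), 8),
    Rule("0.0.0.0/0", frozenset({"iOS", "Android"}), frozenset({"Finance"}), 1),
]
```

Running the same request against both policies shows what the default leaves open: a Sales user on a Windows device at an external address is allowed by `DEFAULT_POLICY` and denied by `STRICT_POLICY`.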

Deploy SaaS Applications to Users and Groups

You can deploy SaaS applications to users and groups configured from your Active Directory system. The system identifies users and groups by a name and a domain. These users and groups are not the same as Workspace ONE UEM console smart groups; you configure them in Workspace ONE Access.

  1. Navigate to Resources > Apps > SaaS.
  2. Select the SaaS application and then choose Assign.
  3. Complete the assignment options and save the assignment settings.

    | Setting | Description |
    |---|---|
    | Users / User Groups | Enter users and user groups that receive the application assignment. Users and user groups are enabled to sign in to Workspace ONE. |
    | Deployment Type | User-Activated - Requires users to select applications in the Workspace ONE Catalog and to add them to the Launcher to activate them. Automatic - Displays applications in the Launcher of Workspace ONE the next time users log in to the Workspace ONE portal. |