The Security Assertion Markup Language (SAML) 2.0 Authentication offers single sign-on support and federated authentication. Workspace ONE UEM never receives any corporate credentials.

If an organization has a SAML Identity Provider server, use SAML 2.0 integration. Ensure that the Identity Provider returns the objectGUID attribute as part of the SAML response.

Pros

  • Offers single sign-on capabilities.
  • Authentication with existing corporate credentials.
  • Workspace ONE UEM never receives corporate credentials in plain-text.
  • Can be used for Workspace ONE Direct Enrollment when paired with a SAML Directory User.
  • Multi-domain environments are supported for Administrators only.

Cons

  • Requires corporate SAML Identity Provider infrastructure.
  • Cannot be used for Workspace ONE Direct Enrollment when paired with a SAML Basic User.
  • SaaS apps are not available to SAML administrators who authenticate using Workspace ONE Access. See below for details.

This diagram shows the Workspace ONE SaaS server receiving input from a device via the internet and accessing the SAML identity provider via a firewall.

  1. Device connects to Workspace ONE UEM for enrollment. The UEM server then redirects the device to the client specified identity provider.
  2. Device securely connects through HTTPS to client provided identity provider and user enters credentials.
    • Credentials are encrypted during transport directly between the device and SAML endpoint.
  3. Credentials are validated against directory services.
  4. The identity provider returns a signed SAML response with the authenticated user name.
  5. The device responds back to the Workspace ONE UEM server and presents the signed SAML message. The user is authenticated.

    For more information, see the VMware AirWatch SAML Integration Guide.

SaaS App Functionality for SAML Admins

SaaS applications, as well as other Workspace ONE Access policies and functions, are unavailable to you if you are a SAML administrator who authenticates using Workspace ONE Access. You will see the following error message when you navigate to the SaaS Apps page.

Check that your administrator account exists in both UEM and IDM systems and that the domain in Workspace ONE UEM exactly matches the same account’s domain in VMware Identity Manager.

To restore SaaS app accessibility, you must log into Workspace ONE UEM using basic authentication and you must also enable Workspace ONE Access at your organization group.