Setting up Single Sign-On (SSO) to Workspace ONE UEM Self Service Portal (SSP) and Admin Console

Workspace ONE Access is an integral part of the Workspace ONE platform and supports Workspace ONE Intelligent Hub, Workspace ONE Unified Endpoint Management (UEM) and VMware Horizon.

Many administrators like the ability to then provide a Single Sign-On (SSO) capability into the Workspace ONE UEM console for both admin (console) access and the user self service portal (SSP).

The purpose of this guide is to step you through the configuration to enable this capability.

Self Service Portal

This section details the integration between Workspace ONE Access and UEM for the Self Service Portal (or SSP)

  1. Open the Workspace ONE Access admin console Download Identity provider metadata from Workspace ONE Access
  2. Click on Catalog > Web Apps > Settings
  3. Click on SAML Metadata from the left panel. 
  4. Click on Identity Provider (IdP) metadata link. 

5. Right-click on the page and save the idp.xml to the preferred location

6. Login to the Workspace One UEM, navigate to Group and Settings > All Settings > Expand System > Enterprise Integration > Directory Services

7. Below are the Advanced Settings to enable:

  • Use SAML for Authentication: Enabled
  • Enable SAML Authentication for: Admin and Self-Service Portal as shown:
  • Import Identity Provider Settings: Upload the idp.xml file downloaded from Workspace ONE Access. 
  • Click Save <- This is an important step to then view the imported information
  • Change Request and Response Binding Type to POST
  • The imported information in my lab is shown below:

  • Click Save

  1. To add the application please log into the Access console as an administrator who has rights to add the application. Navigate to Catalog > Web Apps
  2. Click on New
  3. Click on browse from Catalog
  4. Navigate to the app you want to add. Here we are adding the AirWatch application. There is a plus sign click on that.
  5. The application will be selected as shown:

6. Personal preference, replace the default icon with this new one and change the wording of the application as follows:

7. Click Next

8. All the details will be pre-filled and it does not need any modification. Details that need to be added are under Configuration > Application Parameters

  • AWServerName: <ds URL without https> ie.  ds500.awmdm.com
  • ac: This is the group id of the OG where the SAML would be set up in AirWatch Side> For my lab it’s eucau
  • audience: This is the Service Provider (AIrWatch ID), this needs to be exactly same from AirWatch console, this is found under Directory settings when you enable SAML. Let’s use AirWatch

    Note: Please try to keep capitalisation as it is in AirWatch, it should not matter however it is nice to be consistent throughout.

Important Note: AWServerName should be the WS1 Device Services server name.

Here are the application parameters from my lab environment:

9. Click Next

10. Select the default access policy and click Next

11. Click Save and Assign

12. Enter All Users and then click Save

Now login to Workspace ONE Access with a test user and you should be then displayed the new SSP icon as follows:

Click on this application and after a few moments you should be then SSO’ed into the user Self Service Portal for that user as shown:

Workspace ONE UEM Admin Portal

This section details the integration between Workspace ONE Access and the UEM Admin portal.

  1. Create an administrator in Workspace ONE UEM (basic) with the same userid as the account in Workspace ONE UEM. For example:
  1. To add the application please log into the Access console as an administrator who has rights to add the application. Navigate to Catalog > Web Apps
  2. Click on New
  3. Click on browse from Catalog
  4. Navigate to the app you want to add. Here we are adding the AirWatch Admin application. There is a plus sign click on that.
  5. The application will be selected as shown:

7. Personal preference, replace the default icon with this new one and change the wording of the application as follows:

8. Click Next

9. All the details will be pre-filled and it does not need any modification. Details that need to be added are under Configuration > Application Parameters

  • AWServerName: <ds URL without https> ie.  cn500.awmdm.com
  • ac: This is the group id of the OG where the SAML would be set up in AirWatch Side> For my lab it’s eucau
  • audience: This is the Service Provider (AIrWatch ID), this needs to be exactly same from AirWatch console, this is found under Directory settings when you enable SAML. Let’s use AirWatch

    Note: Please try to keep capitalisation as it is in AirWatch, it should not matter however it is nice to be consistent throughout.

Important Note: AWServerName should be the WS1 Console Server server name.

Here are the application parameters from my lab environment:

10. Click on Advanced Properties and create a new attribute called ObjectGUID with a value of ${user.Externalld}

11. Click Next

12. Select the default access policy and click Next

13. Click Save and Assign

14. Enter an appropriate admin group and then click Save

15. Now login to Workspace ONE Access with an admin account and you should be then displayed the new UEM console icon as follows:

16. Click on this application and after a few moments you should be then SSO’ed into the Workspace ONE UEM Admin console as shown:

That’s it! You’ve now enabled SSO from Access for both SSP and the UEM Admin Console.

Two Factor Authentication

If you wish to enable two factor authentication (2FA) to access the administration console, you can leverage the integrated Intelligent Hub Verify application.

To set this up, check out Steve D’Sa’s excellent article Bringing MFA into the Intelligent Hub. I then created a new access policy called MFA and included the Workspace ONE UEM Console application and a policy for Web Browser device type:

When you then click on the pace ONE UEM Console application you’ll see a message that you need to approve the login on your mobile device as shown:

1 Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s