VMWare Workspace ONE SAML application setup
Introduction
This manual shows you how to set up HelloID as IDP for VMWare Workspace ONE, using the SAML protocol. The configuration takes place in HelloID and in the VMWare Workspace ONE admin center.
Requirements:
HelloID environment
VMWare Workspace ONE
Create or Import a Certificate
If there is no certificate yet, a certificate must be imported or created. This can be done in the HelloID Administrator Portal under Settings > Certificates. For this tutorial, we will use a self-signed certificate. Learn more about certificates here.
HelloID Application Setup
Add the VMWare Workspace ONE Application to HelloID
Create a new application in HelloID by navigating to Applications > Applications. Open the Application Catalog and search for "VMWare Workspace ONE". Find the SAML template, and click Add. Learn more about managing applications here.
General tab
On the General tab, fill the default login URL with the VMWare Workspace ONE URL.
Optionally, you may also add a description. Click Next.
Single Sign-on tab
On the Single Sign-On tab, perform the following steps:
The Name ID format should be emailaddress, but can be changed. When you change this, you need to change it also in VMWare Workspace ONE.
The Endpoint URL is the endpoint provided by Workspace ONE. This will be the AssertionService URL of the specific Workspace ONE instance.
The SP-initiated URL is the same as the Endpoint URL
Keep the Sign Assertion option selected.
In the X509 Certificate dropdown, select the certificate that you created or imported previously.
The Custom Digest method can be the default.
The Custom signature methos can be the default.
Click Next.
Self service tab
On the Self Service tab, choose whether to automatically create a Self Service product, which makes the application requestable. This is optional. Click Next.
Finish tab
On the Finish tab, click Save to add the application to HelloID.
Application metadata
After saving the VMWare Workspace ONE application, click its Edit link on the applications overview. This will bring you to its properties page.
You now have two options to obtain the application metadata.
Static metadata (download)
You can simply click Download metadata at the right top of the screen and save the file to your local computer for later use in VMWare Workspace ONE.
Dynamic Metadata (URL)
You can copy the link address (something along the lines of https://enyoi.helloid.com/metadata/download?ApplicationGUID=e6e741f5-a469-4849-93f7-fe2e259a339f) and replace 'download' with 'index' to view the metadata.
Hiding the application
On the Edit page of the VMWare Workspace ONE application select Hide application.
VMWare Workspace ONE Configuration
Configuring VMWare Workspace ONE
After the Identity Provider has been configured, you can continue configuring VMWare Workspace ONE. To do so, follow the steps below:
Edit the general system settings
Sign in to VMWare Workspace ONE using an account with admin rights
Go to the Directory Services settings
On the Server tab, import the metadata XML file that you downloaded in the previous step. The setting will be configured automatically in VMWare Workspace ONE.
1) Change the Request binding type to POST
2) Change the NameID format to "Email Address"
3) Change the Authentication Response Security to "Validate Assertion Signatures"
4) Click Save 
On the User tab make sure that the User Search Filter is:
(&(objectCategory=person)(emailaddress={EnrollmentUser})
This will be necessary for internally enrollment of the user to VMWare Workspace ONE.
Fill the Attributes with the following values:
Object identifier | NameID |
Display Name | displayname |
First Name | givenname |
Last Name | surname |
Email address | emailaddress |
Please leave the other attributes on their default value.
Click Save
You have now successfully configured SSO for VMWare Workspace ONE in HelloID.