This article will help you configure VMware Workspace ONE as your HelloID SAML Identity Provider. This is useful if your organization uses VMware Workspace ONE as a primary method of authenticating access to online services.
Get the VMware Workspace ONE Metadata
- Log in to your VMware Workspace ONE admin console and select Catalog > Web Apps.
- Select Settings and go to SaaS Apps > SAML Metadata.
- Select the Copy URL link for the Identity Provider (IdP) metadata. The URL resembles https://{customer}.vmwareidentity.co.uk/SAAS/API/1.0/GET/metadata/idp.xml.
- Open the URL in your browser, and copy the certificate string inside the <ds:X509Certificate> element. Leave this tab open in your browser, as you will return to it later.
Configure the HelloID Identity Provider
- Sign in to the HelloID Administrator Dashboard.
- Import a new certificate for the connection with VMware Workspace ONE. Use the previously copied string. Learn how to import a certificate.
- Go to Security > Authentication > Identity Providers and select the Create Provider button.
- Find the SAML - Generic IdP and select the Add button.
- Enter a Name and turn on the Use Response Certificate toggle. Copy the Consumer URL to a notepad app on your computer, as you will need it shortly. View a complete configuration reference here.
- Select the Configuration tab. Enter the following required information. You may configure other optional settings as desired.
  - Login URL: Enter the SingleSignOnService URL from the metadata file you left open in your browser. This URL is found in the line with the HTTP-POST binding. For example:
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://{customer}.vmwareidentity.co.uk/SAAS/auth/federation/sso"/>
  - Binding: Set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  - Request Certificate: Select the certificate you previously created.
  - Response Certificate: Select the certificate you previously created.
- Select the Save button to confirm the IdP configuration.
Configure the VMware Workspace ONE SaaS App
- In the VMware Workspace ONE console, select the New button to create a new SaaS application.
- Enter a name for the new SaaS app and select the Next button.
- Enter the following information:
  - Authentication Type: SAML 2.0
  - Configuration: Manual
  - Single Sign-On URL: The Consumer URL you previously copied.
  - Recipient URL: The Consumer URL you previously copied.
  - Application ID: The last part of the Consumer URL, after the final /.
  - Signed Response: Enable
  - Name ID Format: Email
- Scroll down and select the Advanced Properties link.
- Enter the following information:
  - Signature Algorithm: SHA256 with RSA
  - Digest Algorithm: SHA256
  - Assertion Time: 200
  - Request Signature: Paste the same certificate string you previously used to create the certificate.
- Select the Next button.
- Select your preferred Access Policy. Select the Next button.
- In the configuration overview, select the Save (or Save & Assign) button.
- Users can now log in to HelloID via the new SAML connection, after being authenticated in VMware Workspace ONE.
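
The values this procedure copies by hand (the Login URL with the HTTP-POST binding, the certificate string, and the Application ID) can also be extracted with a short script, which avoids picking the wrong binding or losing characters when copying. This is an added example, not HelloID or VMware code; the customer.example host and the certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: placeholder host and placeholder bytes, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://customer.example/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {SAMPLE_CERT_B64[:24]}
      {SAMPLE_CERT_B64[24:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://customer.example/SAAS/auth/federation/sso-redirect"/>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://customer.example/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the Login URL (HTTP-POST binding) and the certificate string."""
    root = ET.fromstring(xml_text)
    login_url = next((s.get("Location")
                      for s in root.iterfind(".//md:SingleSignOnService", NS)
                      if s.get("Binding") == POST_BINDING), None)
    if not login_url:
        raise ValueError("metadata has no HTTP-POST SingleSignOnService")
    cert = root.find(".//ds:X509Certificate", NS)  # first certificate in the file
    if cert is None or not (cert.text or "").strip():
        raise ValueError("metadata has no X509Certificate")
    cert_b64 = "".join(cert.text.split())  # drop line wrapping and indentation
    der = base64.b64decode(cert_b64, validate=True)  # rejects a damaged string
    return {"login_url": login_url, "certificate": cert_b64,
            "sha256": hashlib.sha256(der).hexdigest()}


def application_id(consumer_url):
    """Last part of the Consumer URL, after the final '/'."""
    app_id = consumer_url.rsplit("/", 1)[-1]
    if not app_id:
        raise ValueError("Consumer URL ends with '/'; no Application ID segment")
    return app_id
```

The sha256 value is the fingerprint of the decoded certificate bytes; computing it again from the string you pasted confirms nothing was lost in copying. If the metadata contains more than one certificate, check by hand which one signs responses, since the script takes the first.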