This article will help you configure VMWare Workspace ONE as your HelloID SAML Identity Provider. This is useful if your organization uses VMWare Workspace ONE as a primary method of authenticating access to online services.

Get the VMWare Workspace ONE Metadata

1. Log in to your VMWare Workspace ONE admin console and select Catalog > Web Apps.
   
2. Select Settings and go to SaaS Apps > SAML Metadata.
3. Select the Copy URL link for the Identity Provider (IdP) metadata. The URL resembles https://{customer}.vmwareidentity.co.uk/SAAS/API/1.0/GET/metadata/idp.xml.
   
   
4. Open the URL in your browser, and copy the certificate string inside the <ds:X509Certificate> element. Leave this tab open in your browser, as you will return to it later.
   

Configure the HelloID Identity Provider

1. Sign in into the HelloID Administrator Dashboard.
2. Import a new certificate for the connection with VMWare Workspace ONE. Use the previously copied string. Learn how to import a certificate.
3. Go to Security > Authentication > Identity Providers and select the Create Provider button.
   
4. Find the SAML - Generic IdP and select the Add button.
   
5. Enter a Name and turn on the Use Response Certificate toggle. Copy the Consumer URL to a notepad app on your computer, as you will need it shortly. View a complete configuration reference here.
   
6. Select the Configuration tab. Enter the following required information. You may configure other optional settings as desired.
   
   • Login URL: Enter the SingleSignOnService URL from the metadata file you left open in your browser. This URL is found in the line with the HTTP-POST binding. For example: <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://{customer}.vmwareidentity.co.uk/SAAS/auth/federation/sso"/>
   • Binding: Set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
   • Request Certificate: Select the certificate you previously created.
   • Response Certificate: Select the certificate you previously created.
     
     
7. Select the Save button to confirm the IdP configuration.

Configure the VMWare Workspace ONE SaaS App

1. In the VMWare Workspace ONE console, select the New button to create a new SaaS application.
2. Enter a name for the new SaaS app and select the Next button.
   
3. Enter the following information:
   
   • Authentication Type
     SAML 2.0
   • Configuration
     Manual
   • Single Sign-On URL
     The Consumer URL you previously copied.
   • Recipient URL
     The Consumer URL you previously copied.
   • Application ID
     The last part of the Consumer URL, after the final /.
   • Signed Response
     Enable
   • Name ID Format
     Email
     
4. Scroll down and select the Advanced Properties link.
   
   
5. Enter the following information:
   
   • Signature Algorithm
     SHA256 with RSA
   • Digest Algorithm
     SHA256
   • Assertion Time
     200
   • Request Signature
     Paste the same certificate string you previously used to create the certificate.
     
6. Select the Next button.
7. Select your preferred Access Policy. Select the Next button.
   
8. In the configuration overview, select the Save (or Save & Assign) button.
   
9. Users can now log in to HelloID via the new SAML connection, after being authenticated in VMWare Workspace ONE.