
SSO/SAML Setup: VMWare Workspace One as IDP

Note: DataGrail only supports connections with SAML v2.0.

Steps to set up VMWare Workspace One Access as an Identity Provider

A Workspace ONE Access administrator account is required to complete the following steps.

These steps are also described in the VMware Workspace ONE Access documentation.

The user setting up this application needs one of the following roles:

  • Super User
  • Custom administrator role with the following configuration:
    • Service: Catalog
    • Actions: Manage Web Applications, Manage App Sources, Manage Third-Party Apps, as applicable
    • Resources: All resources or specific resources, as applicable

To assign applications to users and groups, the role must include the Manage Entitlements action.

If these criteria are met, the user can open the Administration Console from their user dropdown.


They should be able to view Catalog > Web Apps


Prerequisites

  • Obtain the configuration information for the application. The required field values are given in the steps below.

  • Create an access policy if you do not want to use the default access policy. You can create access policies from the Identity & Access Management > Manage > Policies page.

  • Create categories if you want to group applications into categories. A predefined Recommended category is available. You can create categories from the Catalog > Web Apps page by clicking Categories and typing the category name in the text box.

  • Create user groups, if required. You can create groups from the Users & Groups > Groups tab.

Setting up the Connected Application

From the Administration Console (/SAAS/admin/app/), navigate to Catalog > Web Apps and click New.

  1. Definition
  • Name → Enter a unique name for the application, like DataGrail.
  • Description → (Optional) Enter a description of the application, such as “Privacy request management platform”.
  • Icon → (Optional) Upload an icon for the application. Icons in PNG, JPG, and ICON file formats, up to 4MB, are supported. The icon must be a minimum of 180 x 180 pixels. If the icon is too small, it does not display. In that case, the Workspace ONE icon is displayed.
  • Category → (Optional) To add the application to a category, select it from the drop-down menu. Categories must already be created. A predefined Recommended category is available. Select this category if you want the application to appear in the Recommended list of apps in the Workspace ONE Intelligent Hub app and portal.


  2. Configuration (Single Sign-On)

  • Authentication Type: SAML 2.0
  • Configuration: Manual
  • Single Sign-On URL (ACS URL): https://[yourdomainhere].datagrail.io/saml/auth
  • Recipient URL: https://[yourdomainhere].datagrail.io/saml/auth
  • Application ID (Entity ID): https://[yourdomainhere].datagrail.io/saml/metadata
  • Username Format: Email Address
  • Username Value (Name ID Value): ${user.email}
    • If the Workspace ONE userName is an email address, this value can also be mapped to ${user.userName}

Replace [yourdomainhere] with your DataGrail subdomain. Enter the ACS URL, Recipient URL and Entity ID exactly as shown (https scheme, no trailing slash): the IdP copies them into the Destination, Recipient and Audience fields of the SAML response, and a mismatch in any of them will cause the login to be rejected by the service provider.


Scroll down and click Advanced Properties:

  • Sign Response: true
  • Sign Assertion: true
  • Encrypt Assertion: false
  • Include Assertion Signature: false
  • Device SSO Response: false
  • Enable Force Authn Request: true
  • Signature Algorithm: SHA256
  • Digest Algorithm: SHA256
  • Assertion Time: 200 (seconds)
  • Application Login URL: https://[yourdomainhere].datagrail.io/saml/login

Signing both the Response and the Assertion with SHA-256 lets DataGrail verify that the whole message, not just the assertion, came from your IdP; do not select the SHA-1 algorithms.

Custom Attribute Mapping:

  Name       | Format      | Namespace | Value
  first_name | Unspecified |           | ${user.firstName}
  last_name  | Unspecified |           | ${user.lastName}
  email      | Unspecified |           | ${user.email}

Open in Workspace ONE: Yes, if desired

Show in User Portal: Yes


  3. Access Policies

Select the access policy that should govern who can reach the application (the default policy, or one you created under Identity & Access Management > Manage > Policies).

  4. Summary

Review that all fields are correct, then click Save & Assign.

  5. Assign Users and Groups

Assign the appropriate users and/or groups to the new DataGrail application. Assigned users will see the application in the User Portal. Click Save when done.

Create Groups here: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1909/UEM_ConsoleBasics/GUID-AWT-USERGROUPSOVERVIEW.html
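Once users are assigned and a login has been attempted, the SAML Response that the browser posts to the ACS URL can be inspected to confirm that the step 2 settings actually took effect. The following Python script is an added example, not DataGrail or VMware code: it runs a structural audit against a constructed sample response. The `acme` DataGrail subdomain, the sample's timestamps, IDs and attribute values are assumptions, and the script checks shape and values only; it does not verify the XML signatures cryptographically.

```python
"""Structural audit of a SAML Response against the step 2 settings on this page.
Added example (not DataGrail or VMware code). Checks shape and values only; it does
NOT verify XML signatures (use the IdP certificate and an XML-DSig library for that)."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_URL = "https://acme.datagrail.io/saml/auth"          # assumed DataGrail subdomain "acme"
ENTITY_ID = "https://acme.datagrail.io/saml/metadata"


def sig_xml(ref_id):
    """ds:Signature skeleton for the constructed sample; no real key material."""
    return (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>'
            f'<ds:Reference URI="#{ref_id}"><ds:DigestMethod Algorithm="{SHA256}"/>'
            f'<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            f'<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')


# Constructed sample response; the Issuer mirrors the Workspace ONE metadata URL form.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="2021-06-07T09:41:18Z" Destination="{ACS_URL}">
  <saml:Issuer>https://m377081178.workspaceoneaccess.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  {sig_xml('_r1')}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-06-07T09:41:18Z">
    <saml:Issuer>https://m377081178.workspaceoneaccess.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
    {sig_xml('_a1')}
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@acme.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2021-06-07T09:44:38Z"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-06-07T09:41:18Z" NotOnOrAfter="2021-06-07T09:44:38Z">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@acme.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))   # tolerates fractional seconds


def _sig_algos(node):
    """(SignatureMethod, DigestMethod) of the ds:Signature directly under node, or None."""
    sig = node.find("ds:Signature", NS)
    if sig is None:
        return None
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    return (sm.get("Algorithm") if sm is not None else None,
            dm.get("Algorithm") if dm is not None else None)


def audit_response(xml_text, acs_url=ACS_URL, entity_id=ENTITY_ID, assertion_time=200):
    """Return {check: bool}; each check corresponds to one setting in step 2."""
    resp = ET.fromstring(xml_text)
    c = {}
    r_sig = _sig_algos(resp)
    c["response_signed"] = r_sig is not None                                          # Sign Response: true
    c["response_sha256"] = r_sig == (RSA_SHA256, SHA256)                              # Signature/Digest Algorithm
    c["assertion_not_encrypted"] = resp.find("saml:EncryptedAssertion", NS) is None   # Encrypt Assertion: false
    c["destination_is_acs"] = resp.get("Destination") == acs_url                      # Single Sign-On URL
    a = resp.find("saml:Assertion", NS)
    c["assertion_present"] = a is not None
    if a is None:
        return c
    a_sig = _sig_algos(a)
    c["assertion_signed"] = a_sig is not None                                         # Sign Assertion: true
    c["assertion_sha256"] = a_sig == (RSA_SHA256, SHA256)
    nid = a.find("saml:Subject/saml:NameID", NS)
    c["nameid_email_format"] = nid is not None and nid.get("Format") == EMAIL_FORMAT  # Username Format
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    c["recipient_is_acs"] = scd is not None and scd.get("Recipient") == acs_url       # Recipient URL
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    c["audience_is_entity_id"] = aud is not None and aud.text == entity_id            # Application ID (Entity ID)
    cond = a.find("saml:Conditions", NS)
    try:                                                                              # Assertion Time: 200 s
        life = (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds()
        c["assertion_window_ok"] = 0 < life <= assertion_time
    except (AttributeError, TypeError, ValueError):
        c["assertion_window_ok"] = False
    names = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    c["custom_attributes_present"] = {"first_name", "last_name", "email"} <= names    # Custom Attribute Mapping
    return c


def failures(xml_text, **kw):
    """Names of failed checks; an empty list means the response matches this page."""
    return [k for k, ok in audit_response(xml_text, **kw).items() if not ok]


if __name__ == "__main__":
    print(failures(SAMPLE_RESPONSE) or "all checks passed")
```

To run it against a real login, take the Base64 SAMLResponse form field from the browser's network tools, decode it and pass the XML to failures() with your own ACS URL and Entity ID. Each name in a non-empty result points at the Workspace ONE setting to revisit.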

Information to Provide to DataGrail

DataGrail requires the IdP metadata URL to complete the SAML configuration. It is found under the Settings tab on Catalog > Web Apps.

On the left navigation panel, go to SaaS > SAML Metadata, find Identity Provider (IdP) metadata and click Copy URL.

An example looks like this: https://m377081178.workspaceoneaccess.com/SAAS/API/1.0/GET/metadata/idp.xml

Copy this URL and send it to DataGrail support at support@datagrail.io. The metadata contains the certificate DataGrail uses to verify your IdP's signatures, so if that certificate is later rotated in Workspace ONE Access, let DataGrail support know so the configuration can be updated.
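Before sending the URL, it is worth confirming that the document behind it is what a SAML service provider expects: an md:EntityDescriptor with an IdP role that advertises SAML 2.0, an HTTPS SingleSignOnService with the HTTP-POST binding, and at least one signing certificate. The script below is an added example, not DataGrail or VMware code. It parses a constructed sample idp.xml modelled on the URL form shown above; the sample's SSO endpoint path and its certificate blob are placeholders, and the tenant id is the one from the example URL.

```python
"""Pre-flight check of the Workspace ONE Access IdP metadata before handing the
URL to DataGrail. Added example (not DataGrail or VMware code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.request import urlopen

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample in the shape of an idp.xml; the certificate is a placeholder
# blob (not a real X.509 certificate) and the SSO endpoint path is assumed.
PLACEHOLDER_CERT = base64.b64encode(b"not-a-real-der-certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://m377081178.workspaceoneaccess.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="{SAML2}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://m377081178.workspaceoneaccess.com/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://m377081178.workspaceoneaccess.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fetch_metadata(url, timeout=10):
    """Download the metadata behind the Copy URL value (network; not used by the sample run)."""
    with urlopen(url, timeout=timeout) as r:
        return r.read().decode("utf-8")


def summarize_idp_metadata(xml_text):
    """Extract the fields a service provider consumes and fingerprint the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata (expected md:EntityDescriptor/md:IDPSSODescriptor)")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":      # a missing 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))   # strip PEM-style line wrapping
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso.get(HTTP_POST),
        "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_sha256": fingerprints,
        "saml2": SAML2 in (idp.get("protocolSupportEnumeration") or "").split(),
    }


def problems(summary):
    """Reasons the metadata is not ready to hand to DataGrail; empty list means it looks fine."""
    out = []
    if not (summary["entity_id"] or "").startswith("https://"):
        out.append("entityID missing or not https")
    if not (summary["sso_post_url"] or "").startswith("https://"):
        out.append("no HTTPS SingleSignOnService with the HTTP-POST binding")
    if not summary["signing_cert_sha256"]:
        out.append("no signing certificate: signed responses could not be verified")
    if not summary["saml2"]:
        out.append("IdP does not advertise the SAML 2.0 protocol")
    return out


if __name__ == "__main__":
    import sys
    # Pass the Copy URL value as an argument to check your tenant; no argument runs the sample.
    xml_text = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    summary = summarize_idp_metadata(xml_text)
    print(summary)
    print(problems(summary) or "metadata looks ready to send to DataGrail")
```

Keep the printed certificate fingerprint with your change records: it is the easiest way to tell later whether the Workspace ONE signing certificate has been rotated and the metadata needs to be re-sent.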

Email Domains

DataGrail checks that each user's email address matches the customer domain configured in DataGrail. If your users sign in with additional email domains, inform your DataGrail contact so they can be added.

Disclaimer: The information contained in this message does not constitute legal advice. We advise seeking professional counsel before acting on or interpreting any material.