---
myst:
  html_meta:
    "description lang=en": "VMware Workspace ONE SAML setup guide for Workspaces authentication."
    "keywords": "Kasm, Google, Workspace, SAML"
    "property=og:locale": "en_US"
---
```{title} VMware Workspace ONE SAML Setup
```
## VMware Workspace ONE SAML Setup
### Create a new SAML configuration in Kasm
1. Log into the Kasm UI as an administrator.
2. Select **Authentication** -> **SAML** -> **Create New Configuration**.
3. The **SAML 2.0 Configuration** page will auto-generate the **Entity ID**, **Single Sign On Service**, **Single Logout Service**, and **Relay State** values.
4. Check **Enable** and enter a **Display Name** (e.g. Workspace One).
5. Update the following settings:
```{eval-rst}
.. table::
    :align: center

    +--------------------------+--------------+
    | **Setting**              | **Value**    |
    +--------------------------+--------------+
    | Group Member Attribute   | groupNames   |
    +--------------------------+--------------+
    | NameID Attribute         | emailAddress |
    +--------------------------+--------------+
    | Want Attribute Statement | Unchecked    |
    +--------------------------+--------------+
    | Want Message Signed      | Checked      |
    +--------------------------+--------------+
    | Want Name ID             | Checked      |
    +--------------------------+--------------+
```
6. Leave this page open and continue to the next steps.
### Add a new SaaS Application
1. Open the **Workspace One Access** Admin Console and select the **Catalog** tab, then select **New**.
```{figure} /images/saml/workspaceone/access.png
:align: center
:width: 70%
**Workspace One Access Portal**
```
2. In the **New SaaS Application** dialog, enter a **Name** (e.g. Kasm) and optionally a **Description** and **Icon**. Select **Next**.
```{figure} /images/saml/workspaceone/definition.png
:align: center
:width: 90%
**New SaaS Application Definition**
```
3. Select **SAML 2.0** as the **Authentication Type** and select **Manual** for the **Configuration**.
```{figure} /images/saml/workspaceone/auth_type.png
:align: center
:width: 30%
**Authentication Type**
```
4. Copy the following values from the Kasm SAML configuration started in the previous section into the **New SaaS Application** form.
```{eval-rst}
.. table::
    :align: center

    +---------------------------------+------------------------+
    | **Workspace One Property Name** | **Kasm Property Name** |
    +---------------------------------+------------------------+
    | Single Sign-On URL              | Single Sign On Service |
    +---------------------------------+------------------------+
    | Recipient URL                   | Single Sign On Service |
    +---------------------------------+------------------------+
    | Application ID                  | Entity ID              |
    +---------------------------------+------------------------+
    | Relay State URL                 | Relay State            |
    +---------------------------------+------------------------+
```
```{figure} /images/saml/workspaceone/saml_urls.png
:align: center
:width: 70%
**SAML URL Configuration**
```
5. Select **Email Address** as the **Username Format**.
```{figure} /images/saml/workspaceone/username_format.png
:align: center
:width: 70%
**Username Format**
```
6. Click **Advanced Properties**. Scroll down to the **Custom Attribute Mapping** section. Add an entry with the following information, then click **Next**.
```{eval-rst}
.. table::
    :align: center

    +---------------+---------------+
    | **Attribute** | **Value**     |
    +---------------+---------------+
    | Name          | groupNames    |
    +---------------+---------------+
    | Format        | Basic         |
    +---------------+---------------+
    | Namespace     |               |
    +---------------+---------------+
    | Value         | ${groupNames} |
    +---------------+---------------+
```
```{figure} /images/saml/workspaceone/group_names.png
:align: center
:width: 70%
**Group Names**
```
7. Select a desired **Access Policy**. In this example we will use the **default_access_policy_set**. Select **Next**.
```{figure} /images/saml/workspaceone/access_policy.png
:align: center
:width: 70%
**Access Policies**
```
8. Review the configuration then select **Save & Assign**.
```{figure} /images/saml/workspaceone/review.png
:align: center
:width: 70%
**Review Configuration**
```
9. In the **Assign** dialog, type in the desired user or group. In this example the **ALL USERS** group is used. Select **Save**.
```{figure} /images/saml/workspaceone/assign.png
:align: center
:width: 70%
**Assign Users/Groups**
```
10. From the **Catalog** tab of the **Workspace ONE Access** panel, select **Settings**.
```{figure} /images/saml/workspaceone/settings.png
:align: center
:width: 70%
**Settings**
```
11. Select **SAML Metadata**. Copy the contents of the **Signing Certificate** into the **X509 Certificate** field under **Identity Provider** in the Kasm SAML configuration started in the prior section.
```{figure} /images/saml/workspaceone/signing_cert.png
:align: center
:width: 70%
**Signing Certificate**
```
```{figure} /images/saml/workspaceone/x509.png
:align: center
:width: 70%
**Configuring Signing Certificate**
```
12. Back in the **Settings** dialog, click **Identity Provider (IdP) metadata**.
```{figure} /images/saml/workspaceone/signing_cert.png
:align: center
:width: 70%
```
13. An XML metadata file will be shown. Copy the highlighted sections into the **Identity Provider** fields in the Kasm SAML configuration started in the prior section. Once complete, click **Submit**.
```{eval-rst}
.. table::
    :align: center

    +---------------------------------+------------------------------------------+
    | **Workspace One Property Name** | **Kasm Property Name**                   |
    +---------------------------------+------------------------------------------+
    | entityID                        | Entity ID                                |
    +---------------------------------+------------------------------------------+
    | SingleSignOnService             | Single Sign On Service/SAML 2.0 Endpoint |
    +---------------------------------+------------------------------------------+
    | SingleLogoutService             | Single Logout Service/SLO Endpoint       |
    +---------------------------------+------------------------------------------+
```
```{figure} /images/saml/workspaceone/metadata.png
:align: center
:width: 70%
```
```{figure} /images/saml/workspaceone/identity_provider.png
:align: center
:width: 70%
```
## Testing Access
1. Log out of the Kasm UI if already logged in.
2. Navigate to the Kasm UI login page.
```{figure} /images/saml/workspaceone/kasm_login.png
:align: center
:width: 70%
**Kasm Login**
```
3. Click **Workspace One** to initiate the SAML SSO process.
```{figure} /images/saml/workspaceone/vmware_login.png
:align: center
:width: 70%
**VMware Login**
```
4. After logging in, you should be redirected to the Kasm UI Dashboard.
5. From another browser, log in to Workspace ONE Access. **Kasm** should be displayed as an App. You may click the link to automatically open and log in to Kasm.
```{figure} /images/saml/workspaceone/workspace_one_access.png
:align: center
:width: 50%
```
### Group Mappings
In the prior steps, Workspace One was configured to pass along the group names the user is a member of in the SAML assertion.
This can be used to automatically map users into Groups within the Kasm application.
The following assumes a group named **Accounting** has been created in Workspace ONE.
1. Log into the Kasm UI as an administrator.
2. Select **Groups**, then select **Create New Group**.
3. Give the Group a **Name** (it does not need to match the Workspace ONE Group Name) and a **Priority**.
4. Click **Submit** to create the new group.
```{figure} /images/saml/workspaceone/create_group.png
:align: center
:width: 50%

**Create Group**
```
5. Select **Groups**, then using the three dot menu click **View** next to the group just created.
6. Scroll to the bottom of the screen and select **Add SSO Mapping**.
7. Select the SAML IdP that was created above (e.g. "SAML - Workspace One") for the **SSO Provider**.
8. Enter the Workspace ONE Group Name in the **Group Attributes** field. Click **Add**.
```{figure} /images/saml/workspaceone/saml_groups.png
:align: center
:width: 50%

**Add SSO Group Mapping**
```
The next time a user in the **Accounting** group logs in, they will automatically become a member of this Kasm Group.
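When a group mapping does not take effect, it helps to see what the IdP actually sent. The following added example (not Kasm's own code) decodes a base64 `SAMLResponse` value, such as one copied from the browser's developer tools during a test login, and lists the NameID and the `groupNames` values so they can be compared with the **Group Attributes** entered in Kasm. The sample response, user and the helper names are constructed, and exact string matching between the attribute value and the mapping is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed response for illustration: unsigned, placeholder user and groups.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groupNames">
        <saml:AttributeValue>ALL USERS</saml:AttributeValue>
        <saml:AttributeValue>Accounting</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def assertion_identity(saml_response_b64, group_attr="groupNames"):
    """Decode a POST-binding SAMLResponse and return (NameID, format, groups).

    Troubleshooting aid only: it does not verify the signature, so never use
    its output for an access decision. Kasm performs the real validation.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("no NameID, which 'Want Name ID' requires")
    groups = [v.text.strip()
              for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == group_attr
              for v in a.iterfind("saml:AttributeValue", NS) if v.text]
    return name_id.text.strip(), name_id.get("Format"), groups


def unmatched_mappings(groups, kasm_group_attributes):
    """Kasm SSO mapping values the assertion did not carry (exact match assumed)."""
    return [g for g in kasm_group_attributes if g not in groups]
```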