.. title:: VMware Workspace ONE SAML Setup

VMware Workspace ONE SAML Setup
===============================

Create a new SAML configuration in Kasm
---------------------------------------

1. Log into the Kasm UI as an administrator.
2. Select **Authentication** -> **SAML** -> **Create New Configuration**.
3. The **SAML 2.0 Configuration** page will auto-generate the **Entity ID**, **Single Sign On Service**, **Single Logout Server**, and **Relay State** values.
4. Check **Enable** and enter a **Display Name**, e.g. Workspace One.
5. Update the following settings:

   .. table::
      :align: center

      +-----------------------------+--------------------------------------------+
      | **Setting**                 | **Value**                                  |
      +-----------------------------+--------------------------------------------+
      | Group Member Attribute      | groupNames                                 |
      +-----------------------------+--------------------------------------------+
      | NameID Attribute            | emailAddress                               |
      +-----------------------------+--------------------------------------------+
      | Want Attribute Statement    | Unchecked                                  |
      +-----------------------------+--------------------------------------------+
      | Want Message Signed         | Checked                                    |
      +-----------------------------+--------------------------------------------+
      | Want Name ID                | Checked                                    |
      +-----------------------------+--------------------------------------------+

6. Leave this page open and continue to the next steps.

Add a new SaaS Application
--------------------------

1. Open the **Workspace One Access** Admin Console and select the **Catalog** tab, then select **New**.

   .. figure:: /images/saml/workspaceone/access.png
      :width: 70%
      :align: center

      **Workspace One Access Portal**

2. In the **New SaaS Application** dialogue, enter a **Name** (e.g. Kasm) and optionally a **Description** and **Icon**. Select **Next**.

   .. figure:: /images/saml/workspaceone/definition.png
      :width: 90%
      :align: center

      **New SaaS Application Definition**

3. Select **SAML 2.0** as the **Authentication Type** and select **Manual** for the **Configuration**.

   .. figure:: /images/saml/workspaceone/auth_type.png
      :width: 30%
      :align: center

      **Authentication Type**

4. Copy the following values from the Kasm SAML Configuration started in the previous section into the **New SaaS Application** form.

   .. table::
      :align: center

      +----------------------------------+------------------------------------+
      | **Workspace One Property Name**  | **Kasm Property Name**             |
      +----------------------------------+------------------------------------+
      | Single Sign-On URL               | Single Sign On Service             |
      +----------------------------------+------------------------------------+
      | Recipient URL                    | Single Sign On Service             |
      +----------------------------------+------------------------------------+
      | Application ID                   | Entity ID                          |
      +----------------------------------+------------------------------------+
      | Relay State URL                  | Relay State                        |
      +----------------------------------+------------------------------------+

   .. figure:: /images/saml/workspaceone/saml_urls.png
      :width: 70%
      :align: center

      **SAML URL Configuration**

5. Select **Email Address** as the **Username Format**.

   .. figure:: /images/saml/workspaceone/username_format.png
      :width: 70%
      :align: center

      **Username Format**

6. Click **Advanced Properties**. Scroll down to the **Custom Attribute Mapping** section. Add an entry with the following information, then click **Next**.

   .. table::
      :align: center

      +----------------------------------+------------------------------------+
      | **Attribute**                    | **Value**                          |
      +----------------------------------+------------------------------------+
      | Name                             | groupNames                         |
      +----------------------------------+------------------------------------+
      | Format                           | Basic                              |
      +----------------------------------+------------------------------------+
      | Namespace                        |                                    |
      +----------------------------------+------------------------------------+
      | Value                            | ${groupNames}                      |
      +----------------------------------+------------------------------------+

   .. figure:: /images/saml/workspaceone/group_names.png
      :width: 70%
      :align: center

      **Group Names**

7. Select a desired **Access Policy**. In this example we will use the **default_access_policy_set**. Select **Next**.

   .. figure:: /images/saml/workspaceone/access_policy.png
      :width: 70%
      :align: center

      **Access Policies**

8. Review the configuration, then select **Save & Assign**.

   .. figure:: /images/saml/workspaceone/review.png
      :width: 70%
      :align: center

      **Review Configuration**

9. In the **Assign** dialogue, type in the desired user or group. In this example the **ALL USERS** group is used. Select **Save**.

   .. figure:: /images/saml/workspaceone/assign.png
      :width: 70%
      :align: center

      **Assign Users/Groups**

10. From the **Catalog** tab of the **Workspace ONE Access** panel, select **Settings**.

    .. figure:: /images/saml/workspaceone/settings.png
       :width: 70%
       :align: center

       **Settings**

11. Select **SAML Metadata**. Copy the contents of the **Signing Certificate** into the **X509 Certificate** field under **Identity Provider** in the Kasm SAML Configuration started in the prior section.

    .. figure:: /images/saml/workspaceone/signing_cert.png
       :width: 70%
       :align: center

       **Signing Certificate**

    .. figure:: /images/saml/workspaceone/x509.png
       :width: 70%
       :align: center

       **Configuring Signing Certificate**

12. Back in the **Settings** dialogue, click **Identity Provider (IdP) metadata**.

    .. figure:: /images/saml/workspaceone/signing_cert.png
       :width: 70%
       :align: center

13. An XML metadata file will be shown. Copy the highlighted sections into the **Identity Provider** fields in the Kasm SAML Configuration started in the prior section. Once complete, click **Submit**.

    .. table::
       :align: center

       +----------------------------------+--------------------------------------------+
       | **Workspace One Property Name**  | **Kasm Property Name**                     |
       +----------------------------------+--------------------------------------------+
       | entityID                         | Entity ID                                  |
       +----------------------------------+--------------------------------------------+
       | SingleSignOnService              | Single Sign On Service/SAML 2.0 Endpoint   |
       +----------------------------------+--------------------------------------------+
       | SingleLogoutService              | Single Logout Service/SLO Endpoint         |
       +----------------------------------+--------------------------------------------+

    .. figure:: /images/saml/workspaceone/metadata.png
       :width: 70%
       :align: center

    .. figure:: /images/saml/workspaceone/identity_provider.png
       :width: 70%
       :align: center

Testing Access
--------------

1. Log out of the Kasm UI if already logged in.
2. Navigate to the Kasm UI login page.

   .. figure:: /images/saml/workspaceone/kasm_login.png
      :width: 70%
      :align: center

      **Kasm Login**

3. Click **Workspace One** to initiate the SAML SSO process.

   .. figure:: /images/saml/workspaceone/vmware_login.png
      :width: 70%
      :align: center

      **VMware Login**

4. After logging in, you should be redirected to the Kasm UI Dashboard.
5. From another browser, log in to Workspace ONE Access. **Kasm** should be displayed as an App. You may click the link to automatically open and log in to Kasm.

   .. figure:: /images/saml/workspaceone/workspace_one_access.png
      :width: 50%
      :align: center

Group Mappings
--------------

In the prior steps, Workspace One was configured to pass along the group names the user is a member of in the SAML assertion. This can be used to automatically map users into Groups within the Kasm application. The following assumes a group named **Accounting** has been created in Workspace ONE.

1. Log into the Kasm UI as an administrator.
2. Select **Groups**, then select **Create New Group**.
3. Give the Group a **Name** (it does not need to match the Workspace ONE Group Name) and a **Priority**.
4. Click **Submit** to create the new group.

   .. figure:: /images/saml/workspaceone/create_group.png
      :width: 50%
      :align: center

      **Create Group**

5. Select **Groups**, then using the three dot menu click **View** next to the group just created.
6. Scroll to the bottom of the screen and select **Add SSO Mapping**.
7. Select the SAML IdP that was created above, e.g. "SAML - Workspace One", for the **SSO Provider**.
8. Enter the Workspace ONE Group Name in the **Group Attributes** field. Click **Add**.

   .. figure:: /images/saml/workspaceone/saml_groups.png
      :width: 50%
      :align: center

      **Add SSO Group Mapping**

The next time a user of the **Accounting** group logs in, they will automatically become a member of this Kasm Group.
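The two settings that make this group mapping work are the **NameID Attribute** (``emailAddress``) and the **Group Member Attribute** (``groupNames``) configured in the first section, together with the custom attribute mapping added in Workspace ONE. The following added Python example (not Kasm or VMware code) parses a constructed SAML response, checks that it carries an ``emailAddress``-format NameID and a multi-valued ``groupNames`` attribute, and then applies a hypothetical group mapping table in the same way the **Add SSO Mapping** step does: each Workspace ONE group name listed under **Group Attributes** resolves to a local group, and unmapped names such as ``ALL USERS`` are ignored. The issuer URL, user and group names in the sample response are placeholders, and the response is unsigned because this example inspects attribute content only; signature validation (**Want Message Signed**) is performed by the service provider.

```python
"""Inspect a SAML 2.0 assertion for what the Kasm settings above require:
a NameID in emailAddress format and a multi-valued ``groupNames`` attribute,
then resolve those group names through an SSO-mapping table.

Added example; the response below is constructed, not captured from
Workspace ONE, and the mapping table is hypothetical.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response: placeholder issuer, user and group names,
# no Signature element (this example checks attribute content only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://idp.example.test/SAAS/auth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groupNames" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Accounting</saml:AttributeValue>
        <saml:AttributeValue>ALL USERS</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical equivalent of the "Add SSO Mapping" step: the Workspace ONE
# group name entered under Group Attributes -> the local (Kasm) group name.
GROUP_MAPPINGS = {"Accounting": "Finance Users"}


def parse_assertion(xml_text):
    """Return (name_id, attributes) where attributes maps Name -> list of values.

    Raises ValueError when the assertion lacks what the settings above require.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")

    # "Want Name ID" is checked, so a non-empty NameID is mandatory.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    # "NameID Attribute" is emailAddress, so insist on that format.
    if name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID format is not emailAddress: %r" % name_id.get("Format"))

    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes[attr.get("Name")] = values
    return name_id.text.strip(), attributes


def resolve_groups(attributes, mappings, member_attr="groupNames"):
    """Translate IdP group names into local group names via the mapping table.

    Group names with no mapping (e.g. ALL USERS) are ignored; a missing
    member attribute simply yields no local groups.
    """
    groups = attributes.get(member_attr, [])
    return sorted({mappings[g] for g in groups if g in mappings})


def evaluate(xml_text, mappings=GROUP_MAPPINGS):
    """Full pass: who is logging in and which local groups they land in."""
    user, attributes = parse_assertion(xml_text)
    return {"user": user, "groups": resolve_groups(attributes, mappings)}


if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE))
```

Running the block prints the resolved user and local group list for the sample response. Pointing ``evaluate`` at a real assertion (for instance one captured from a browser SAML tracer during the Testing Access steps) is a quick way to confirm that ``groupNames`` is actually being sent before debugging the Kasm side of the mapping.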