VMware Workspace ONE SAML Setup

Create a new SAML configuration in Kasm

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> SAML -> Add Configuration

  3. The SAML 2.0 Configuration page will auto-generate the Entity ID, Single Sign On Service, Single Logout Service, and Relay State values.

  4. Check Enable and enter a Display Name, e.g. Workspace One.

  5. Update the following settings:

| Setting | Value |
| --- | --- |
| Group Member Attribute | groupNames |
| NameID Attribute | emailAddress |
| Want Attribute Statement | Unchecked |
| Want Message Signed | Checked |
| Want Name ID | Checked |

  6. Leave this page open and continue to the next steps.

Add a new SaaS Application

  1. Open the Workspace One Access Admin Console and select the Catalog tab, then select New.

Figure: Workspace One Access Portal

  2. In the New SaaS Application dialogue, enter a Name (e.g. Kasm) and optionally a Description and Icon. Select Next.

Figure: New SaaS Application Definition

  3. Select SAML 2.0 as the Authentication Type and select Manual for the Configuration.

Figure: Authentication Type

  4. Copy the following values from the Kasm SAML configuration started in the previous section into the New SaaS Application form.

| Workspace One Property Name | Kasm Property Name |
| --- | --- |
| Single Sign-On URL | Single Sign On Service |
| Recipient URL | Single Sign On Service |
| Application ID | Entity ID |
| Relay State URL | Relay State |

Figure: SAML URL Configuration

  5. Select Email Address as the Username Format.

Figure: Username Format

  6. Click Advanced Properties. Scroll down to the Custom Attribute Mapping section. Add an entry with the following information, then click Next.

| Attribute | Value |
| --- | --- |
| Name | groupNames |
| Format | Basic |
| Namespace | <blank> |
| Value | ${groupNames} |

Figure: Group Names

  7. Select a desired Access Policy. In this example we will use the default_access_policy_set. Select Next.

Figure: Access Policies

  8. Review the configuration, then select Save & Assign.

Figure: Review Configuration

  9. In the Assign dialogue, type in the desired user or group. In this example the ALL USERS group is used. Select Save.

Figure: Assign Users/Groups

  10. From the Catalog tab of the Workspace ONE Access panel, select Settings.

Figure: Settings

  11. Select SAML Metadata. Copy the contents of the Signing Certificate into the X509 Certificate field under Identity Provider in the Kasm SAML configuration started in the prior section.

Figure: Signing Certificate

Figure: Configuring Signing Certificate

  12. Back in the Settings dialogue, click Identity Provider (IdP) metadata.

Figure: Certificate

  13. An XML metadata file will be shown. Copy the highlighted sections into the Identity Provider fields in the Kasm SAML configuration started in the prior section. Once complete, click Submit.

| Workspace One Property Name | Kasm Property Name |
| --- | --- |
| entityID | Entity ID |
| SingleSignOnService | Single Sign On Service/SAML 2.0 Endpoint |
| SingleLogoutService | Single Logout Service/SLO Endpoint |

Figure: Metadata

Figure: SAML Configuration

Testing Access

  1. Log out of the Kasm UI if already logged in.

  2. Navigate to the Kasm UI login page.

Figure: Kasm Login

  3. Click Workspace One to initiate the SAML SSO process.

Figure: VMware Login

  4. After logging in, you should be redirected to the Kasm UI Dashboard.

  5. From another browser, log in to Workspace ONE Access. Kasm should be displayed as an App. You may click the link to automatically open and log in to Kasm.

Figure: Workspace One Access

Group Mappings

In the prior steps, Workspace One was configured to pass along the group names the user is a member of in the SAML assertion. This can be used to automatically map users into Groups within the Kasm application.

The following assumes a group named Accounting has been created in Workspace ONE.

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Groups, then select Create New Group.

  3. Give the Group a Name (it does not need to match the Workspace ONE Group Name) and a Priority.

  4. Click Save to create the new group.

Figure: Create Group

  5. Select Access Management -> Groups, then using the arrow menu click Edit next to the group just created.

  6. Navigate to the SSO Group Mappings tab and select Add SSO Mapping.

  7. Select the SAML IDP that was created above, e.g. “SAML - Workspace One”, for the SSO Provider.

  8. Enter the Workspace ONE Group Name in the Group Attributes field. Click Submit.

Figure: Add SSO Group Mapping

The next time a user of the Accounting group logs in they will automatically become a member of this Kasm Group.
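
When a user does not land in the expected Kasm group, inspecting a decoded assertion shows whether the groupNames attribute and emailAddress NameID configured above were actually sent. The following is an added example, not code from Kasm or VMware: the assertion fragment and the user alice@example.com are constructed, the function name is hypothetical, and the exact, case-sensitive group comparison is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed assertion fragment (signature and conditions omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groupNames"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>ALL USERS</saml:AttributeValue>
      <saml:AttributeValue>Accounting</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_group_mapping(assertion_xml, expected_group, group_attr="groupNames"):
    """Return (name_id, groups, problems) for one decoded assertion."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID (the Kasm config has Want Name ID checked)")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    # Collect every value of the group attribute, wherever the statement sits.
    groups = [v.text.strip()
              for a in root.iter("{%s}Attribute" % NS["saml"])
              if a.get("Name") == group_attr
              for v in a.findall("saml:AttributeValue", NS) if v.text]
    if not groups:
        problems.append(f"no {group_attr} attribute: check Custom Attribute Mapping")
    elif expected_group not in groups:  # assumption: exact, case-sensitive match
        problems.append(f"{expected_group!r} not in {group_attr}: {groups}")
    return (name_id.text if name_id is not None else None), groups, problems
```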