Configure Workspace ONE Access for Omni

How to configure VMware Workspace ONE Access for Omni using SAML.

Workspace ONE Access

This section describes how to create a Web App inside Workspace ONE Access (WSOA).

First, log in to the WSOA user interface and browse to Resources -> Web Apps -> New.

Next, enter values for the following options before clicking on Next.

| Option      | Value       | Description                              |
|-------------|-------------|------------------------------------------|
| Name        | Omni        | A descriptive name for the Web App       |
| Description | Sidero Omni | A description for the Web App            |
| Icon        | Image       | An icon to be displayed on the dashboard |

On the Single Sign-On page, enter the following values:

| Option              | Value                               | Description                                          |
|---------------------|-------------------------------------|------------------------------------------------------|
| Authentication Type | SAML 2.0                            | The authentication type. Options are SAML or OIDC    |
| Configuration       | Manual                              | We will use manual to specify the fields             |
| Single Sign-On URL  | https://{omni-host}/saml/acs        | The SSO URL for Omni                                 |
| Recipient URL       | https://{omni-host}/saml/acs        | The Recipient URL for Omni                           |
| Application ID      | https://{omni-host}/saml/metadata   | The Omni metadata URL                                |
| Username format     | Unspecified                         | The username format is unspecified                   |
| Username value      | ${user.userName}                    | The username sent in the SAML assertion              |
| Relay State URL     | Blank                               | Leave this empty                                     |

Still on the Single Sign-On page, in the Advanced Properties section, set the following toggle buttons:

| Option                      | Value             | Description                       |
|-----------------------------|-------------------|-----------------------------------|
| Sign Response               | False             | Sign the SAML response.           |
| Sign Assertion              | True              | Sign the SAML assertion.          |
| Encrypt Assertion           | False             | Encrypt the SAML assertion.       |
| Include Assertion Signature | False             | Include the assertion signature.  |
| Device SSO Response         | False             | Enable Device SSO response.       |
| Enable Force Authn Request  | False             | Enable Force Authn Request.       |
| Signature Algorithm         | SHA-256 with RSA  | The signature algorithm.          |
| Digest Algorithm            | SHA-256           | The digest algorithm.             |
| Assertion Lifetime          | 200               | The assertion lifetime.           |

At the bottom of the Single Sign-On page, in the Custom Attribute Mapping section, add the following attributes:

| Name      | Format      | Namespace | Value             | Description              |
|-----------|-------------|-----------|-------------------|--------------------------|
| email     | Unspecified |           | ${user.email}     | The user’s email address |
| firstName | Unspecified |           | ${user.firstName} | The user’s first name    |
| lastName  | Unspecified |           | ${user.lastName}  | The user’s last name     |
| groups    | Unspecified |           | ${groupNames}     | The user’s groups        |

Click Next to continue and select the access policy as required by your organization.

Now click the Save & Assign button and permit the Users and Groups allowed to log in to Omni.

On the Assign screen, enter the following:

  • Select the permitted group from your backing Active Directory or LDAP server.
  • Set the Deployment Type to Automatic.

Finally, obtain the IdP Metadata URL by clicking on Settings and then the Copy URL link.

Omni

Provide the following flags to the Omni container on launch.

| Flag                                           | Description                                                                                                            |
|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
| --auth-saml-enabled                            | Enable SAML authentication.                                                                                            |
| --auth-saml-url                                | The URL to the IdP metadata file.                                                                                      |
| --auth-saml-label-rules='{"groups": "groups"}' | This extracts the groups attribute from the SAML assertion into the label saml.omni.sidero.dev/groups/<value>          |

For example:

--auth-saml-enabled=true
--auth-saml-url=https://{workspace-one-host}/SAAS/API/1.0/GET/metadata/idp.xml
--auth-saml-label-rules='{"groups": "groups"}'

Now that you have started Omni with the correct flags, refer to the Auto-assign roles to SAML users guide for information on how to automatically assign roles to users based on their SAML attributes.

Note that when using groups, the group name is prefixed with saml.omni.sidero.dev/groups/ instead of role. For example:

metadata:
  namespace: default
  type: SAMLLabelRules.omni.sidero.dev
  id: assign-admin-to-platform-admins-label
spec:
  assignroleonregistration: Operator
  matchlabels:
    - saml.omni.sidero.dev/groups/omni-platform-administrators
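The following added example (not Omni's or Workspace ONE Access's own code) walks through the two pieces above end to end: it pulls the custom attributes (email, firstName, lastName, groups) out of a constructed SAML assertion, applies the `--auth-saml-label-rules='{"groups": "groups"}'` mapping to turn each group value into a `saml.omni.sidero.dev/groups/<value>` label, and then checks those labels against the SAMLLabelRules spec shown above. The sample assertion, the attribute values and the rule-matching semantics (every entry in matchlabels must be present) are assumptions made for illustration. Signature verification of the assertion is deliberately left out; a real service provider validates the assertion signature before trusting any of these attributes.

```python
"""Illustrative model of how SAML attributes become Omni-style labels and
how a SAMLLabelRules spec is evaluated against them.  Added example only;
not Omni's or Workspace ONE Access's code.  Assertion signature checking
is intentionally omitted: the SP must verify the signature before any
attribute below is trusted."""
import json
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LABEL_PREFIX = "saml.omni.sidero.dev/"

# Constructed sample: the shape WSOA produces with the custom attribute
# mapping from this page.  All values here are made up for the example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>omni-platform-administrators</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The SAMLLabelRules spec from this page, as a Python structure.
EXAMPLE_RULES = [
    {
        "id": "assign-admin-to-platform-admins-label",
        "assignroleonregistration": "Operator",
        "matchlabels": ["saml.omni.sidero.dev/groups/omni-platform-administrators"],
    }
]


def extract_attributes(assertion_xml):
    """Return {attribute name: [values...]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def apply_label_rules(attrs, rules_json):
    """rules_json is the value given to --auth-saml-label-rules, e.g.
    '{"groups": "groups"}'.  Each key names a SAML attribute; each value is the
    label key placed under saml.omni.sidero.dev/.  Every attribute value becomes
    one label: saml.omni.sidero.dev/<label key>/<value>."""
    rules = json.loads(rules_json)
    labels = set()
    for attr_name, label_key in rules.items():
        for value in attrs.get(attr_name, []):
            labels.add(f"{LABEL_PREFIX}{label_key}/{value}")
    return labels


def role_for_labels(labels, rule_specs):
    """Return the role of the first rule whose matchlabels are all present
    (all-must-match semantics is an assumption for this illustration), or
    None when no rule applies."""
    for spec in rule_specs:
        if all(m in labels for m in spec["matchlabels"]):
            return spec["assignroleonregistration"]
    return None


def registration_role(assertion_xml, rules_json='{"groups": "groups"}', rule_specs=EXAMPLE_RULES):
    """End-to-end: assertion -> attributes -> labels -> assigned role."""
    attrs = extract_attributes(assertion_xml)
    labels = apply_label_rules(attrs, rules_json)
    return role_for_labels(labels, rule_specs)


if __name__ == "__main__":
    print(sorted(apply_label_rules(extract_attributes(SAMPLE_ASSERTION), '{"groups": "groups"}')))
    print(registration_role(SAMPLE_ASSERTION))
```

Run the file directly to see the labels derived from the sample assertion and the role the example rule assigns. Changing the group values in the constructed assertion, or the key in the rules JSON, shows how the label names that matchlabels must reference change with the configuration.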