Configure Workspace ONE Access for Omni
How to configure VMware Workspace ONE Access for Omni using SAML.
Workspace ONE Access
This section describes how to create a Web App inside Workspace ONE Access (WSOA).
First, log in to the WSOA user interface and browse to Resources -> Web Apps -> New.
Next, enter values for the following options before clicking on Next.
Option | Value | Description |
---|---|---|
Name | Omni | A descriptive name for the Web App |
Description | Sidero Omni | A description for the Web App |
Icon | Image | An icon to be displayed on the dashboard |
On the Single Sign-On page, enter the following values:
Option | Value | Description |
---|---|---|
Authentication Type | SAML 2.0 | The Authentication type. Options are SAML or OIDC |
Configuration | Manual | We will use manual to specify the fields |
Single Sign-On URL | | The SSO URL for Omni |
Recipient URL | | The Recipient URL for Omni |
Application ID | | The Omni metadata URL |
Username format | Unspecified | The username format is unspecified |
Username value | | The username sent in the SAML assertion |
Relay State URL | Blank | Leave this empty |
Still on the Single Sign-On page, in the Advanced Properties section, set the following toggle buttons:
Option | Value | Description |
---|---|---|
Sign Response | False | Sign the SAML response. |
Sign Assertion | True | Sign the SAML assertion. |
Encrypt Assertion | False | Encrypt the SAML assertion. |
Include Assertion Signature | False | Include the assertion signature. |
Device SSO Response | False | Enable Device SSO response. |
Enable Force Authn Request | False | Enable Force Authn Request. |
Signature Algorithm | SHA-256 with RSA | The signature algorithm. |
Digest Algorithm | SHA-256 | The digest algorithm. |
Assertion Lifetime | 200 | The assertion lifetime. |
At the bottom of the Single Sign-On page, in the Custom Attribute Mapping section, add the following attributes:
Name | Format | Namespace | Value | Description |
---|---|---|---|---|
| | Unspecified | | | The user’s email address |
firstName | Unspecified | | | The user’s first name |
lastName | Unspecified | | | The user’s last name |
groups | Unspecified | | | The user’s groups |
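A structural check for a decoded SAML response captured during a test login, confirming that it matches the Advanced Properties above and carries the attribute names shown in the mapping table. This is an added example, not from the Omni or Workspace ONE Access documentation: the sample XML is constructed, `check_profile` is a hypothetical helper, and the signature is inspected but not verified cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EXPECTED_ATTRS = {"firstName", "lastName", "groups"}  # names shown in the mapping table

# Constructed sample: structure only, signature values omitted.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1"><saml:Assertion ID="_a1">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
  <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <saml:AttributeStatement><saml:Attribute Name="firstName"/>
  <saml:Attribute Name="lastName"/><saml:Attribute Name="groups"/>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""


def check_profile(xml_text):
    """Return deviations from the Advanced Properties and attribute names above.
    Structural check only: it does not verify the signature cryptographically."""
    root = ET.fromstring(xml_text)  # parse only captures you trust
    problems = []
    if root.find("ds:Signature", NS) is not None:
        problems.append("response is signed (Sign Response is False)")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted (Encrypt Assertion is False)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one plaintext assertion"]
    a = assertions[0]
    sig = a.find("ds:Signature", NS)
    if sig is None:
        return problems + ["assertion is unsigned (Sign Assertion is True)"]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    # The signature must cover this assertion, not some other element.
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        problems.append("signature does not reference the assertion ID")
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if sm is None or sm.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not SHA-256 with RSA")
    dm = ref.find("ds:DigestMethod", NS) if ref is not None else None
    if dm is None or dm.get("Algorithm") != SHA256:
        problems.append("digest algorithm is not SHA-256")
    names = {x.get("Name") for x in a.iter("{%s}Attribute" % NS["saml"])}
    for name in sorted(EXPECTED_ATTRS - names):
        problems.append("missing attribute: " + name)
    return problems


if __name__ == "__main__":
    print(check_profile(SAMPLE) or "matches the configured profile")
```

Because only the assertion is signed in this configuration, the check that the signature's Reference points at the assertion's own ID is the one to watch most closely.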
Click Next to continue and select the access policy as required by your organization.
Now it’s time to click the Save & Assign button and permit the Users and Groups allowed to log in to Omni.
On the Assign screen, enter the following:
Select the permitted group from your backing Active Directory or LDAP server.
Set the Deployment Type to Automatic.
Finally, obtain the IdP Metadata URL by clicking on Settings and then the Copy URL link.
This is the URL that will be used by Omni in the command line arguments in the next section.
Provide the following flags to the Omni container on launch.
Flag | Description |
---|---|
| Enable SAML authentication. |
| The URL to the IdP metadata file. |
| This extracts the |
For example;
Now that you have started Omni with the correct flags, refer to the Auto-assign roles to SAML users guide for information on how to automatically assign roles to users based on their SAML attributes.
Note that when using groups, the group name is prefixed with saml.omni.sidero.dev/groups/ instead of role. For example;