Workspace ONE Access – Add your first SaaS app

I am continuing with this lovely series about Workspace ONE Access. So far we have been able to install the connector and integrate with the Active Directory. But if you actually log in as a domain user, you might be disappointed, because there is nothing to do in Workspace ONE Access.

There are no applications. Yet. Let’s fix that in this blog post and add a simple SaaS application – Salesforce.

Prerequisites

At this point, I am assuming that you have a Workspace ONE Access environment up and running and configured with connector and Active Directory integration.

Also, because our application of choice is Salesforce, you should have a developer account (you can get one here: https://developer.salesforce.com/signup) and you should be able to log in with that account and access the Setup page (typically located at https://<YOUR_TENANT>.lightning.force.com/lightning/setup/SetupOneHome/home).

Some knowledge about SAML is also necessary. Check this video from Peter Björk:

Salesforce side configuration

Adding a SAML application is a two-step process. Let’s start on the application side.

The first thing you will need to do is navigate to “Single Sign-On Setting” and edit it.

By default SAML is disabled, so go ahead and enable it.

Now we will need to tell Salesforce to trust our identity provider (Workspace ONE Access). We will do that by uploading an XML file. Of course, you can set it up manually or use the URL, but I find the XML upload the fastest and most reliable option.

To get the identity provider XML, we will need to log in to Workspace ONE Access as a system administrator and switch to the administration console.

Then navigate to Catalog > Web Apps.

We are interested in “Settings”.

Go to “SAML Metadata” section and download the “Identity Provider (IdP) metadata” file.

Upload the downloaded metadata file to Salesforce.

The next screen should be pre-populated for you; the only thing to change is to disable “Single Logout”, then hit “Save”.

We have configured the IdP on the application side; now we have to configure the application on the IdP side. Download the application metadata file.

Workspace ONE configuration

On the same screen (Catalog > Web Apps) click on “New”.

We are lucky because the Salesforce application is in the catalog, so click on “browse from catalog”.

Search for Salesforce and select it.

Click on Next.

Again, we don’t want to configure the application manually, as we have the XML application metadata. Switch the configuration to URL/XML and paste in the content of the file you downloaded from Salesforce.

For now, let’s stick with default policies.

Save the configuration and assign the application to users.

Assign it to the predefined group “ALL USERS” with the “Automatic” deployment type.

When you switch back from the administration portal to the user portal you should see the application icon there and you can try to launch it.

And yeah, it does not work. 😀 Let’s troubleshoot what went wrong.

Troubleshooting

Salesforce gives you a pretty nice tool to check the SAML communication. Go ahead and launch the “SAML Assertion Validator”.

All the checks are green, but further down you can see that it was not able to map the subject “michal” (this is the value sent by Workspace ONE Access) to a user in SFDC.

We haven’t enabled just-in-time provisioning of users, which means that users must already exist in SFDC before the login for this to work. A quick check of users shows that we do have a user there, but his username is “michal@minarik.io”, which obviously cannot be mapped to the “michal” sent by our IdP.

The fix in this case is pretty easy: we need to instruct Workspace ONE Access to send the email address, which will correctly map to the SFDC username. You can do that by editing the application. In the configuration, find the “Username Value” field.

And change it from “${user.userName}” to “${user.email}”.
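To make the subject-mapping failure above reproducible offline, here is a small added example (not from the original post or from VMware/Salesforce): it resolves a “Username Value” expression against a constructed user record the way the assertion’s NameID would be filled, builds a minimal SAML assertion around it, and checks whether that NameID matches a constructed Salesforce username list, mirroring the subject check the SAML Assertion Validator performs. The user record, the Salesforce usernames and the assertion skeleton are all constructed for the demo.

```python
"""Reproduce the NameID -> Salesforce username mapping check (added example)."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed directory record, standing in for the AD user synced into Access.
IDP_USER = {"userName": "michal", "email": "michal@minarik.io"}

# Constructed SFDC user list; Salesforce usernames are always email-shaped.
SFDC_USERNAMES = {"michal@minarik.io"}


def render_username_value(expression: str, user: dict) -> str:
    """Resolve a ${user.<attribute>} expression like the Username Value field."""
    def lookup(match: re.Match) -> str:
        attr = match.group(1)
        if attr not in user:
            raise KeyError(f"unknown user attribute: {attr}")
        return user[attr]
    return re.sub(r"\$\{user\.(\w+)\}", lookup, expression)


def build_assertion(name_id: str) -> str:
    """Minimal, unsigned assertion carrying only Subject/NameID (demo skeleton)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Subject><saml:NameID '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f"{escape(name_id)}</saml:NameID></saml:Subject></saml:Assertion>"
    )


def extract_name_id(assertion_xml: str) -> str:
    """Pull the subject out of the assertion using the SAML 2.0 namespace."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    if node is None or not node.text:
        raise ValueError("assertion has no Subject/NameID")
    return node.text.strip()


def validate_subject(expression: str) -> tuple:
    """Return (NameID, mapped) the way the validator reports the subject check."""
    subject = extract_name_id(build_assertion(render_username_value(expression, IDP_USER)))
    return subject, subject in SFDC_USERNAMES


if __name__ == "__main__":
    for expr in ("${user.userName}", "${user.email}"):
        subject, ok = validate_subject(expr)
        print(f"{expr:18} -> NameID {subject!r}: {'mapped' if ok else 'NOT mapped'}")
```

Running it shows the first expression producing “michal”, which has no match, and the second producing the email-shaped value that maps cleanly.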

Conclusion

If we test the same thing now, sure enough, we have SSO to Salesforce. The process is similar for any other SAML application.

In the next post, we will integrate Workspace ONE Access with VMware Horizon, to get virtualized applications into the catalog.