SAML Authentication Enforcement During Workspace ONE UEM Console Login


Up until Workspace ONE UEM Console 1810, the SAML authentication login flow was being executed only on entering the Organization Group ID (GID) as a parameter in the console login URL. If the GID is not provided, the Administrator is asked to enter a password, even if SAML is configured for authentication, thus bypassing the entire SAML flow and not adhering to standards of Identity Federation.

In the Workspace ONE UEM Console 1811 release, the Console login page has been modified to accept only the Administrator username that will be used to identify the Organization Group (OG) that the admin has been created at. The OG will then be checked to determine if SAML is enabled and configured. If enabled, the SAML authentication flow will be enforced. 

If SAML is not enabled at the OG or if the username is invalid, then the Administrator will be presented with the password field to facilitate the normal login flow. 

Please note that SAML authentication applies only to a single domain. Workspace ONE UEM does not yet support multi-domain. If your environment has multiple domains and you had previously configured SAML for authentication, the Administrator login flow wasn’t enforcing SAML but, instead, was falling back to authentication against the admin’s Directory credentials. The new flow will no longer allow this as it is against the standards of Identity Federation. In such a scenario, SAML authentication should be disabled for that environment.


Customer Impact

The changes offer a major improvement to the user experience for Customers and their Administrators that use SAML as their preferred mode of authenticating admins into the UEM Console. These changes also enhance the Single-Sign-On (SSO) experience during subsequent logins.

Please note that a known issue prevents SAML Admins from accessing the SaaS apps and access policies pages from within the UEM Console. The recommended workaround for SAML admins is to access SaaS apps and access policies from the VMware Identity Manager (vIDM) Console that has been integrated with the UEM Console.

The vIDM Console URL can be viewed at Groups & Settings > All Settings > System > Enterprise Integration > VMware Identity Manager > Configuration in the UEM Console.


Support Contact Information

To receive support, either submit a ticket via the My Workspace ONE portal or call your local support line.


Best Regards,

The VMware Workspace ONE Team

Other Languages: 日本語

Have more questions? Submit a request


Article is closed for comments.