Integrating Salesforce with VMware Workspace ONE Access: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure Workspace ONE Access as a third-party identity provider in Salesforce to enable single sign-on (SSO) access to Salesforce. Then, you add Salesforce as a SAML application in Workspace ONE Access to be launched from the Workspace ONE app catalog.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, as is familiarity with Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

Integrating Salesforce with Workspace ONE Access

Introduction

This tutorial helps you to integrate Salesforce with Workspace ONE Access (formerly VMware Identity Manager) to enable single sign-on access to Salesforce. Procedures include:

  • Creating a Salesforce Developer environment
  • Configuring SAML SSO settings in Salesforce
  • Adding Salesforce to the Workspace ONE app catalog and configuring Salesforce SSO settings in the Workspace ONE Access console
  • Providing users with SSO access to Salesforce

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation.

Check whether you have the following components installed and configured:

  • Workspace ONE Access tenant with administrator access
  • Salesforce environment – you can use an existing environment or follow steps in this tutorial to create a new Salesforce development environment

Configuring the Salesforce Developer Environment

In this activity, you create a Salesforce developer account and configure the Salesforce domain.

If you have an existing Salesforce environment and want to use that for the exercises, skip to the next chapter: Configuring SSO Settings in Salesforce.

1. Create Salesforce Developer Account

  1. To create a Salesforce developer account, navigate to https://developer.salesforce.com/signup.
  2. Enter the required information and click Sign me up. After you create the account, you will receive an email to verify the email account and set your Salesforce password.
  3. When the account has been created successfully, you are logged in to the Salesforce console.

3. Deploy the Domain

Perform the following steps to make the domain publicly available.

  1. Refresh your screen until you see confirmation that your domain is Ready for Testing, which means the domain name (for example, vmwareeuc-dev-ed.my.salesforce.com) is registered.
  2. Click Log in.
  3. Click Deploy to Users.

4. Confirm the Domain is Deployed

Confirm that the domain has been deployed. You have completed the first configuration step in your Salesforce development environment.

Logging In to the Workspace ONE Access Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE Access console.

1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon on the desktop.

2. Open a New Browser Tab

Click the new-tab button to open a new tab.

4. Log In to Your Workspace ONE Access Tenant

  1. Enter the Username, for example, Administrator.
  2. Enter the Password, for example, VMware1!.
  3. Click Sign In.

Downloading the Workspace ONE Access SAML Metadata

In this activity, you retrieve the SAML metadata of Workspace ONE Access, which embeds the SAML signing certificate. Salesforce requires both of these SAML components to set up Workspace ONE Access as its identity provider (IdP): the metadata tells Salesforce where to send users and which entity ID to expect, and the certificate is what Salesforce uses to verify the signature on every assertion it receives.

The SAML metadata describes the capabilities and requirements of the Workspace ONE Access identity provider (its entity ID, single sign-on and single logout endpoints, supported bindings and NameID formats, and the signing certificate), and is served as an XML file by the Workspace ONE Access tenant.

1. Navigate to Settings

In the Workspace ONE Access administration console:

  1. Click Catalog.
  2. Click Settings.

2. Download the Identity Provider (IdP) SAML Metadata

  1. Click SAML Metadata.
  2. Right-click Identity Provider (IdP) metadata and save the link target locally as vidm-idp.xml.

Configuring SSO in Salesforce

In this activity, you configure Salesforce for SSO by defining Workspace ONE Access as the SAML identity provider for the application. Then, you download the SAML metadata for the Salesforce SSO configuration. You will use the file in a later activity to configure the Salesforce app in Workspace ONE Access.

If SAML is already enabled in your environment, skip to the next exercise.

1. Navigate to Single Sign-On Settings

In the Salesforce environment:

  1. Enter Single Sign-On in the search text box.
  2. Select Single Sign-On Settings.
  3. Click Edit.

2. Enable SAML Settings

  1. Select the SAML Enabled check box.
  2. Click Save.

3. Configure SAML Single Sign-On Settings

Click New from Metadata File.

4. Upload SAML Metadata File

Upload the IdP metadata file.

  1. Click Choose File and select the file previously downloaded from Workspace ONE Access. For example, vidm-idp.xml.
  2. Click Create.

5. Configure SSO Settings

  1. Enter a Name, for example, ws1. Salesforce prefills the Name from the Workspace ONE Access tenant URL found in the metadata; you can change this Name.
  2. The API Name by default uses the same profile name, for example, ws1. You can also change the API name; however, this name must be unique across all Salesforce data.
  3. For Entity ID, enter your registered Salesforce domain URL, for example, https://vmwareeuc-dev-ed.my.salesforce.com. Salesforce compares this value with the Audience in each incoming assertion, so it must match exactly what Workspace ONE Access sends.
  4. For SAML Identity Type, ensure Assertion contains the User's salesforce username is selected. With this setting, Salesforce looks up the user by the value carried in the assertion, so that value must equal the user's Salesforce username.
  5. For SAML Identity Location, ensure Identity is in the NameIdentifier element of the Subject statement is selected.
  6. For Identity Provider Single Logout URL, enter your Workspace ONE Access logout URL, for example, https://ws1.vidmpreview.com/SAAS/auth/logout.
  7. For Single Logout Request Binding, select HTTP POST.
  8. Click Save.

6. Download Salesforce SSO Metadata

Click Download Metadata.

An XML file named in the form SAMLSP-XXXXXXXXXXX.xml is downloaded. This is the service provider (SP) metadata for the SSO setting you just created: it carries the Entity ID, the Assertion Consumer Service URL and the NameID format that Workspace ONE Access needs.
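Before pasting either file into the other side's console, it helps to see what the two metadata documents actually contain and whether they agree. The following script is an added example, not part of the VMware tutorial: it parses both the IdP metadata saved earlier as vidm-idp.xml and the SP metadata Salesforce just exported, and lists the values that must line up between them. The two documents embedded in it are constructed in the shape of the real files; the hostnames are the tutorial's examples, the Workspace ONE Access entityID format and the Salesforce logout path are assumptions, and the certificate blob is a placeholder rather than a real certificate.

```python
"""Inspect the SAML metadata exchanged between Workspace ONE Access and Salesforce.

Added example, not from the VMware tutorial. parse_metadata() reads either the
IdP metadata (vidm-idp.xml) or the SP metadata Salesforce exports
(SAMLSP-XXXXXXXXXXX.xml); check_pairing() lists what must agree between them.
The samples below are constructed: hostnames are the tutorial's examples, the
IdP entityID format is an assumption, the certificate is a placeholder.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://ws1.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://ws1.vidmpreview.com/SAAS/auth/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://ws1.vidmpreview.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://vmwareeuc-dev-ed.my.salesforce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://vmwareeuc-dev-ed.my.salesforce.com/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://vmwareeuc-dev-ed.my.salesforce.com" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_der):
    """SHA-256 fingerprint in the AA:BB:... form admin consoles display."""
    digest = hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def parse_metadata(xml_text):
    """Extract role, entityID, endpoints, NameID formats and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    role, kind = root.find("md:IDPSSODescriptor", NS), "IdP"
    if role is None:
        role, kind = root.find("md:SPSSODescriptor", NS), "SP"
    if role is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor in metadata")
    info = {"role": kind, "entity_id": root.get("entityID"), "endpoints": {},
            "name_id_formats": [e.text.strip() for e in role.findall("md:NameIDFormat", NS)],
            "signing_cert_fingerprints": []}
    for svc in ("SingleSignOnService", "AssertionConsumerService", "SingleLogoutService"):
        for e in role.findall("md:" + svc, NS):
            binding = e.get("Binding", "").rsplit(":", 1)[-1]   # e.g. HTTP-POST
            info["endpoints"].setdefault(svc, []).append((binding, e.get("Location")))
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no 'use' means signing and encryption
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                info["signing_cert_fingerprints"].append(cert_fingerprint(cert.text))
    if kind == "SP":
        info["wants_signed_assertions"] = role.get("WantAssertionsSigned") == "true"
    return info


def check_pairing(idp, sp, my_domain_url):
    """Mismatches to fix before testing SSO; an empty list means the pair is consistent."""
    problems = []
    if sp["entity_id"] != my_domain_url:
        problems.append("SP entityID %r is not the My Domain URL %r" % (sp["entity_id"], my_domain_url))
    if not idp["signing_cert_fingerprints"]:
        problems.append("IdP metadata has no signing certificate; Salesforce cannot verify assertions")
    if "SingleSignOnService" not in idp["endpoints"]:
        problems.append("IdP metadata has no SingleSignOnService endpoint")
    if "AssertionConsumerService" not in sp["endpoints"]:
        problems.append("SP metadata has no AssertionConsumerService endpoint")
    if not sp.get("wants_signed_assertions"):
        problems.append("SP does not require signed assertions")
    for svc in list(idp["endpoints"].values()) + list(sp["endpoints"].values()):
        for _, location in svc:
            if not (location or "").startswith("https://"):
                problems.append("endpoint is not HTTPS: %r" % location)
    return problems


if __name__ == "__main__":
    # Replace the samples with open("vidm-idp.xml").read() and the Salesforce export.
    idp, sp = parse_metadata(IDP_METADATA), parse_metadata(SP_METADATA)
    print("IdP signing certificate SHA-256:", idp["signing_cert_fingerprints"])
    print("findings:", check_pairing(idp, sp, "https://vmwareeuc-dev-ed.my.salesforce.com") or "none")
```

The fingerprint printed for the IdP certificate is the value to compare against the certificate Salesforce shows after the metadata upload; a mismatch there, or an entityID that differs from the My Domain URL entered as Entity ID, is the usual cause of a failed SSO test.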

Adding Salesforce to the Workspace ONE Application Catalog

In this activity, you add Salesforce as an application to the Workspace ONE catalog for seamless access. This enables the end user to authenticate directly into the Workspace ONE app catalog and perform an IdP-initiated login to the Salesforce instance federated with Workspace ONE Access.

1. Create New SaaS Application

In the Workspace ONE Access administration console:

  1. Click Catalog.
  2. Click New.

2. Select Salesforce Template

  1. Enter Salesforce in the text box.
  2. Select the Salesforce template.
  3. Click Next.

3. Configure URL/XML Settings

  1. Select URL/XML.
  2. Copy and paste the content of the Salesforce XML metadata file that you previously downloaded from Salesforce into the URL/XML text box.
  3. Click Next.

4. Configure Access Policies for the Application

For this exercise, use the default_access_policy_set.

Click Next.

5. Save the Application Configuration

Click Save & Assign to configure the groups of users that will have permission to this application in the Catalog.

Salesforce is now configured as an application in the Workspace ONE Catalog.

6. Assign Users to Salesforce

  1. Enter ALL USERS in the search box and select All Users.
  2. Select Automatic for Deployment Type.
  3. Click Save.

7. Complete Salesforce Configuration

The following steps complete the Salesforce configuration.

  1. Click Catalog.
  2. Select the Salesforce application.
  3. Click Edit.

8. Configure Username Settings

The following configuration ensures that the Workspace ONE Access service sends SAML assertions with subject statements that the application service provider recognizes. For Salesforce, the user's e-mail address is sent as the NameID; because the Salesforce SSO setting identifies users by username, this e-mail address must equal the user's Salesforce username (which is itself in e-mail format).

  1. Click Configuration.
  2. Select Email Address as the Username Format.
  3. Enter ${user.email} as the Username Value.
  4. Click Summary.

9. Save the Configuration

Click Save.

This concludes the configuration of the Salesforce Application, which now is available for All Users through the Workspace ONE App Catalog.

Testing Salesforce SSO through Workspace ONE Catalog

In this activity, you test SSO to Salesforce through the Workspace ONE catalog.

Before you log in to Salesforce using the Workspace ONE Catalog, make sure that the e-mail address of the user in Workspace ONE Access matches the Salesforce username of that user. With the SAML Identity Type configured earlier, Salesforce matches the NameID against the username, not against the Email field of the Salesforce user record.

Note: The user account in Workspace ONE Access can be either a local account or an Active Directory account. However, it is important that the Workspace ONE Access e-mail address and the Salesforce username match exactly.

1. Log In to Workspace ONE

From your web browser, open a new incognito window so that the administrator session from the earlier steps is not reused, and navigate to the Workspace ONE portal.

  1. Enter the Username for the account you have in Workspace ONE Access (not the email address).
  2. Enter the Password.
  3. Click Sign in.

2. Open the Salesforce Application

Now, test authenticating into Salesforce through the Workspace ONE catalog.

Select the Salesforce application and click Open. You are redirected to Salesforce through SSO without being prompted for Salesforce credentials.

3. Confirm Successful SSO Access to Salesforce

Upon successful authentication with Workspace ONE Access, you are granted access to Salesforce through the Workspace ONE catalog.
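When the test fails, the quickest diagnosis is to look at what Workspace ONE Access actually posted to Salesforce. The script below is an added example, not part of the VMware tutorial: it takes the SAMLResponse form value captured in the browser (developer tools or a SAML tracer extension) during the redirect to Salesforce and checks the claims that this tutorial's configuration depends on: the issuer is the Workspace ONE Access IdP, the assertion carries a signature, the NameID is in e-mail format and equals the Salesforce username, the audience equals the Entity ID configured in Salesforce, and the validity window covers the current time. The embedded response is constructed; the hostnames are the tutorial's examples, the IdP entityID format and the test user's e-mail are assumptions, and the Signature element is a stand-in. The script does not verify the XML signature itself; Salesforce does that with the certificate from the IdP metadata.

```python
"""Sanity-check the SAML Response that Workspace ONE Access posts to Salesforce.

Added example, not from the VMware tutorial. Pass the captured SAMLResponse
form value to check_response(). The sample is constructed: hostnames are the
tutorial's examples, the IdP entityID format and the user e-mail are
assumptions, the Signature element is a stand-in. Claims and timing are
checked; XML signature verification is Salesforce's job, not this script's.
"""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# What the tutorial's configuration should produce for one (constructed) test user.
EXPECTED = {
    "issuer": "https://ws1.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml",
    "audience": "https://vmwareeuc-dev-ed.my.salesforce.com",  # Salesforce Entity ID
    "username": "jdoe@example.com",  # ${user.email} in WS1 Access == Salesforce username
}

SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://ws1.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://ws1.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vmwareeuc-dev-ed.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Stands in for the captured SAMLResponse form value (base64 of the XML).
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601, optionally with fractional seconds."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))


def check_response(form_value, expected, now=None):
    """Return findings for a SAMLResponse form value; [] means it matches the setup.
    `now` is an ISO-8601 UTC timestamp such as "2024-05-01T10:01:00Z" (default: clock)."""
    now = parse_saml_time(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(form_value))
    findings = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion (encrypted or missing)"]
    issuer = assertion.findtext("saml:Issuer", "", NS).strip()
    if issuer != expected["issuer"]:
        findings.append("issuer %r is not the Workspace ONE Access IdP" % issuer)
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion carries no Signature")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("no NameID in Subject")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            findings.append("NameID format %r is not emailAddress" % name_id.get("Format"))
        if (name_id.text or "").strip() != expected["username"]:
            findings.append("NameID %r does not match the Salesforce username" % name_id.text)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element: no validity window and no audience")
    else:
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            findings.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            findings.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected["audience"] not in audiences:
            findings.append("audience %r does not contain the Salesforce Entity ID" % audiences)
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE_B64 with the value captured from the browser.
    print(check_response(SAMPLE_RESPONSE_B64, EXPECTED, "2024-05-01T10:01:00Z") or "OK")
```

A NameID that does not equal the Salesforce username, or an audience that differs from the Entity ID entered in the Salesforce SSO setting, are the two findings that most often explain a Salesforce login error after a successful Workspace ONE Access sign-in; an expired assertion usually points at clock skew between the tenant and Salesforce.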

Summary and Additional Resources

Conclusion

This tutorial provided steps to create and configure a Salesforce developer environment, and integrate Salesforce with Workspace ONE Access to enable single sign-on access to Salesforce.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
identity provider (IdP): In a single sign-on (SSO) framework, the system that authenticates the user and issues a signed assertion about that user, which a service provider accepts in place of its own login. In this tutorial, Workspace ONE Access is the IdP.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices, and that relies on an identity provider's assertions to authenticate them. In this tutorial, Salesforce is the SP.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Author

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.