A few days ago I mentioned in an article the shocking news that not everyone has Active
Directory for their user accounts. I talked about Just-In-Time Provisioning into Identity Manager
using Google Cloud Identity as the IDP. Now, this is great for getting user accounts into VMware Identity Manager, but without an AD/LDAP directory to sync through the Enterprise Systems Connector, Workspace ONE UEM doesn’t have a way to get user accounts automatically.

Well that’s not technically true.

A while ago a colleague and I had this exact scenario – a customer only used Google Cloud Directory and needed to get accounts into Identity Manager and Workspace ONE UEM. What we discovered was that we were able to also JIT user accounts into Workspace ONE UEM during enrollment. This meant we didn’t have to manually create accounts in Identity Manager or Workspace ONE UEM, which would otherwise have been necessary because we couldn’t use the Enterprise Systems Connector without an LDAP source.

Here’s how we did it.

Because JIT works by using the SAML assertion to create a user account on the fly, we need to enable SAML authentication using Identity Manager on Workspace ONE UEM. If you’re piecing the steps together at home, this means that we first need to get the accounts into Identity Manager before we can authenticate using SAML into Workspace ONE. Make sense?

The steps required to get this whole shebang working are:

  1. A configured Google Cloud Directory
  2. Add Google Cloud Directory as a 3rd Party IDP in Identity Manager
  3. Configure SAML authentication in Workspace ONE UEM
  4. Sit back and stroke your beard because this whole process is pretty cool.

You can technically replace Google Cloud Directory with any other 3rd Party IDP in Step 1. Luckily I’ve also documented how to get through Step 2 in another article. Step 3 is what we’ll cover here, and Step 4, well, I’m not sure. Hopefully you have a beard, otherwise I can’t help there.

Anyway, back to the real stuff.

The very first thing we need to do is go to our Identity Manager tenant and download our Identity Provider settings .xml file.
We can get this from Catalog -> Web Apps -> Settings -> SAML Metadata

Some browsers will just display the .xml in the browser; either way, download and save the file somewhere you can access it again easily.

Now, we need to go to our Workspace ONE UEM Console. Once we’ve logged in we need to adjust our ‘Directory Settings’.

Go to Settings, then System -> Enterprise Integration -> Directory Settings

On this page, we need to ‘Skip Wizard and Configure Manually’, set the Directory Type to ‘None’ and set ‘Use SAML for Authentication’ to Enabled.

Depending on your use case, work out what you want to use SAML for, and use the New SAML Authentication Endpoint.

Under the SAML 2.0 heading, most of these settings are contained in the idp.xml file we downloaded above. Locate the idp.xml file, upload it and click Save, and your settings should now look like below.

The only things I changed on this page were setting the Response Binding Type to POST and enabling Validate Response Signatures.

That’s pretty much it from a Workspace ONE UEM space. The certificate is contained in the idp.xml which you’ll see if you scroll down. Make sure you save the configuration.

Now we need to add the AirWatch Application to our Identity Manager tenant.

Go to the Identity Manager Admin Portal, go to the Catalog and make sure you’re on the Web Apps page. Select ‘New’ and search for AirWatch.

Once you click Next, you’ll see a fair bit of the configuration is prefilled. We just need to scroll down to ‘Application Parameters’ and fill those out.

  AWServerName = The Device Services Server URL of the Workspace ONE UEM Environment
  ac = The GroupID (in Workspace ONE UEM) where you have the SAML configuration enabled
  audience = This is just a value that needs to match the Service Provider (AirWatch) ID in the Workspace ONE UEM SAML Configuration.

You should assign it to the default_access_policy_set and entitle it to ALL USERS (set to automatic), and we’re done!