Configuring VMware Identity Manager for Salesforce – Part 1

Now we’ll look at configuring SAML integration between VMware Identity Manager and Salesforce for Workspace ONE.

Definition: Security Assertion Markup Language (SAML) is an open standard that enables SSO for many different services and platforms. Authenticating with SAML allows a user to log in once per session.

Here are the defining components of SAML:

  • Service provider (i.e. an application.)
  • Identity provider (who is authenticated, and what authentication methods are used.)
  • End user who is accessing over SAML.



  1. User starts the SAML Application
  2. Service Provider (SP) sends a request to the Identity Provider (IdP) for authentication
  3. If the user is not authenticated, the IdP requests authentication from the user (i.e. username and password).
  4. The IdP then sends a response to the SP with a token for that user.


To go through this guide, you’ll need the following. So load up, and let’s get poppin’

  1. A Salesforce login. First create a trial Salesforce developer account
  2. A VMware Identity Manager tenant at your disposal.


SAML can be explained as a way of making two parties speak the same language.

So what we are going to do now is:

Export the SAML Metadata from VMware Identity Manager

  1. Log on to your VMware Identity Manager-tenant (URL:
  2. Right-click “Identity Provider (IdP) metadata” and choose “Save link as...”.
  3. Save the metadata file (idp.xml).


Add application from the catalog


Import the SAML Metadata File to Salesforce

  1. Now let’s start off by navigating to
  2. Enter your Salesforce username and password and hit “Login”.
  3. Type in “single” to find the SSO setting we will be configuring.
  4. Choose “Edit” and select “SAML Enabled” to enable SSO with the SAML protocol.
  5. Choose “New from Metadata File”.
  6. Now we upload the idp.xml that we downloaded from our VMware Identity Manager tenant. Hit “Create” and the SAML SSO settings will populate.
  7. Now we need to update the SAML settings. First off, select “Assertion contains the Federation ID from the User object.” and hit “Save”.
  8. Hit “Download Metadata”.
  9. Save the file; it’ll be an .xml with a name similar to SAMLSP-XXDXXXXXXXXQ.xml.


Register your domain on Salesforce

Now that we’ve downloaded the SAML metadata file, we need to register our domain.

In the search box on the left, we will enter “my domain” and click “My Domain”.



  1. In the field “Choose Your Domain Name”, enter a domain name.
  2. To confirm that it is available, hit “Check Availability.”
  3. Finish by hitting “Register Domain.”


Now we wait for an e-mail from Salesforce saying that the domain is ready.



And after a few minutes:


Now we return to “My Domain”, and edit the authentication configuration.

  1. In the search box on the left enter “my domain” and click “My Domain”.
  2. Next to “Authentication Configuration”, hit “Edit”.


That concludes part one!

If there are any topics or areas you’d like me to focus on, don’t hesitate to let me know! As always you can reach me at @UlvBjornsson, via the comments or by connecting with me on LinkedIn.



Installing VMware Enterprise Systems Connector

Things change fast, very fast. So VMware AirWatch 9.1 is out and so is the new installer which serves as the unified connector for Workspace ONE; AirWatch, and Identity Manager.

So if you were used to installing the ACC (AirWatch Cloud Connector) or the Linux appliance vIDM (VMware Identity Manager Connector), you should know that these two products have now been tied into one and have been branded VMware Enterprise Systems Connector.

Which I think is great, as editing a Linux appliance and bash, sudo, cat, vi. Yeah, it was fun.

I’ll walk you through the installation of the VMware Enterprise Systems Connector and enterprise integration.

So we’ve navigated to the Workspace ONE-tenant (VMware Identity Manager-tenant) which tells us that we need to download a Connector to configure it.


You can find the download by logging into your AirWatch-tenant and navigating to Systems > Enterprise Integration > VMware Enterprise Systems Connector



Just as before when downloading the installers, it asks for a password. Store it somewhere; you’ll be using it for the installation later.






Get it on the server, run it.


One change is that there is a new dependency: .NET Framework 4.6.2. We can use the installer to get it, or you can grab it from Microsoft.


download from here



and install

Next, it informs us that we require JRE; let’s run through that as well.



And that’s it.

Very straightforward. Make sure to verify it by hitting “Test Connection”.



Setting up AirWatch for Integration with Identity Manager: Part 2

Configure AirWatch settings in VMware Identity Manager to integrate AirWatch with VMware Identity Manager and enable the AirWatch feature integration options. The AirWatch API key and the certificate are added for VMware Identity Manager authorization with AirWatch.

If you are just jumping into this series, you need to have the following in place to complete the steps outlined here. If you haven’t, you can check out Part 1.

  • AirWatch server URL that the admin uses to log in to the AirWatch admin console.
  • AirWatch admin API key that is used to make API requests from VMware Identity Manager to the AirWatch server to set up integration.
  • AirWatch certificate file used to make API calls and the certificate password. The certificate file must be in the .p12 file format.
  • AirWatch enrolled user API key.
  • AirWatch group ID for your tenant, which is the tenant identifier in AirWatch.



Setting up AirWatch for Integration with Identity Manager: Part 1

First off ensure you have this in place:

  • The organization group in AirWatch where you are configuring VMware Identity Manager is of organization type Customer.
  • REST API admin key for communication with VMware Identity Manager service and a REST enrolled user API key for AirWatch Cloud Connector password authentication are made at the same organization group where VMware Identity Manager is configured.
  • API Admin account settings and the admin auth certificate from AirWatch added to the AirWatch settings in the VMware Identity Manager admin console.
  • Active Directory user accounts set up at the same organization group where VMware Identity Manager is configured.
  • If end users are placed into a child organization group from where VMware Identity Manager is configured after registration and enrollment, User Group mapping in the AirWatch enrollment configuration must be used to filter users and their respective devices to the appropriate organization group.

You can find these in your AirWatch Admin console:

  • REST admin API key for communication: System -> Advanced -> API -> REST API
  • API Admin account for VMware Identity Manager and the admin auth certificate that is exported from AirWatch and added to the AirWatch settings in VMware Identity Manager.
  • REST enrolled user API key used for AirWatch Cloud Connector password authentication.



Integrating AirWatch with Active Directory

We are going to connect your AirWatch environment with your Active Directory. We will be using the Directory Services page to configure the settings that let you integrate your AirWatch server with your organization’s domain controller (the server hosting your directory services system).

The scenario outlined in this tutorial assumes that you already have the following items:

  • Active Directory
  • AirWatch


Installing and configuring the AirWatch Cloud Connector


First we will install the AirWatch Cloud Connector (ACC) by enabling it in the AirWatch Admin Console, and then we download and run the installer file on the server that will host the service.

Installing the AirWatch Cloud Connector (ACC) includes the following tasks:

  • Enable the ACC in the AirWatch Admin Console
  • Generate the certificate that will be used for communication between the ACC and the AirWatch environment.
  • Configure the ACC with the services we will be using.
  • Download the ACC installer and install it.
  • Verify that the installation was successful, and that communications pass from the AirWatch SaaS to the ACC, and from the ACC to the AirWatch SaaS.
