The Workspace ONE Access integration enables biometric authentication via SAML 2.0 before accessing virtual desktops, applications, and resources.
Integration type
Productivity
Overview
1Kosmos integrates with VMware Workspace ONE Access as a SAML 2.0 identity provider, enabling biometric authentication via the 1Kosmos mobile app before accessing virtual desktops, applications, and resources. Workspace ONE Access acts as the SAML service provider and brokers authentication to all downstream applications in its catalog.
What we solve
Enterprises using VMware Workspace ONE Access need to provide secure, passwordless access to virtual desktops, apps, and an application catalog while reducing phishing and password compromise. This integration configures 1Kosmos as a SAML 2.0 identity provider so users authenticate biometrically and Workspace ONE can broker that verified session to downstream resources (optionally paired with Horizon True SSO).
This configuration is performed in the Workspace ONE Access admin console under Integration → Identity Providers. Administrators add 1Kosmos as a third-party SAML IdP by providing the 1Kosmos metadata URL or uploading the metadata XML. After the IdP is saved, it is assigned to the default access policy in Workspace ONE Access to take effect for all users.
For VMware Horizon environments, True SSO can be combined with the 1Kosmos SAML integration, allowing users to authenticate once through 1Kosmos and receive seamless certificate-based login to their Horizon desktops without re-entering credentials on the Windows login screen.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
VMware Workspace ONE Access administrator access: System administrator access to the Workspace ONE Access console with permissions to configure Identity Providers and Access Policies.
User directory configured: A user directory (Active Directory, LDAP, or local) must be configured in Workspace ONE Access, and users must have accounts in both 1Kosmos and Workspace ONE Access with matching email addresses.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for VMware Workspace ONE:
| Field | Where to find it |
|---|---|
| SAML Metadata URL | AdminX → Settings → IdP Configuration → Metadata URL |
| SSO URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
VMware Workspace ONE Access SP values for AdminX:
| Field | Pattern |
|---|---|
| SP Entity ID | https://[wso-hostname]/SAAS/API/1.0/GET/metadata/sp.xml |
| ACS URL | https://[wso-hostname]/SAAS/auth/saml/response |
Integration steps
Step 1: Collect Workspace ONE Access SP metadata
Log in to the Workspace ONE Access console as a System Administrator.
Navigate to the Catalog → Web Apps tab and click Settings.
Click SAML Metadata in the left pane. Right-click the Identity Provider (IdP) metadata link to get the entityID and SingleSignOnService Location values. Download the Signing Certificate.
Note the SP metadata URL at https://[wso-hostname]/SAAS/API/1.0/GET/metadata/sp.xml and the ACS URL https://[wso-hostname]/SAAS/auth/saml/response.
Step 2: Add 1Kosmos as a SAML IdP in Workspace ONE Access
In the Workspace ONE Access console, navigate to Integration → Identity Providers.
Click ADD and select SAML IDP.
Enter a name for the identity provider (e.g., "1Kosmos").
Set Binding Protocol to HTTP POST.
In the SAML Metadata field, enter the 1Kosmos Metadata URL and click Process IdP Metadata. The system populates the IdP entity ID, SSO URL, and certificate automatically.
Under Users, select the directories whose users should authenticate with this identity provider.
Under Authentication Methods, enter an authentication method name (e.g., "1Kosmos Auth") and select the SAML context class. Click Save.
Step 3: Update the default access policy
Navigate to Resources → Policies in the Workspace ONE Access console.
Click Edit Default Access Policy.
In the policy configuration, set the authentication method to the 1Kosmos Auth method created in Step 2. Click Save.
Step 4: Add Workspace ONE as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Select SAML 2.0 Generic and click Add integration. Enter "VMware Workspace ONE" as the Application Name and your Workspace ONE Access URL as the Application Access URL.
Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add claims for email and userPrincipalName. Enable Assertion signing. Enter the Workspace ONE SP Entity ID and ACS URL. Click Save.
Step 5: Test the integration
Navigate to the Workspace ONE Access login URL. Select 1Kosmos as the identity provider option. You are redirected to 1Kosmos. Authenticate biometrically and confirm you are returned to your Workspace ONE application catalog.
Attribute mappings
| Source (1Kosmos) | Target (Workspace ONE) | Description |
|---|---|---|
| user.email | email / NameID | Primary identifier for user account lookup in Workspace ONE |
| user.upn | userPrincipalName | UPN for Active Directory user resolution |
Integration notes
VMware was acquired by Broadcom in 2023. Workspace ONE Access may appear under Broadcom's product portfolio in some contexts.
The integration described here applies to the Workspace ONE Access product regardless of current branding. For Horizon True SSO, additional configuration on the Horizon Connection Server is required to enable certificate-based login after SAML authentication.
Enabling True SSO allows users to bypass the Windows login screen on their virtual desktops after biometric authentication in 1Kosmos, providing a fully seamless experience.
