Integrating User Authentication with Workspace ONE Access to VMware Cloud Web Security

What is VMware Cloud Web Security (CWS) ?

VMware Cloud Web Security is a cloud hosted Proxy Service within the VMware VeloCloud SASE Points of presence. It offers multiple Security Features and helps organisations to protect their sensitive data. For more Information on the CWS please have a look on the VMware website:

If you integrate Workspace ONE Access and Cloud Web Security , you can use Groups for you Ruleset on CWS and also you add an Additional Laver of security. Also in the Web Logs you can see the Users that are trying to browse to Vulnerable Webservices or that get blocked to this. In total you get really gerat insights to you web traffic.

So let us start to enable the Authentication and Configure the existing Workspace ONE Access now.

Configuration on Workspace ONE Access

Login to Workspace ONE Access , go to “Catalog” and Add a new App with the Click to “NEW”

Give it a Name and Click to “NEXT”

On the Single Sign-On Screen configure the following things:

Authentication TypeSAML 2.0
Single Sign-On URL
Recipient URL
Application ID
Username FormatEmail Address
Username Value ${}
Advanced Properties:
Custom Attribute Mapping
Name: groups
Format: Basic
Value: ${groupNames}
Show in User PortalNo (users do not need to see the Icon in portal as it is used once the user accesses CWS anyway)

After the SSO Settings select the Access Policy. I highly recommend on using something that is doing SSO as the user has already access to the Network (like via Tunnel) so MFA would really hurt the user much.

Once done click to “SAVE & ASSIGN”:

Now select the User Group that should be able to use CWS and click to “SAVE”

As we need the Signing Cert , Coppy out the from the Settings in Catalog the SAML Metadata that is shown under Signing Certificate. this will be required later on the CWS Certificates Page.

This is now all the Configuration needed on Workspace ONE Access. Now lets configure it on VMware Cloud Web Security

Configuration on Cloud Web Security

Login to VMware Velocloud Orchestrator (New UI) and Select Clout Web Security. Once there go to Authentication:

Enable the Signle Sign On settings and set the following Values.

SAML Server Internet Accessible?Yes
SAML ProviderWorkspace ONE Access
SAML 2.0 Endpoint
Service Identifier (Issuer)

NOTE: the URL for Access needs to match with your Workspace ONE Access Tenant, so just replace the “” with your real URL.

Once done add the Signing Cert to the Certificate Section:

This is the content that you copied out from the Metadata Section on Workspace ONE Access:

Just a Reminder , here is where you get the Signing Cert:

Once done Click to “Save Changes”

When you now hit the CWS , Authentication will happen , depending on the Settings it will do SSO, MFA etc.

and the User has Access.

Also you can then see the User ID in the Web Log and use Groups for your Ruleset:

This helps you to use groups for Cloud Web Security and add an additional Layer of Security to your users while browsing the Web.

Written by
Website | + posts

vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.

Leave a Reply

Your email address will not be published. Required fields are marked *.

You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

BCF Shop Theme By aThemeArt.