Skip to main content
Skip table of contents

Set up Workspace One connector

This article describes how to set up a Workspace One connector between the VMWare Workspace One ecosystem and Identity Manager Operator. Workspace One is a Mobile Device Management (MDM) solution. The connector forwards notifications from the Workspace One application and exports certificates to the VMWare Escrow Gateway.


In this article, <SMARTIDHOME> refers to /home/nexus, but this can be different depending on the setup.


  • The Smart ID version must include SCIM export (applicable for versions from 22.04.x and later).

Step-by-step instruction

Subscribe to Workspace One admin events

  1. Read the official documentation

  2. Target URL: Enter /api/events.

  3. Username and Password: This part is optional. The credentials can be verified by Identity Manager Operator if the idm-operator.test-connection.enabled flag is defined as true in the config/idm-operator.yaml file. 

  4. Format: Make sure to select JSON.

  5. Select the events you want to subscribe to.


The endpoint /api/events on the Workspace One connector must be secured from the outside when mutual TLS is configured between the connector and Identity Manager Operator.

Event Routing configuration

The Workspace One connector is a Spring Boot application that uses the .yaml format within its configuration files.

The "idm-operator.payload.routing" section defines how to route an event from the Workspace One to the Identity Manager Operator API endpoint URL. This URL consists of parameters that need to be adapted according to your configuration (for example, the process definition key, task ID, tenant ID, etc.)

Configure the routing in the config/idm-operator.yaml file.

Export certificates to the VMWare Escrow Gateway

The actual export and provisioning of certificates to the VMWare Escrow Gateway is configured via SCIM export in Smart ID Identity Manager. The SCIM export definition will be used to send the certificates to the Workspace One connector, which will forward them to the Escrow Gateway.

  1. Configure the "escrow-gateway" section in config/escrow-gateway.yaml in the Workspace One connector.

  2. Log in to Identity Manager Admin and open Export Definitions. You can create a new pre-defined export definition for Workspace One if it is not configured already. For more information, see Set up data export to external data source from Identity Manager.

  3. Make sure that the SCIM export definition includes these properties:

    • the Connection string must end with "/api/scim/v2"

    • the Resource must be "/Certificates"

  4. Configure the Certificates section to set up the mutual TLS between the connector and Identity Manager Operator.

  5. Set up the field mappings of the SCIM export. 


Internal field

External field













This is an example of the result after field mapping:

JSON example
  "device_uuid": "cbe7ecc8-45c5-4156-b212-c563209c2839",
  "user_uuid": "3780e878-6955-4d2b-af96-c60837d7cb77",
  "smime_certificates": {
    "signing": [
        "pkcs12": "p12 encoded in base64",
        "password": "w9TDX3WE"
    "encryption": [
        "pkcs12": "p12 encoded in base64",
        "password": "79iUnpCK"
    "archived": [
        "pkcs12": "p12 encoded in base64",
        "password": "kwGcDX0K"

Set up Workspace One


  1. Open the environment file <SMARTIDHOME>/compose/smartid.env for editing. 

  2. Set the properties for the following three variables to fit your deployment:

    # -- Workspace One connector properties
  3. Update the docker/compose/identitymanager/workspace-one-connector/docker-compose.yml

Tomcat (stand-alone)

  • Adapt the config files in the WEB-INF/classes/config folder.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.