Workspace One UEM offers a number of different ways to authenticate users when enrolling new devices. Most organisations choose to integrate with their on-premises Active Directory through the Cloud Connector; this component provides user group sync, integration with on-premises certificate authorities and the ability to pull user attributes from Active Directory. Together these features give a very streamlined enrollment and integration with a wide range of corporate resources.
For many newer organisations that do not already have a large on-premises footprint, cloud directories are far more attractive: they skip the need for, and the cost of, internal equipment when a new tenant can be spun up on whichever identity or directory service they choose.
An increasingly common choice is cloud-only Azure Active Directory, with no on-premises directory sync (through Azure AD Connect). With this directory type, users authenticate to Workspace One UEM using SAML; a successful SAML authentication creates the user within the console and allows the user to enroll their devices.
Setting this up can be complicated and detailed instructions can be hard to find. Don’t worry, the EUCSE’s got your back!
Add Azure Application:
1. Go to the Azure portal: https://portal.azure.com.
2. Once logged in, select “Azure Active Directory” on the left-hand side of the portal
3. Select the Enterprise Applications section in the panel on the left and then select the “+New Application” button at the top.
4. Add an application with the option “Application you’re developing”
5. A new pane will appear, select “Ok, take me to App Registrations to register my new application.”
Configure Azure Application
- You will be prompted to name the application, the name itself doesn’t have to be a specific value but just for simplicity’s sake we’ll call it “AirWatch.” For the “Application Type” select “Web App / API” and for the “Sign-On URL” please enter the following URL with your Device Services server included: https://ds_Server_URL/DeviceManagement/Enrollment (not case sensitive)
- Now select “Create” at the bottom of this panel.
- You should now see your application appear under the “App Registrations” panel. At this point, select the application you just created. Two new panels will appear, one of them being the “Settings”. From here, select the “Properties” under the “General” section.
- For the APP ID URI enter: https://ds_Server_URL/ak (the actual URI is not special and can be anything unique, as long as it matches the Service Provider (AirWatch) ID in the AirWatch console, which we will discuss a little later. Azure AD places this value in the Audience of every assertion it issues for the application and UEM checks the Audience against its configured SP ID, which is why the two strings must be identical.)
- Select the “Save” button at the top of the page.
Application Configuration and Federation Metadata
1. Select the “Reply URLs” option under the Properties button.
2. The Reply URLs should be set to the HTTP-POST AssertionConsumerService URLs for MyDevice and DeviceManagement. These endpoints are listed in the XML you receive when clicking Export Service Provider Settings at the bottom of the Directory Services settings page in the AirWatch Console (index 2, 5 and 8).
3. So you don’t have to check, these are the URLs to include:
- For Self Service Portal: https://DS_DNS_Name/MyDevice/SAML/AssertionService.ashx?binding=HttpPost
- For Device Enrollment: https://DS_DNS_Name/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost
- For Console Login: https://Console_DNS_Name/AirWatch/SAML/AssertionService.ashx?binding=HttpPost
- For the new SAML Authentication Endpoint (needed only if you enable “Use new SAML Authentication Endpoint” in the UEM console): https://DS_DNS_Name/IdentityService/SAML/AssertionService.ashx?binding=HttpPost
Azure AD will only post assertions to a URL registered here, and a mismatch (a different host, a missing query string) makes Azure refuse the sign-in, so copy the exported URLs rather than retyping them.
Once you have saved the changes to the Azure page, navigate back to the “App Registrations” panel and at the top of this panel select “Endpoints”.
Once on this page, copy the “Federation Metadata Document” url and paste it into a browser. You can right click on the screen and select to “Save As” a xml document.
Workspace One UEM Configuration
1. Open your console and go to Groups & Settings -> All Settings -> System -> Enterprise Integration -> Directory Services.
2. Change “Directory Type” to “None” and save the page at the bottom.
3. Scroll back up and enable “Use SAML for Authentication”.
4. Optionally enable “Use new SAML Authentication Endpoint”. If you do, the Azure application’s Reply URLs must also include https://DS_DNS_Name/IdentityService/SAML/AssertionService.ashx?binding=HttpPost, otherwise Azure will not post assertions to the new endpoint.
5. Under SAML 2.0, upload the XML you just saved by selecting Upload next to Import Identity Provider Settings.
6. Now scroll to the bottom and save. The imported XML settings are applied only after saving the Directory Services page.
Directory Services Configuration
1. Change the “Service Provider (AirWatch) ID” to the same value that you used for the “App ID URI” in the Azure application. This should be https://ds_Server_URL/ak if you used the URI suggested above.
2. Change the request binding type on both request and response to POST and save the settings page again.
3. Select the User tab at the top and change the user attributes and Base DN as seen in the screenshot below:
- Change the Base DN to the following: WAAD
- Object Identifier – http://schemas.microsoft.com/identity/claims/objectidentifier
- Username and Email Address – http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Display Name and First Name – http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Last Name – http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Azure AD fills the name claim with the user principal name by default, so the UPN becomes the UEM username; the objectidentifier claim is the user’s immutable Azure AD object ID, which is why it, rather than the UPN, is used as the Object Identifier.
4. This completes the Azure AD integration with Workspace One UEM!
SAML Authentication Test
- Get hold of a device of any type
- Download the Workspace One Intelligent Hub application
- Select Server Details on the Agent page (if you have AutoDiscovery you can select Email instead)
- Enter your environment URL along with the Group ID of the organization group where you configured Azure SAML authentication.
- You should now be redirected to the Azure logon page. Enter the credentials of a user in Azure.
You can also test this from a computer by navigating to https://dsyourenvironment.awmdm.com/enroll?GID=GROUPID (substituting your Device Services hostname and Group ID).
You should then be forwarded to a Microsoft login page.
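If the Microsoft login succeeds but UEM still refuses the enrollment, the quickest diagnosis is to look at the SAMLResponse the browser POSTs back to AssertionService.ashx (the base64 form field visible in the browser’s network tab) and compare it with what was configured above: the Destination must be one of the Reply URLs, the Audience must equal the Service Provider ID, and the four claims used in the attribute mapping must be present. The following Python script is an added example (not code from the original post or from VMware/Microsoft) that performs those checks. The Device Services hostname ds.example.com, the SP ID and the sample response are all constructed; the sample is unsigned and only mirrors the element layout Azure AD produces, so the script does not verify the signature, which UEM does with the certificate from the imported metadata.

```python
"""Decode a captured SAMLResponse and check the fields UEM validates.

Added example (not from the original post).  Hostname, SP ID and the sample
response are CONSTRUCTED placeholders; the response is unsigned.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The claims the UEM attribute mapping in this post relies on.
REQUIRED_CLAIMS = {
    "http://schemas.microsoft.com/identity/claims/objectidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
# Assumed placeholders: your Device Services host and the SP ID you chose.
DS_HOST = "ds.example.com"
SP_ID = f"https://{DS_HOST}/ak"
REPLY_URLS = {
    f"https://{DS_HOST}/MyDevice/SAML/AssertionService.ashx?binding=HttpPost",
    f"https://{DS_HOST}/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost",
    f"https://{DS_HOST}/IdentityService/SAML/AssertionService.ashx?binding=HttpPost",
}
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant


def _attr(name, value):
    return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            "</saml:AttributeValue></saml:Attribute>")


def build_sample_response(destination, audience, not_on_or_after, claims):
    """Build a constructed, unsigned SAMLResponse base64-encoded as a browser would POST it."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        f'IssueInstant="2020-01-01T00:00:00Z" Destination="{destination}">'
        f"<saml:Issuer>{ISSUER}</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
        f"<saml:Issuer>{ISSUER}</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{not_on_or_after}"/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions><saml:AttributeStatement>"
        + "".join(_attr(n, v) for n, v in claims.items())
        + "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def _ts(value):
    """Parse the UTC timestamps Azure emits, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError(f"unparseable timestamp {value!r}")


def check_saml_response(saml_response_b64, reply_urls, sp_id, now):
    """Return a list of problems; an empty list means every checked field is consistent."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    dest = root.get("Destination", "")
    if dest not in reply_urls:  # Azure only posts to registered Reply URLs
        problems.append(f"Destination {dest!r} is not one of the registered Reply URLs")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element (check the Status element for an error)"]
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if sp_id not in audiences:  # must equal the Service Provider (AirWatch) ID
        problems.append(f"Audience {audiences} does not contain SP ID {sp_id!r}")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != dest:
        problems.append("SubjectConfirmationData Recipient does not match Destination")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        if not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
            problems.append("assertion is outside its validity window (check clock skew)")
    present = {a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)}
    for missing in sorted(REQUIRED_CLAIMS - present):
        problems.append(f"claim {missing} missing: the UEM attribute mapping will fail")
    return problems


if __name__ == "__main__":
    ok = build_sample_response(
        f"https://{DS_HOST}/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost",
        SP_ID, "2020-01-01T00:05:00Z", {n: "x" for n in REQUIRED_CLAIMS})
    print(check_saml_response(ok, REPLY_URLS, SP_ID, "2020-01-01T00:01:00Z"))
```

To use it on a real capture, pass the SAMLResponse form value straight to `check_saml_response`, together with your own Reply URL set and SP ID and the current UTC time in the same `YYYY-MM-DDTHH:MM:SSZ` form. A trailing slash on the SP ID or a Reply URL missing its `?binding=HttpPost` query string is exactly the kind of mismatch this surfaces.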
Sales Engineer specialising in Unified Endpoint Management (UEM) and the Digital Workspace.