Re: Azure Active Directory (SAML Federation) integ... - Page 2

DeanVassallo · ‎03-08-2017

Has anyone had success following these instructions: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-airwatch-tutorial

We have Azure AD Premium P1 and AirWatch Green. The objective is for users to be able to self-enroll through the AirWatch Agent by authenticating with their Azure AD credentials. After configuration, the AirWatch Agent does redirect to the Azure AD sign in page, but after inputting known good credentials it yields the error message ' Authentication response does not contain 'uid' nor configure username attribute.'

My sense is that the instructions are not correct. I have located a previously dated version of the instructions sourced from AirWatch (as opposed to Microsoft Azure) which vary slightly (https://support.air-watch.com/articles/115001665828). I've tested this configuration to no avail. This source also states ' Note added November 2016: Due to issues with the AirWatch app in Azure this method may not work correctly. Please contact AirWatch support for a workaround.'

I have a ticket open but not optimistic about finding a resolution. Anyone have this functioning in their environment? Thanks.

GaryCutri · ‎05-09-2017

Hi,

We had a customer with this exact same issue and I have spent the last few weeks investigating. Today we got everything working once we added the ' Reply URL' in the AirWatch Azure App (Second Step - Configure App Settings).

Note: Replace enrol.telstra.com with your hosted or dedicated AirWatch URL

SignOn URL: https://enrol.telstra.com/Enroll?gid=<enter your org group id>

Identifier (Optional): AirWatch

Reply URL: https://enrol.telstra.com/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost

As per the other posts here the AirWatch and Microsoft Documentation is missing (or unclear on the following):

- Airwatch Directory Services > User Tab > User search filter = (&(objectCategory=person)(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name={EnrollmentUser}))

- The AirWatch App in Azure no longer displays ' Download Certificate' > The Download metadata gives you a federation.xml which you upload into AirWatch SAML 2.0 (Import Identity Provider Settings). Note: The certificate and settings don't appear until you press Save.

- I have found customers are unclear that ' Use Azure for Identification' is configured via the ' AirWatch by VMware' app in Azure and ' Use SAML for Authentication' is configured with the ' AirWatch' app in Azure.

- The AirWatch and Microsoft guides now have steps that state you need to create basic accounts. Using the settings above during testing the accounts are Dynamically Provisioned into AirWatch (i.e. account are automatically added and there is no need to create basic accounts)

- Ensure you have setup the Windows Auto-Discovery Configuration in AirWatch to point enterpriseenrollment.yourdomain.com to enterpriseenrollment.awmdm.com (an SSL Certificate with the common name enterpriseenrollment.yourdomain.com is also required)

Thanks,

Gary Cutri

GaryCutri · ‎05-14-2017

To give a more detailed reply I have edited my post from above and provided additional info regarding Microsoft Business Store app deployments (i.e. the next part everyone is getting stuck trying to resolve).

Notes for URLs Below: in the URL below dsXXX equals your tenant ID.For Australian Customers on Telstra’s TMDM replace dsXXX.awmdm.com with enrol.telstra.com.Shared SaaS AirWatch environments such CN500 the URL is ds500.airwatchportals.com.Contact AirWatch Support or service provider if you are unsure of the correct URL.

Settings for AirWatch App in Azure

SignOn URL: https://dsxxx.awmdm.com/Enroll?gid= (e.g. https://dsxxx.awmdm.com/Enroll?gid=msoft )
Identifier (Optional): AirWatch
Reply URL: https://dsxxx.awmdm.com/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost

The AirWatch and Microsoft Documentation is missing (or unclear on the following):

- I have found customers are unclear that the AirWatch option ' Use Azure for Identification' is configured via the ' AirWatch by VMware' app in Azure and ' Use SAML for Authentication' is configured with the ' AirWatch' app in Azure.

- “A valid Azure subscription” = You must have a Premium Azure AD subscription to integrate Azure AD with AirWatch.Ensure “Intune” is also disabled for users enrolling into AirWatch

- All Current Documentation is missing AirWatch Directory Services > User Tab > User search filter = (&(objectCategory=person)(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name={EnrollmentUser}))

- The AirWatch App in Azure no longer displays ' Download Certificate' > The Download metadata gives you a federation.xml which you upload into AirWatch SAML 2.0 (Import Identity Provider Settings). Note: The certificate and settings don't appear in AirWatch until you press Save.

- The AirWatch and Microsoft guides now have steps that state you need to create basic accounts. Using the settings above during testing the accounts are Dynamically Provisioned into AirWatch (i.e. accounts are automatically added and there is no need to create basic accounts)

- Ensure you have setup the Windows Auto-Discovery Configuration in AirWatch or External DNS to point CNAME enterpriseenrollment.yourdomainname.com to enterpriseenrollment.awmdm.com (an SSL Certificate with the common name enterpriseenrollment.yourdomain.com is also required)

Extra Info: Deploying Microsoft Business Store Apps via AirWatch

Before you can deploy apps to Microsoft Devices (Using Auto Deploy) via AirWatch using the Microsoft Business App Store follow the AirWatch Microsoft MAM Guide (e.g. Create Store Admin Account, Set Account as Global Admin, Purchase Apps and Ensure ' AirWatch By VMware' app is activated in the store).Once you have completed the steps in the MAM guide you need to contact AirWatch Support to run a script to enable the “Import from BSP” (For Windows Desktop and Windows Phone) option that allows you to import or sync apps from the Microsoft Business Store into AirWatch.In order for Microsoft Business Store “Online” app versions to be imported your AirWatch Environment needs a Content Delivery Network (CDN), without a CDN you can still use the BSP import option to import “offline” versions of apps (Note: not all apps can be purchased as offline version in the Microsoft Store). To confirm you need to follow MAM Guide, Contact AirWatch to enable the BSP feature and then in AirWatch > Apps & Books > List View > Public Tab > Add Application > Select Platform = Windows Desktop or Windows Phone > Under Source select ' Import from BSP' > Press Next > A list of apps will appear > Press Finish > Wait a few minutes for the apps to Sync > Once Edit and or or Assignment appears the apps are ready to be assigned using the ' Auto Deploy' option.

Thanks,

Gary Cutri
gcutri@mobilenetwork.com.au

anonymousmigrat · ‎08-17-2017

Hello,

I've ran into some issues while attempting to configure sso.
Once I input my email on 'https://dsxxx.awmdm.com/MyDevice/Login', I am redirected to my azure tenant's sign on page.
After inputing my credentials I am redirected to 'https://dsxxx.awmdm.com/IdentityService/SAML/AssertionService.ashx?binding=HttpPost'
A sentence appears at the top of the screen stating 'Authentication response does not contain ' uid' nor configured username attribute'.
Anyone ever encounter this issue?

SpotJr · ‎09-15-2017

Hello, I've also run into some issues while attempting to configure SSO using the information that Gary Cutri provided.

(Thanks Gary! You are the only source of information I've found for the ' new' azure portal method of doing the airwatch SAML integration)...

I launch the AirWatch agent and enter my email address - the server name and group are automatically populated and I'm redirected to the following page ' https://dsXXX.awmdm.com/DeviceManagement/Enrollment/complete-samlAuthentication' and the following error message appears: Please enter the characters shown in the image below. ?? Unexpected Error Occured'

(the incorrect spelling of occurred as occured is actually what appears in the error message)

When I double check my AirWatch console, the Azure user was not automatically created...

Has anyone else received this error?

If so, were you able to get past it, and how?

Thanks - Walter

pilgrimm99 · ‎04-23-2018

Hi Walter. I know this is an older thread but were you able to resolve this error. I am having the same issue, among others.
Cheers

RezaDaniels · ‎10-12-2018

Hi guys
I have tried a number of things and cant seem to get SAML authentication working.
I tried all online guides and recommendations in this thread but still receive any error.
i get redirected to Azure AD, insert credentials and then receive this error message.
Message: AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'AirWatch'.
Root cause: The reply URL (ACS URL) sent in the SAML request doesn’t match the expected pattern https://domain/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost for the application configured in Azure AD.?
The Reply URL within the Azure Airwatch application is configured with the URL above.
is there anything else i can try.

PeterMohr · ‎01-04-2019

Hi Reza,

Did you try to set the Reply URLs with powershell ? The UI can only handle 1 URL, but with powershell you can set to anything you'd like:

#Connect-AzureAD
$sp = Get-AzureADServicePrincipal -SearchString ' AirWatch'
$app = Get-AzureADApplication -SearchString ' AirWatch'

$AWConsoleURL = ' https://awcs.conscia.mobi/'
$AWDeviceServiceURL = ' https://awds.conscia.mobi/'
$AWReplyURLs = @($AWConsoleURL, $AWDeviceServiceURL)

Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls $AWReplyUrls
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -ReplyUrls $AWReplyUrls

#check
$sp = Get-AzureADServicePrincipal -SearchString ' AirWatch'
$app = Get-AzureADApplication -SearchString ' AirWatch'
$sp.ReplyUrls
$app.ReplyUrls

GregRStar21 · ‎08-29-2019

Hi guys,

I got this implemented and working now.

jatinhisys · ‎05-27-2020

Hi Dean,

Need Help on this. I getting error

Sharing my config

Still It is not working for me

praneet1 · ‎11-26-2022

Hello,

I am able to hit the sign in page, but unable to sign in the user. Its showing this error - AADSTS50011 : The reply url 'https://ds***.awmdm.com/IdentityService/SAML/binding=HttpPost' specified in the request does not match the reply URLs configured for the application 'AirWatch' . Make sure the reply URL sent in request matches one added to your application in Azure portal.

Can anyone please help. Its urgent.

All

Azure Active Directory (SAML Federation) integration with AirWatch

Enterprise Integration