cocorico-1
Contributor

Azure AD (SAML integration) with airwatch - hybrid mode

Hello,

Is it possible to use Azure AD with a SAML integration with Airwatch (which is in hybrid mode; I have an on-premises AD too)?

I get some authentication errors when I try to reach an Azure AD domain from a laptop.

Here is my configuration on Airwatch:

In Directory Services, as I have my internal AD, in the Server tab I have:

Directory type: LDAP - AD
Use SAML for authentication: enabled
Enable SAML for: Enrollment/Self Service Portal
Use new SAML authentication endpoint: enabled

-- In SAML 2.0
Service Provider ID: Airwatch
Identity Provider ID: url with AAD tenant

-- In Request
Request binding type: POST
Authentication response security: None
Identity Provider SSO URL: https://login.microsoftonline.com/mytenant/saml2
NameID Format: email address

-- In Response
Response Binding Type: POST
Authentication response security: None

-- In Certificate
Azure AD integration: Enabled
Directory ID: my tenant
Use AD for identity Services: Enabled

In the User tab:
I have my domain & my Base DN configured, and:
User Object Class: person
User search filter: (&(ObjectCategory=person)(sAMAccountName={EnrollmentUser}))
No custom attributes

My questions: should I put None in Directory Type, as I've read in some documentation? Should I write custom attributes and a new Base DN to fit with AAD?

Thank you for your help

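One way to check whether an Azure AD SAML response actually matches the UEM settings listed in the question (Identity Provider ID vs. the assertion Issuer, Service Provider ID vs. Audience, NameID format, and whether "Authentication response security: None" is tolerating an unsigned assertion). This is an added example, not code from the thread or from Workspace ONE; the tenant GUID, e-mail address and the response XML are constructed placeholders, and the expected Issuer follows Azure AD's https://sts.windows.net/<tenant-id>/ form.

```python
# Added example: sanity-check a SAML Response against the UEM SAML settings above.
# Tenant GUID, e-mail and XML are constructed; only the SAML namespaces are real.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_saml_response(xml_text, expected_issuer, expected_audience):
    """Return findings (strings); an empty list means the response fits the SP config."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"]
    findings = []
    # 'Identity Provider ID' in UEM must equal the Issuer Azure AD writes into the assertion
    # (note: this is not the SSO URL under login.microsoftonline.com)
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    # 'Service Provider ID' in UEM must equal the Audience Azure AD was configured with
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             default="", namespaces=NS).strip()
    if aud != expected_audience:
        findings.append(f"audience mismatch: {aud!r} != {expected_audience!r}")
    # 'NameID Format: email address' in UEM requires the emailAddress format on the NameID
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID missing or not emailAddress format")
    # With 'Authentication response security: None' UEM does not insist on a signature;
    # report an unsigned response so the operator knows what that setting is accepting
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither Response nor Assertion is signed")
    return findings


SAMPLE_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # constructed
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>Airwatch</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE_RESPONSE, SAMPLE_ISSUER, "Airwatch"):
        print("FINDING:", finding)
```

Feeding it a real response captured from the browser (decoded SAMLResponse form field) shows immediately whether the Identity Provider ID was set to the SSO URL by mistake.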
3 Replies
ogushia
Enthusiast

Hi,
I think you don't have to set Directory Type to None.
Your case may fit [Hybrid Azure AD Model using Azure AD Connect] in the following TechZone document:
https://techzone.vmware.com/enrolling-windows-10-devices-using-azure-ad-workspace-one-uem-operationa...

cocorico-1
Contributor

Hi, thanks for the reply!

Finally, we created another OG which is configured to reach our Azure AD.

But we still have a problem when we try to enroll a PC through the Access Work or School setting in Windows 10 with our AAD account:

"The resource principal named <mdm url> was not found in the tenant named xxxx. This can happen if the application has not been installed by the admin of the tenant or consented to by any user in the tenant. you might have sent your authentication request to the wrong tenant"

Has anyone ever had this issue?

Thanks!

psiwi
Enthusiast

Hi,

I have successfully set up Azure AD with SAML integration by using the blog by Charlie Hodge here:

https://blog.eucse.com/azure-saml-into-workspace-one-uem/#:~:text=An%20ever%20increasing%20solution%...

This should be enough to guide you.