VMware Workspace ONE Community
almostIT
Enthusiast

SaaS UEM admin accounts

SaaS UEM version 22.9.0.0 (2209)

We have integrated on-premises AD and SAML enabled for enrollment and admins.

However, when I try to use an AD account for admin access, and not a "Cloud Services Admin" account, it fails and says...

"Your Workspace ONE UEM account has been locked. Please reset your password to unlock your account or contact your IT Administrator."

It's not locked. 

The cloud services accounts work fine, but I'd like to have admins, without those accounts, work in sub-organizational groups and those users come from integrated AD. 

I get the feeling VMware doesn't want AD accounts used for admins. 

"This tenant is enabled with Workspace ONE Cloud Admin Hub. Administrators created in UEM will only have access to UEM. Add the administrator in Cloud Services to enable access to Workspace ONE services."

3 Replies
psiwi1
Enthusiast

Ensure Admin is also selected in your SAML integration

[attached screenshot: psiwi1_0-1667345353261.png]

almostIT
Enthusiast

psiwi1 - I already had that checked.

My on-premises AD is replicating an "admins" group to Azure, which is then synced with WS1 UEM. The same "admins" group is set within UEM for that role.

The login behavior for an admin is inconsistent. Sometimes it will be short, and only prompt me for a username and password, then fail. Other times it'll go through the entire two-factor authentication process (which is more the expectation) but in the end fails to log in. I keep clearing the browser cache to see if that's messing with the login process, but it doesn't make a difference.

Other accounts work fine. The enrollment part works fine for users. I just cannot seem to get the admin users to log in this way; it's really bizarre.

I would have thought if enrollment works, the admin part would work too, so long as the user/groups were set within UEM for the "admin role", but it's just not the case.

almostIT
Enthusiast

Alright. I'm onto something.

Apparently when I'm on the login screen for cn700.awmdm.com, I can't use just my email. I have to add in my domain name as well.

my.domain.com\my.adminaccount@my.domain.com <-- like this

This works; I even got the 2FA prompts. Not what I expected. But it's something.

After login I do get: "The 'objectGUID' attribute, which is required to securely authenticate administrators into the Console, is missing from your Identity Provider SAML response."

Suppose I'll have to fix that. I'll update with the final configuration if I find one that works FLAWLESSLY.

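The last post narrows the problem down from "account locked" to a SAML assertion that lacks the attribute UEM needs to identify an admin. When troubleshooting this kind of failure it helps to inspect the actual SAMLResponse the IdP sends (it can be captured from the browser's network tab as the base64 form value) rather than guessing from the error page. The script below is an added example written for this thread, not code from VMware or from the posters: it decodes a SAMLResponse, lists the attributes in the assertion, and reports which required attributes are missing or empty. The required attribute name "objectGUID" is taken from the error message quoted above; the exact claim name or URI format that UEM expects is an assumption here, so the check matches on the bare name after any URI prefix. Both sample responses are constructed, with placeholder values.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence

# SAML 2.0 namespaces used in a Response/Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: an assertion that carries only an e-mail claim.
# This is the shape that would trigger the "objectGUID is missing" error.
SAMPLE_MISSING_GUID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>my.adminaccount@my.domain.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>my.adminaccount@my.domain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: same assertion plus an objectGUID attribute (placeholder value).
SAMPLE_WITH_GUID = SAMPLE_MISSING_GUID.replace(
    "</saml:AttributeStatement>",
    '<saml:Attribute Name="objectGUID">'
    "<saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>"
    "</saml:Attribute></saml:AttributeStatement>",
)


def decode_saml_response(b64_form_value: str) -> str:
    """Turn the base64 SAMLResponse POST parameter back into XML text."""
    return base64.b64decode(b64_form_value).decode("utf-8")


def saml_attributes(response_xml: str) -> Dict[str, List[str]]:
    """Map each attribute Name in the AttributeStatement to its list of values.

    For responses captured from an untrusted source, parse with defusedxml
    instead of the stdlib parser used here for portability.
    """
    root = ET.fromstring(response_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[name] = values
    return attrs


def missing_required_attributes(
    response_xml: str, required: Sequence[str] = ("objectGUID",)
) -> List[str]:
    """Return the required attribute names that are absent or have no non-empty value.

    Claim names are often full URIs, so the comparison uses the last path
    segment, case-insensitively. Which form UEM itself accepts is assumed here.
    """
    present = {
        name.rsplit("/", 1)[-1].lower()
        for name, values in saml_attributes(response_xml).items()
        if any(values)
    }
    return [r for r in required if r.lower() not in present]


if __name__ == "__main__":
    # Round-trip through base64 the way the value appears in the browser's network tab.
    encoded = base64.b64encode(SAMPLE_MISSING_GUID.encode("utf-8")).decode("ascii")
    xml_text = decode_saml_response(encoded)
    print("attributes present:", sorted(saml_attributes(xml_text)))
    print("missing:", missing_required_attributes(xml_text))
```

An empty `missing` list means the IdP is already sending the attribute and the fault lies in the UEM-side mapping or the directory sync; a non-empty list points at the IdP's claim rules, which is where the poster's error message says the fix belongs.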