VMware Workspace ONE Community
DeanVassallo
Contributor

Azure Active Directory (SAML Federation) integration with AirWatch

Has anyone had success following these instructions: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-airwatch-tutorial

We have Azure AD Premium P1 and AirWatch Green. The objective is for users to be able to self-enroll through the AirWatch Agent by authenticating with their Azure AD credentials. After configuration, the AirWatch Agent does redirect to the Azure AD sign-in page, but after inputting known good credentials it yields the error message 'Authentication response does not contain 'uid' nor configure username attribute.'

My sense is that the instructions are not correct. I have located a previously dated version of the instructions sourced from AirWatch (as opposed to Microsoft Azure) which varies slightly (https://support.air-watch.com/articles/115001665828). I've tested this configuration to no avail. This source also states 'Note added November 2016: Due to issues with the AirWatch app in Azure this method may not work correctly. Please contact AirWatch support for a workaround.'

I have a ticket open but am not optimistic about finding a resolution. Anyone have this functioning in their environment? Thanks.
29 Replies
janfondo
Enthusiast

Hi Dean,

I'm experiencing the exact same issue.
Also looking for support on this. However if I find a fix I will share.

Gr

Jan
DeanVassallo
Contributor

Hi Jan, I spent 3 days and many tens of hours on the phone with tier 3 and the team that writes custom enterprise integrations. They were unable to solve the problem, but I was able to glean enough information from watching them try and write the custom SAML connector that I was able to figure it out on my own. I have submitted my solution to them so they can update their documentation which is both missing information and contains incorrect information (same for the kbase article from Azure AD). I am in transit at the moment but I will post my solution as soon as I get to my office. Hope it will help you!
janfondo
Enthusiast

Hi Dean,

Much obliged! I'm looking forward to seeing the Solution and will let you know if it works.

Thanks

Jan
DeanVassallo
Contributor

For any variables or settings that I did not include, assume that they should not be set, or refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-airwatch-tutorial. This also assumes that everything is working on your Azure AD side: correct connector installed, users have an Azure AD Premium P1 license assigned, and the user or group in which the user is contained is 'assigned' the AirWatch App.

Directory Services

Server Tab
• Sign in URL: https://dsXXX.awmdm.com/DeviceManagement  (where XXX equals your tenant ID)
• Directory Type: None
• Use SAML for federation: Enabled
• Use New SAML Authentication Endpoint: Disabled

After importing federation.xml and saving

Under Request Section
• POST
• NameID Format: Email Address

Under Response Section
• POST

User Tab
• Base DN = WAAD
• User Object Class = person
• User search filter = (&(objectCategory=person)(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name={EnrollmentUser}))

Under Custom Attributes

• Object Identifier: http://schemas.microsoft.com/identity/claims/objectidentifier
• Username: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
• Display Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
• First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
• Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
• Email Address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

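Added diagnostic example (not from this thread, VMware or Microsoft): a Python check that parses a SAML Response and reports whether the NameID is in email format and whether each claim URI mapped in the Custom Attributes list above is actually present in the assertion. The sample response is constructed; in it the 'name' claim that the mapping uses for Username and Email Address is missing, which is the situation behind the "does not contain 'uid' nor configure username attribute" error from the original post.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# AirWatch custom attribute -> claim URI, as mapped in the post above.
AIRWATCH_MAPPING = {
    "Object Identifier": "http://schemas.microsoft.com/identity/claims/objectidentifier",
    "Username": CLAIMS + "name",
    "Display Name": CLAIMS + "surname",
    "First Name": CLAIMS + "givenname",
    "Last Name": CLAIMS + "surname",
    "Email Address": CLAIMS + "name",
}

def saml_attributes(response_xml):
    """Return {claim URI: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def check_response(response_xml, mapping=AIRWATCH_MAPPING):
    """Return (nameid_is_email, {airwatch_field: claim URI that is absent})."""
    root = ET.fromstring(response_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    nameid_ok = nameid is not None and nameid.get("Format") == EMAIL_FORMAT
    present = saml_attributes(response_xml)
    missing = {field: uri for field, uri in mapping.items() if uri not in present}
    return nameid_ok, missing

# Constructed sample (signature omitted): NameID is in email format, but the
# 'name' claim that AirWatch reads as Username and Email Address is absent, so
# the "does not contain 'uid' nor configure username attribute" error follows.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.com</saml:NameID>
  </saml:Subject><saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
```

Run `check_response` against a decoded SAMLResponse captured from a browser trace of the enrollment flow (after base64-decoding the POST parameter) to see which mapped claims the identity provider actually sent.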
janfondo
Enthusiast

Hi Dean,

This didn't work for me. I'm getting a 'something went wrong configuring federation services' when completing the AirWatch App on Azure.
So basically no information at all about where this error occurs.

Did you encounter this error before?

Gr

Jan
DeanVassallo
Contributor

Hi Jan,

Can you confirm that you exported the federation.xml file and imported it into the appropriate place on the AirWatch side?
janfondo
Enthusiast

Hi Dean,

That's the strange thing; this document describes a certificate and mentions no xml:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-airwatch-tutorial

I've downloaded the XML and uploaded it to the metadata field in AW.

Gr

Jan
janfondo
Enthusiast

Hi Dean,

I looked at the app and noticed it said configured. So I just tested on my device.
The redirect to Azure is working; however, when logging in I'm seeing: bad request.

Sounds familiar?

Gr

Jan
DeanVassallo
Contributor

Ok, so you're on the right track. Things to check: 1) Does the user you're testing with have Azure AD Premium P1, 2) Have you assigned them access to the AirWatch App in Azure AD, 3) Finally, double-check these configurations on the AirWatch side specifically:

Under Response Section
• POST

User Tab
• Base DN = WAAD (literally, this is the base DN for all Azure AD)
• User Object Class = person
• User search filter = (&(objectCategory=person)(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name={EnrollmentUser}))
janfondo
Enthusiast

Hi Dean,

Yes all is in place. I'm still getting the error:

The client has requested access to a resource which is not listed in the requested permissions in the clients application registration.

Shall I send you some credentials to my UAT environment so you can check the settings?

Gr

Jan
DeanVassallo
Contributor

How are you testing? Enrollment through the agent (OS X or Windows), or are you testing against a URL like the mydevice or enroll URLs?
janfondo
Enthusiast

Hi Dean,

I'm testing with the Agent via device URL and OU.

Gr

Jan
janfondo
Enthusiast

Hi Dean,

It's working!

Thanks!

Jan
RezaDaniels
Contributor

Hi

Jan B., can you please advise what you did to get this to work.

I have made all the necessary changes and I still get an error, 'bad request'.

My sign-on URL in the Azure AirWatch app is configured with the following: https://deviceserver/Enroll?gid=GroupID.

Another challenge is that the user's samaccountname and email address are not the same.
samaccountname = u123456@domain.co.za
emailaddress = johndoe@domain.co.za

Within the AirWatch console I have the following configured.

User search filter: (&(objectCategory=person)(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/samaccountname={EnrollmentUser}))

I exported the AirWatch service provider settings and imported them into ADFS during the process of creating a relying party trust.

Is there anything else I can try?
janfondo
Enthusiast

Hello Reza,

In the Azure portal, are you using the classic view or the newer console?

gr

Jan
RezaDaniels
Contributor

Hi Jan B

It is the new Azure console; I can't seem to switch to classic.
janfondo
Enthusiast

Hi Reza,

Alright. That's great. Please check the following:

On the Azure AD portal in the Airwatch App - check the single sign on settings.

- Sign on URL - https://dsxxx.awmdm.com/DeviceManagement
- User Identifier: user:userprinciplename

Also change your User Search Filter to: (&(objectCategory=person)(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name={EnrollmentUser}))

Can you try that?
RezaDaniels
Contributor

Hi Jan

I made the changes to the above but I am still getting a bad request error.

This is the error message I am getting.

AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: edd3e09c-720f-4e77-8dfe-06927cbe1308. Resource value from request: . Resource app ID: 00000002-0000-0000-c000-000000000000. List of valid resources from app registration.

RezaDaniels
Contributor

Hi Guys

Any ideas on what I can try next, or any log files I can look at to troubleshoot further?