02/25/2021 Update: Blog updated to support Certificate Authentication to Workspace ONE UEM
The AirWatch Provisioning App within Workspace ONE is still relatively new and although it has it quirks, it can still be useful in certain use cases.
So what is the AirWatch Provisioning App used for?
The app is designed for the use cases where there is no on premise ldap server that can be used with the Workspace ONE UEM Cloud Connector to synchronize users. This app can be used when users are created in Workspace ONE Identity via SCIM or JIT. Workspace ONE Identity will then create the users in Workspace ONE UEM.
Lets first discuss some important information about using the AirWatch Provisioning App in Workspace ONE:
- Currently, Workspace ONE will only provision at the top level (Customer) Organization Group (OG) in Workspace UEM.
- An LDAP Server can NOT be configured at the top level OG in Workspace ONE UEM (unless the users exist in the directory that will be created – but if this is the case, you shouldn’t be using the provisioning adapter)
- Workspace ONE Access needs to be configured as a SAML Provider at the top level OG.
- If you are using JIT to create users in Workspace ONE Identity, you MUST send a valid GUID to Workspace ONE has part of the SAML attributes. This is required if you plan on using the Workspace ONE Hub native application to enroll your device. This GUID will be mapped to the External ID and provisioned to Workspace ONE UEM. See https://www.uuidgenerator.net/ as an example.
- If you are using JIT to create users in Workspace ONE Identity, you need to use a web browser to log into Workspace ONE initially before using the Workspace ONE Hub native app. This limitation is because the user needs to exist in UEM at the time of enrollment.
Step 1: Export your Workspace ONE IDP Metadata
- Log into Workspace ONE Identity and go to Catalog -> Settings
- Click on SAML Metadata
- Download your “Identity Provider (IdP) metadata”
Step 2: Configure UEM to use SAML Authentication
- Log into Workspace ONE UEM
- Go to Group & Settings -> All Settings -> System -> Enterprise Integration -> Directory Services
- Ensure Directory Type is set to “None”
- Enable “Use SAML for Authentication”
- Under Enable SAML Authentication for*, check Self-Service Portal and Enrollment.
- Enable “Use New SAML Authentication Endpoint”
- In the SAML 2.0 section, click upload to Import Identity Provider Settings
- Select the metadata you downloaded in Step 1.
- Scroll down and click save.
Step 3: Add AirWatch Provision App in Workspace ONE Identity
- In Workspace ONE Identity, go to Catalog-> New
- Browse from the Catalog and select “AirWatch Provisioning”
- Click Next
- Edit the Single Sign-On URL and Recipient URL with your UEM server
- Keep the “default_access_policy_set” and Click Next
- Click Save
- Select the AirWatch Provisioning App and Click Edit
- Click Next
- On the Configuration Tab, enable “Setup Provisioning”
- Click Next
- Click the slider to enable Certificate Auth (Note: This assumes you’ve already enabled Workspace ONE UEM with Workspace ONE Access -> Identity Access Management -> Setup -> VMware Workspace ONE UEM
- Enter your top level OG Group ID
- Click Test Connection and validate connectivity.
- Click Enable Provisioning and Click Next
- Verify the mapping are correct. If you are using JIT, make sure all these attributes have come over in the SAML assertion.
- Under Group Provisioning, add any groups you want to provision to UEM.
- Click Next
- Click Save
Step 4: Entitle Users to the AirWatch Provisioning App
You have the option of entitling users individually or using a group. If you are using JIT you might want to consider using a dynamic group.
- Click the Assign button on the AirWatch Provisioning App
- Search for the user and/or group
- Under “Deployment Type” you MUST Select Automatic. If you leave the default “User Activated” it will never get provisioned to the user.
Step 5: Create a Dynamic Group (Optional)
If you are using JIT to create users into Workspace ONE, it easier to create a dynamic group and assign that group to the provisioning adapter.
- Click on “Users & Groups”
- Click on Groups
- Click Add Group
- Provide a group name and Click Next
- Do not select any users and Click Next
- Under Group Rules, you can either choose based on the JIT Directory that was created or the domain you chose for the JIT Users
- Click Next
- Click Next to exclude users
- Click Create Group
- If you receive the error “Error not provisioned” in the assignment screen and you hover over the error message and see “Failed to validate attributes while trying to provision user” this means that the values for the attributes you used in Attribute Mappings of the provisioning adapter configuration are either null or missing. Please make sure you create the user in Workspace ONE Identity with all the necessary attributes to create the account in Workspace ONE UEM. This includes the External ID. Please see the note at the beginning of the blog regarding the External ID
- While trying to enroll your device with the HUB application application you receive a generic error like “An Error has occurred”. See the note about External ID.
- When trying to provision the Mobile SSO profile you receive an error that the PrincipalName contains an invalid value.
- This means that you have probably created the Workspace ONE UEM account with an email as the Username. When the Mobile SSO certificate payload was created, it uses the username as the principal name on the certificate. Unfortunately you can not have the “@” character in the principle name. You have two choices to resolve this issue:
a) In the AIrWatch Provisioning Adapter mappings, use another attribute to represent the username that does not contain the @ sign. You might need to adjust the values being imported into Workspace ONE identity (whether by JIT or via the connector). Please make sure the username and the prefix of the UPN remain the same.
b) Use a lookup in Workspace ONE UEM to parse the prefix of the email address and use that in the certificate payload:
Group & Settings -> All Settings -> Devices & Users -> General -> Lookup Fields
Add Custom Field
Create a Name such as EmailNickName and use a regex such as “.+?(?=@)”
- You can then use “EmailNickName” in your Certificate Payload