Hi,
We had a customer with this exact same issue and I have spent the last few weeks investigating. Today we got everything working once we added the 'Reply URL' in the AirWatch Azure App (Second Step - Configure App Settings).
Note: Replace enrol.telstra.com with your hosted or dedicated AirWatch URL
SignOn URL: https://enrol.telstra.com/Enroll?gid=<enter your org group id>
Identifier (Optional): AirWatch
Reply URL: https://enrol.telstra.com/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost
As per the other posts here, the AirWatch and Microsoft documentation is missing (or unclear on) the following:
- AirWatch Directory Services > User Tab > User search filter = (&(objectCategory=person)(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name={EnrollmentUser}))
- The AirWatch App in Azure no longer displays 'Download Certificate' > 'Download metadata' gives you a federation.xml which you upload into AirWatch SAML 2.0 (Import Identity Provider Settings). Note: the certificate and settings don't appear until you press Save.
- I have found customers are unclear that 'Use Azure for Identification' is configured via the 'AirWatch by VMware' app in Azure and 'Use SAML for Authentication' is configured with the 'AirWatch' app in Azure.
- The AirWatch and Microsoft guides now have steps that state you need to create basic accounts. Using the settings above during testing, the accounts are dynamically provisioned into AirWatch (i.e. accounts are automatically added and there is no need to create basic accounts).
- Ensure you have set up the Windows Auto-Discovery Configuration in AirWatch to point enterpriseenrollment.yourdomain.com to enterpriseenrollment.awmdm.com (an SSL certificate with the common name enterpriseenrollment.yourdomain.com is also required).
Thanks,
Gary Cutri
Hello, I've also run into some issues while attempting to configure SSO using the information that Gary Cutri provided.
(Thanks Gary! You are the only source of information I've found for the 'new' Azure portal method of doing the AirWatch SAML integration)...
I launch the AirWatch agent and enter my email address - the server name and group are automatically populated and I'm redirected to the following page 'https://dsXXX.awmdm.com/DeviceManagement/Enrollment/complete-samlAuthentication' and the following error message appears: 'Please enter the characters shown in the image below. ?? Unexpected Error Occured'
(the incorrect spelling of occurred as occured is actually what appears in the error message)
When I double-check my AirWatch console, the Azure user was not automatically created...
Has anyone else received this error?
If so, were you able to get past it, and how?
Thanks - Walter
Hi guys,
I got this implemented and working now.
Hi Dean,
Need help on this. I am getting an error.
Sharing my config.
Still it is not working for me.
Hello,
I am able to hit the sign-in page, but unable to sign in the user. It's showing this error - AADSTS50011: The reply url 'https://ds***.awmdm.com/IdentityService/SAML/binding=HttpPost' specified in the request does not match the reply URLs configured for the application 'AirWatch'. Make sure the reply URL sent in request matches one added to your application in Azure portal.
Can anyone please help. It's urgent.
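The check behind Gary's 'Reply URL' note in the first post and the AADSTS50011 error in the last one can be reproduced offline. The Python below is an added example written for this page, not AirWatch or Azure code: it decodes a SAMLRequest parameter as sent by the HTTP-Redirect binding (base64 over raw DEFLATE), pulls out the AssertionConsumerServiceURL the service provider asked for, and reports which URL components differ from the reply URLs registered on the IdP app. The host mdm.example.com, the request contents and the configured URL list are constructed placeholders; the matching rule (case-insensitive scheme and host, exact path and query) is an assumption for illustration, not Azure AD's documented algorithm.

```python
"""Compare the ACS URL inside a SAML AuthnRequest with the IdP's registered reply URLs.
Added example for this thread; not AirWatch or Azure AD code."""
import base64
import zlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed: reply URLs as registered on the Azure app, in the form the thread uses.
# mdm.example.com stands in for the tenant's hosted or dedicated AirWatch host.
CONFIGURED_REPLY_URLS: List[str] = [
    "https://mdm.example.com/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost",
]


def build_authn_request(acs_url: str, issuer: str, request_id: str = "_example1") -> str:
    """Constructed minimal (unsigned) AuthnRequest carrying an explicit ACS URL."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_request(saml_request: str) -> str:
    """Inverse of encode_redirect_request; input is the SAMLRequest query parameter value."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def extract_acs_url(xml_text: str) -> Optional[str]:
    """Return the AssertionConsumerServiceURL attribute, or None if the request omits it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("AssertionConsumerServiceURL")


def compare_reply_url(requested: str, configured: str) -> List[str]:
    """List the URL components that differ; an empty list means a match.
    Assumed rule: scheme and host compare case-insensitively, path and query exactly."""
    a, b = urlparse(requested), urlparse(configured)
    differs = []
    if a.scheme.lower() != b.scheme.lower():
        differs.append("scheme")
    if a.netloc.lower() != b.netloc.lower():
        differs.append("host")
    if a.path != b.path:
        differs.append("path")
    if parse_qs(a.query, keep_blank_values=True) != parse_qs(b.query, keep_blank_values=True):
        differs.append("query")
    return differs


def check_saml_request(saml_request: str, configured: List[str]) -> Dict[str, object]:
    """Decode the request and report whether its ACS URL matches a registered reply URL."""
    acs = extract_acs_url(decode_redirect_request(saml_request))
    if acs is None:
        # No ACS URL in the request: the IdP replies to its registered default; nothing to compare.
        return {"acs_url": None, "matched": True, "closest": None, "differs": []}
    closest = min(configured, key=lambda c: len(compare_reply_url(acs, c)))
    differs = compare_reply_url(acs, closest)
    return {"acs_url": acs, "matched": not differs, "closest": closest, "differs": differs}


if __name__ == "__main__":
    # Constructed mismatch in the shape of the AADSTS50011 error quoted above.
    bad = build_authn_request("https://mdm.example.com/IdentityService/SAML/binding=HttpPost", "AirWatch")
    print(check_saml_request(encode_redirect_request(bad), CONFIGURED_REPLY_URLS))
    good = build_authn_request(CONFIGURED_REPLY_URLS[0], "AirWatch")
    print(check_saml_request(encode_redirect_request(good), CONFIGURED_REPLY_URLS))
```

To use this against a live failure, copy the SAMLRequest parameter from the redirect to login.microsoftonline.com (browser developer tools, Network tab) and pass it to check_saml_request together with the reply URLs shown on the app's Azure registration; the "differs" list tells you whether the path (DeviceManagement/SAML/AssertionService.ashx versus IdentityService/SAML) or only the query string (binding=HttpPost) is what has to change.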