ZENworks Mobile Management 3.0 introduced support for the SAML protocol as a means to authenticate end users. ZENworks Mobile Management can use SAML for authentication at the following times:
Prior to downloading the MDM profile on initial enrollment of iOS devices
When performing initial enrollment of the MDM application for Android
To grant access to the User Self-Administration Portal
To grant access to the web-based Managed Applications list
The purpose of this solution is to show you how you can configure ZENworks Mobile Management as a Service Provider that uses the NetIQ Access Manager as a SAML Identity Provider. The benefits of using SAML for ZENworks Mobile Management authentication include:
Allows you to leverage any existing advanced authentication methods you have in place through Access Manager that are supported by the mobile devices
Provides a common end user experience for the user to authenticate
The diagram below shows the basic flow of information that occurs when ZENworks Mobile Management is configured to use SAML.
The rest of this solution provides instructions on how to setup a simple scenario that can be used to test how SAML works in conjunction with a NetIQ Access Manager server that has been configured as a SAML2 Identity Provider.
Configure NetIQ Access Manager to Authenticate users against Active Directory
For the purposes of this solution, I have used the NetIQ Access Manager 4.0.1 Linux Appliance installed on a Microsoft Hyper-V host. The selection of this environment was based solely on the fact that it was the easiest thing to install and configure in my environment. Certainly if you are already utilizing NetIQ Access Manager in your environment you may use that existing IDP. But in my personal experience I found that I couldn’t explain SAML to my team without having done it once myself. This section of the document describes the steps I took once I had installed the Access Manager appliance.
Open a web browser and browse to the Access Manager admin console at https://<server>:8443/nps
Login as admin with the password you configured during the install.
Ensure that SAML 2.0 is configured for the Identity Server.
From the console select Devices > Identity Servers > IDP-Cluster
Ensure that under Enabled Protocols the SAML 2.0 protocol is enabled.
Configure Active Directory as your authentication source.
Select the Local tab.
In the Name field, enter a descriptive name.
In the Admin name field, enter the full dn, in LDAP format) of a user with Domain Admin privileges in Active Directory.
Enter the user’s password twice.
For the Directory type, select Active Directory.
Under Server replicas, click New.
Enter a name for the replica.
Enter the IP address or DNS name of your Active Directory server.
(optional) If the LDAP server is configured to allow SSL, check the Use secure LDAP connections checkbox.
(optional) If you chose to use secure connections, click Auto import trusted root to import the Trusted Root certificate into the database so that Identity Manager can establish the session.
Under Search Contexts enter the LDAP path of the container or parent container where the user’s that you want to authenticate exist.
(optional) In the Scope dropdown select Subtree if you want users in the child containers of the selected container to be able to authenticate.
Click OK to save the changes. The configure should look something like the screen shot below:
Configure Active Directory to be the default User store for authentication.
Click the Defaults sub tab of local.
In the User Store dropdown select the Active Directory user store you added.
Click Apply to save the change.
Configure ZENworks Mobile Management
Now that the Access Manager server is configured to act as a SAML IDP you can configure ZENworks Mobile Management to trust it as an IDP. To do this:
View the SAML IDP metadata and save it to a file.
In a separate browser tab, browse to https://<server>/nidp/saml2/metadata
Save the contents of the page displayed to a file called idpmetadata.xml
Close the browser tab.
Configure the ZENworks Mobile Management server to recognize the SAML server as a trusted IDP.
In another browser tab, open the ZENworks Mobile Management admin console at https://<server>/dashboard.
In the SAML Display Name field, enter a descriptive name.
Click the Browse button next to XML Metdata and select the idpmetadata.xml file that you downloaded from the SAML server.
Click the Export button next to Export Metadata field, this will be used during configuration of the Service Provider definition in Access Manager.
In the SAML domain field, enter the domain portion of your user’s email addresses as listed in Active Directory. For instance if your users are email@example.com then the SAML Domain value would be email.com. this should end up with the form looking something like this:
Click Save Changes. You have now successfully configured ZENworks Mobile Management to use SAML authentication for the email.com domain.
Configure a Service Provider Definition in Access Manager
The final step is to configure the Access Manager server to recognize the ZENworks Mobile Management server as a Service Provider. To do this:
Go back to the browser tab that has the Access Manager console open.
On the SAML 2.0 tab select the Trusted Providers subtab.
Click New > Service provider.
In the Provider Type dropdown, select General.
In the Source dropdown, select Metadata Text.
In the Name field, enter ZENworks Mobile Management.
In the Text field, past the contents of the metadata.xml file that you exported from the ZMM dashboard.
At the certificate verification screen, click Finish.
Click the ZENworks Mobile Management link to view the details of the Service Provider.
Configure the IDP to return the email address as an identifier after successful authentication.
In the Attribute set dropdown, select OIOSAML.
In the Available list, highlight Ldap Attribute: sn [LDAP Attribute Profile], Ldap Attribute: cn [LDAP Attribute Profile], and Ldap Attribute: mail [LDAP Attribute Profile]
Click the Authentication Response subtab.
In the Bindings dropdown, select Post.
In the Name Identifier list, uncheck all of the boxes except – E-mail and Use proxied requests.
In the Value dropdown next to E-mail, select Ldap Attribute:mail [LDAP Attribute Profile]. This should end up looking like the dialog below:
Make the new change active on the Identity Provider.
Select Devices > Identity Servers.
Click the checkbox in front of the server.
Select Actions > Update Servers.
Select to update all configuration.
Test Enrollment via SAML
With the changes to both the SAML IDP and the ZMM server complete you are ready to test the authentication. You can do this by either using the web enrollment capabilities for iOS by browsing to https://<zmmserver>/mobile/ios or by attempting to enroll the device from either the iOS and Android app. When enrolling make sure that you enter the username and the domain that matches the domain you specified in ZMM (email.com in our example). When the device sends the request it will then be redirected to the Access Manager authentication page, similar to the one shown below:
Once you enter your Active Directory credentials into the IDP authentication page the response is sent to the ZMM server and enrollment should complete successfully. You can now optionally go to the User object in ZMM and specify the LDAP server and ActiveSync server if you want to utilize LDAP group memberships or have corporate email provisioned to the device.
Hope you find this useful if you are new to SAML like I was. Next time we'll cover how the upcoming version of ZENworks Mobile Management 3.1 can be used to automatically provision Wifi and E-mail authentication certificates in conjunction with Active Directory Certificate Services.