Product Documentation

Configuring a SAML Service Provider

Dec 21, 2015

Device Manager supports configuration of your own Security Assertion Markup Language (SAML) service provider, identity provider, and SAML-based infrastructure to authenticate users and their mobile devices. With your own SAML configuration, you do not need to pre-provision user account information in Device Manager, such as user names, group association, or other directory attributes. SAML implementations allow network administrators to provide single sign-on access to servers, web sites, and apps.

SAML Use Cases

  • Initial Registration of Mobile Device
    • The Device Manager agent should be able to register the device with the Device Manager server using the SAML token. No pre-provisioning of the user name, group association, or other directory attributes in the Device Manager server should be required.
  • Ongoing Authentication and Authorization for Policy Updates and Device Controls
    • Once the mobile device manager (MDM) agent registers the device and receives the initial policy updates, the mobile device must be able to re-authenticate with the IdP server each time the SAML token expires. This re-authentication lets the device receive policy updates and allows security actions such as lock, revoke, and wipe; it also lets the server learn when the user has changed groups in a way that might affect MDM policies or proper authorization.
  • Single Sign-On With Other SAML-Enabled Applications
    • After the mobile device registers with the SAML token, other SAML-enabled applications should be able to authenticate the user without prompting for the corporate credential to provide a single sign-on user experience. It needs to be determined whether all SAML-enabled applications, including popular ones, such as SF.com, Google Apps, Microsoft365, Box.net, and so on can be supported or only applications that are managed by Device Manager or written to the App SDK.
  • Decommissioning Devices and Removing Users
    • When a user is removed from the corporate directory (for example, when the user leaves the organization), there must be a mechanism to deactivate the user and decommission the user's devices in the Device Manager server.

SAML Test Requirements

  • Establish a "relying party trust" between the IdP server and the Device Manager Service Provider server, including the certificates required for the trust relationship.
  • Develop claim attribute mapping with User ID, Group Membership, Email Address, and other directory attributes.
  • Device Manager agent requests the SAML token from the customer IdP server and redirects back to the Device Manager server for mobile device registration.
  • SAML token on mobile device is presented to Device Manager server for device registration; Device Manager server validates the SAML token and extracts directory attributes; the device is registered and the user identity is created properly.
  • Device configuration appears as expected in the Device Manager console (for example, the software inventory).
  • All reports list devices and inventory properly.
  • Lock and revoke device using the Device Manager console security commands.
  • Change the user's group association from Group A to Group B. Push out different Device Manager policy updates to the devices for Group A and Group B. Verify that the device gets the proper (Group B) policy updates.
  • Access other SAML-enabled applications using HTML-based mobile apps to determine whether the user is prompted for corporate directory credentials to issue a separate SAML token.
  • Access other SAML-enabled applications using native mobile apps to determine whether the user is prompted for corporate directory credentials to issue a separate SAML token.
  • Remove the user from the directory; ensure that the device state is changed to inactive and that the user is removed automatically.
  • User is able to reactivate by re-registering the device using the same SAML-based process for initial registration.
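The registration step in the requirements above (the server validates the SAML token, extracts directory attributes, and creates the user identity) looks like this in Python. This is an added example, not Device Manager code: it assumes the XML signature has already been verified by an XMLDSig library and only checks that the Signature element is present; the IdP attribute names in CLAIM_MAP and the sample response are constructed.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Claim attribute mapping: IdP attribute name -> SP user field (assumed names).
CLAIM_MAP = {"uid": "user_id", "memberOf": "groups", "mail": "email"}

def parse_ts(value):
    # SAML UTC timestamp to an aware datetime (whole seconds only, for brevity).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, sp_entity_id, now):
    """Enforce the assertion's conditions, then return the mapped directory attributes.
    Assumes the XML signature was verified beforehand by an XMLDSig library (e.g. xmlsec);
    here we only require that the assertion carries a Signature element at all."""
    assertion = ET.fromstring(xml_text).find(".//saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        raise ValueError("missing or unsigned assertion")
    cond = assertion.find("saml:Conditions", NS)
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window (expired or not yet valid)")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion is not addressed to this service provider's Entity ID")
    user = {"name_id": assertion.findtext("saml:Subject/saml:NameID", None, NS)}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = CLAIM_MAP.get(attr.get("Name"))
        if field:  # attributes outside the claim mapping are ignored
            values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
            user[field] = values if field == "groups" else values[0]
    return user

# Constructed sample response; the signature value is a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion Version="2.0"><ds:Signature>placeholder</ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-12-21T10:00:00Z" NotOnOrAfter="2015-12-21T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://mdm.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="memberOf"><saml:AttributeValue>GroupB</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def demo():
    return validate_assertion(SAMPLE, "https://mdm.example.com/sp", parse_ts("2015-12-21T10:02:00Z"))
```

The same check run at or after NotOnOrAfter raises, which is the point at which the device must re-authenticate with the IdP for a fresh token.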

To add a SAML service provider

  1. Click Edit.
  2. In the Service Provider Configuration dialog box, click the General tab and then enter the following information:
    • Entity ID. The SAML Service Provider's Entity ID, a globally unique name given to a SAML entity. An entity ID is typically rooted in the organization's primary DNS domain.
    • Base URL. URL of the SAML Service Provider.
    • Organization name. The name of your company (optional).
    • Organization Description. Description of your company (optional).
    • Organization URL. The URL of your company (optional).
  3. On the Main Parameters tab, select the following options:
    • Supported Bindings
      • SAML Redirect. Select if your SAML server has implemented a URL redirect binding.
    • General
      • Sent SAML Request must be signed.
      • Received assertion must be signed.
      • Received assertion must be encrypted.
      • Passive mode enabled (anonymous connection).
  4. On the Contacts tab, you can enter the email addresses for the technical, support, and administrative contacts in your organization.
  5. On the Certificates tab, you can upload a certificate for the SAML connection and enter the Keystore password for SAML server authentication.
  6. Click Save.
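The General, Main Parameters, and Contacts fields in the procedure above correspond to elements of the SAML 2.0 service provider metadata that the IdP consumes when the relying party trust is established. The Python below is an added example, not Device Manager code; it builds that EntityDescriptor from the same fields. The AssertionConsumerService path and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("md", MD)

def md(tag):
    return f"{{{MD}}}{tag}"

def build_sp_metadata(entity_id, base_url, sign_requests, want_signed_assertions,
                      organization=None, contacts=None, acs_path="/saml/acs"):
    """Map the Service Provider Configuration fields to a SAML 2.0 EntityDescriptor.
    acs_path is an assumption: the page gives only the Base URL, not the ACS endpoint."""
    root = ET.Element(md("EntityDescriptor"), entityID=entity_id)
    # Main Parameters tab: "Sent SAML Request must be signed" / "Received assertion must be signed".
    sp = ET.SubElement(root, md("SPSSODescriptor"),
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned=str(sign_requests).lower(),
                       WantAssertionsSigned=str(want_signed_assertions).lower())
    ET.SubElement(sp, md("AssertionConsumerService"), index="0",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location=base_url.rstrip("/") + acs_path)
    if organization:  # General tab: Organization name / Description / URL; needs "name" and "url".
        org = ET.SubElement(root, md("Organization"))
        # Metadata has no description element; OrganizationDisplayName is the closest fit.
        for tag, text in (("OrganizationName", organization["name"]),
                          ("OrganizationDisplayName", organization.get("description", organization["name"])),
                          ("OrganizationURL", organization["url"])):
            ET.SubElement(org, md(tag), {XML_LANG: "en"}).text = text
    for contact_type, email in (contacts or {}).items():  # Contacts tab: technical/support/administrative
        person = ET.SubElement(root, md("ContactPerson"), contactType=contact_type)
        ET.SubElement(person, md("EmailAddress")).text = email
    return ET.tostring(root, encoding="unicode")

def demo():
    # Constructed sample values.
    return build_sp_metadata("https://mdm.example.com/sp", "https://mdm.example.com/", True, True,
                             organization={"name": "Example Corp", "url": "https://example.com"},
                             contacts={"technical": "saml-admin@example.com",
                                       "support": "helpdesk@example.com"})
```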

To configure a SAML identity provider

  1. In the Identity Providers tab, click New.
  2. In the General dialog box for the SAML Identity Provider, enter the following information:
    • Metadata URL. Web address used to access the SAML service provider metadata.
    • User domain. Domain under which the SAML metadata URL resides.
  3. Click Create.