SAML - Azure Active Directory

Related Video: Configure Single Sign-On

KACE Cloud MDM subscribers can use Azure Active Directory Server when setting up single sign-on (SSO). Configuring SSO to use Azure AD lets users sign in to KACE Cloud using their managed Azure AD accounts.

 


Tip: To set up an identity provider protocol using SAML and ADFS, open both KACE Cloud MDM and your Azure Active Directory Server.

In KACE Cloud MDM:

Select SAML v2.0:

  1. Select the Settings tab in the top navigation.
  2. Choose Single Sign-On in the left navigation.
  3. Select SAML v2.0.

1. Copy the redirect URL to configure the identity provider.

The following steps outline the process for Azure AD:

  1. In Azure AD, select App registrations in the left panel of the main directory.
  2. Click New registration to register the new KACE Cloud MDM app.
  3. Provide the following:

    • Name: Example: KACE Cloud MDM
    • Supported account types: Select the default 'Accounts in this organizational directory only', which corresponds to 'Single tenant' for most scenarios.
    • Redirect URI: [Copied from the KACE Cloud MDM SSO Wizard]

    IMPORTANT: When selecting the Redirect URI, be sure Web is selected from the dropdown to ensure the correct value.

  4. Click Register.

Next, configure the app registration's Application ID URI property.

After you click Register in the previous step, the detail pages of the new application registration will be displayed.

  1. In the left panel, select Expose an API.

  2. Next to the Application ID URI field at top of page, click Set.

  3. In the Set the App ID URI field, replace the URL in the value field with the redirect URL copied from the KACE Cloud MDM SSO Wizard.

    IMPORTANT: BEFORE you click Save you must delete /broker/heliumsso/endpoint from the end of the pasted URI.

  4. Click Save.

 


2. Import configuration URL from identity provider.

The following steps outline the process for Azure AD:

  1. In the new Application Registration detail pages, select Overview in the left panel.
  2. Click Endpoints.
  3. Copy the URL from the Federation Metadata Document field.
  4. Paste the URL into the Import from URL field in the KACE Cloud MDM SSO Wizard.
  5. Click Import.

Once imported, the majority of information will be populated in the main SSO configuration screen of KACE Cloud MDM.

Note: The location of the SSO configuration file/URL varies based on identity provider. If you are unable to determine where the file/URL is located within your identity provider's UI, please reference their documentation.

 


3. Configure identity provider to send group information.

You can configure your identity provider to send information for values such as security group and distribution list membership.

To configure group information in Azure AD, you need to update the manifest:

  1. Locate and open the KACE Cloud MDM App registration to display details and settings.
  2. Click Manifest in left navigation.
  3. Update the manifest to include group membership claims by changing the value of "groupMembershipClaims" from null to "SecurityGroup". You can also change the value to "All" if you'd like to send security group and distribution list membership information.
  4. When you have updated the manifest, click Save.

 


4. Update SAML settings.

1. Enable the Validating Certificates text box: The certificates field is not visible until the 'Validate signatures of identity provider requests/responses' box is checked.

IMPORTANT: We highly recommend leaving the 'Validate signatures of identity provider requests/responses' box checked to ensure optimal security. The option should only be disabled for troubleshooting purposes.

Note: If the certificate value was included in the FederationMetadata.xml document constructed in Step 1, it should be displayed in the Validating Certificates text box; if not, you will need to manually paste in the appropriate value.

2. Click Save Settings at bottom of page.
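As an added example (not KACE Cloud MDM code and not part of this guide), the Python below parses a SAML federation metadata document like the one imported in Step 2, pulls out the IdP signing certificates that belong in the Validating Certificates field, and reports which configured certificates are missing or stale by SHA-256 fingerprint. The metadata is a constructed sample with an all-zeros tenant ID and placeholder certificate bytes, not a real Azure AD tenant's document.

```python
"""Extract IdP signing certificates from SAML metadata and diff them against the configured list."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the tenant ID is all zeros and the certificate blob decodes to the
# placeholder bytes "MIICplaceholder cert 1", not to a real X.509 certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          TUlJQ3BsYWNlaG9sZGVyIGNlcnQgMQ==
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def _decode_cert(b64_text):
    # Metadata and pasted PEM bodies wrap the base64 across lines; strip all whitespace first.
    return base64.b64decode("".join(b64_text.split()), validate=True)

def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, the value to compare across systems."""
    return hashlib.sha256(der).hexdigest()

def signing_certificates(metadata_xml):
    """Return the DER bytes of every IdP signing certificate in the metadata."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # Per the SAML metadata spec, a KeyDescriptor with no 'use' serves signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        certs += [_decode_cert(x.text or "") for x in kd.findall(".//ds:X509Certificate", NS)]
    return certs

def validating_cert_drift(configured_b64, metadata_xml):
    """Fingerprints in metadata but not configured ('missing') and configured but gone ('stale')."""
    configured = {fingerprint(_decode_cert(c)) for c in configured_b64}
    current = {fingerprint(c) for c in signing_certificates(metadata_xml)}
    return {"missing": sorted(current - configured), "stale": sorted(configured - current)}
```

A non-empty "missing" list is the condition behind the "invalidFederatedIdentityActionMessage" error in the Troubleshooting section, which the daily refresh option is meant to prevent.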

 


5. Confirm user attribute mappings.

In KACE Cloud MDM:

At this point in the setup, user attribute mappings will be pre-populated.

Note: User attribute mappings will pre-populate consistently for Azure AD, Okta, and Auth0; however, some providers may use different names for common attributes. When using a different identity provider, please confirm the naming conventions for common attributes and add them manually.

 


6. Assign user roles.

The following steps outline the process for Azure AD:

Assigning user roles:

  1. Click Add Role Assignment.
  2. In the Role dropdown, select Device Administrator or Device User.
  3. To locate the Description in Azure AD:
    1. Select Users and groups in the left panel of the main directory.
    2. Select All groups.
    3. Locate the group, then open it to see its details.
    4. Copy the Display name of the group and paste it into the Description field in the KACE Cloud MDM SSO Wizard.
  4. To locate the Attribute Name in Azure AD:
    Copy the following URL http://schemas.microsoft.com/ws/2008/06/identity/claims/groups and paste it into the Attribute Name field in the KACE Cloud MDM SSO Wizard.
  5. To locate the Attribute Value in Azure AD:
    1. Follow the same instructions used to locate the Description, then:
    2. Copy the Object ID of the group (shown in screenshot above) and paste it into the Attribute Value field in the KACE Cloud MDM SSO Wizard.
    3. Click Save Settings.

Note: The locations and definitions for these values vary based on identity provider.
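As an added example (not KACE Cloud MDM code), the Python below shows what the Step 6 mapping amounts to: it reads the groups claim out of a SAML assertion's AttributeStatement, matches group object IDs against the configured role assignments, and separates the two failure modes the Troubleshooting section describes (no groups claim at all versus a claim with no matching group). The assertion builder, group IDs and user name are constructed placeholders.

```python
"""Resolve KACE Cloud role assignments from the groups claim in a SAML assertion."""
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": ASSERTION_NS}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed role assignments mirroring the Step 6 fields
# (Description, Attribute Name, Attribute Value, Role); the object IDs are placeholders.
ASSIGNMENTS = [
    ("MDM Admins", GROUPS_CLAIM, "11111111-1111-1111-1111-111111111111", "Device Administrator"),
    ("All Staff", GROUPS_CLAIM, "22222222-2222-2222-2222-222222222222", "Device User"),
]

def build_assertion(groups):
    """Constructed, unsigned assertion carrying only an AttributeStatement, for local testing.
    groups=None omits the groups claim entirely, which is what Azure AD sends while
    groupMembershipClaims is still null."""
    values = "".join(f"<AttributeValue>{g}</AttributeValue>" for g in groups or [])
    groups_attr = f'<Attribute Name="{GROUPS_CLAIM}">{values}</Attribute>' if groups is not None else ""
    return (f'<Assertion xmlns="{ASSERTION_NS}"><AttributeStatement>'
            '<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">'
            '<AttributeValue>user@example.com</AttributeValue></Attribute>'
            f"{groups_attr}</AttributeStatement></Assertion>")

def attribute_values(assertion_xml, name):
    """Values of the named SAML attribute (lower-cased), or None when the attribute is absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip().lower() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return None

def resolve_roles(assertion_xml, assignments=ASSIGNMENTS):
    """Roles granted: every assignment whose Attribute Value appears in the named claim."""
    roles = set()
    for _description, attr_name, attr_value, role in assignments:
        if attr_value.lower() in (attribute_values(assertion_xml, attr_name) or []):
            roles.add(role)
    return roles

def diagnose(assertion_xml, assignments=ASSIGNMENTS):
    """Explain why a login the IdP accepted would still be rejected by the role mapping."""
    roles = resolve_roles(assertion_xml, assignments)
    if roles:
        return "ok: " + ", ".join(sorted(roles))
    if attribute_values(assertion_xml, GROUPS_CLAIM) is None:
        return "no groups claim in assertion: check groupMembershipClaims in the app manifest (Step 3)"
    return "groups claim present but no assigned group matched: check the Attribute Value object IDs (Step 6)"
```

Azure AD replaces the groups claim with a groups.link overage claim when a user belongs to more than 150 groups in a SAML token, so diagnose() would report the claim as absent for such users even with the manifest set correctly.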

 


7. Enable and test single sign-on.

After completing Steps 1 through 5, enable and test single sign-on for end users at their next login:

  • Check Enable single sign-on at the top of SSO Wizard page, then click Save Settings.

Warning: Before checking the 'Immediately redirect to identity provider' box, it's important to test the success of single sign-on setup.

  1. Open a new incognito window or private browser to ensure login data is clear.
  2. Go to the KACE Cloud portal but do not log in.
  3. Click Log in using your company credentials to sign in to SSO.

  4. You will be directed to a KACE Cloud Microsoft login page.
    • Log in using your identity provider credentials.

Single sign-on has been successfully set up if you are taken directly to the Users landing page in KACE Cloud MDM.

Once the setup of single sign-on has been successfully tested, users can be redirected to the identity provider's login screen.

 


Troubleshooting

Problem: Single Sign-On button not visible on KACE Cloud MDM portal.
Solution: Confirm that Enable single sign-on is checked on the SSO Settings page.

Problem: Error message on Microsoft login page: "AADSTS70001: Application with identifier ### was not found in the directory ###"
Solution: The Azure AD App ID URI does not match the KACE Cloud MDM identifier. Revisit Step 1 and confirm that the App ID URI is copied correctly, and ensure that the end of the URL has been removed: /broker/heliumsso/endpoint.

Problem: Update password request on Microsoft login page.
Solution: If you have created a brand new Azure AD account, Azure will prompt you to reset your password the first time it is used.

Problem: Error message on Microsoft login page: "AADSTS50011: The reply address ### does not match the reply addresses configured for the application: ###"
Solution: Update the Azure AD app registration Reply URLs to include the reply address indicated in the error message. This property can be found in Azure AD under App registrations > KACE Cloud > Settings > Reply URLs.

Problem: Error message on KACE Cloud MDM portal.
Solution: The identity provider successfully validated the username and password, but KACE Cloud MDM did not accept the user. This may be because the user is not in the Azure AD group being assigned a device admin role.

To troubleshoot:

  • Confirm the identity provider group to which the user is assigned.
  • Confirm the identity provider was configured to include group information. Example: for Azure AD, confirm the app registration manifest was configured with "SecurityGroup".
  • Confirm that the identity provider group has had its role mapped correctly.

Problem: Single Sign-On misconfiguration or identity provider error.
Solution: As part of SSO, most companies will redirect their users to their identity provider's sign-in page. In the case of a misconfiguration or identity provider error, a device admin can bypass SSO by adding ?nosso=1 to the end of their product portal URL to turn off redirection and go directly to the KACE Cloud MDM login screen. Example: https://yourcompany.kacecloud.com?nosso=1

Problem: An "invalidFederatedIdentityActionMessage" error message is displayed on KACE Cloud MDM portal.
Solution: The identity provider used a certificate to sign the SAML requests/responses which does not match one of the certificates listed in the "Validating certificates" field of the KACE Cloud single sign-on configuration. Ensure that the list of Validating Certificates matches the list of certificates currently being used by your identity provider. Enable the Refresh SAML validating certificates every day using the federation metadata document field to have KACE Cloud automatically keep the Validating Certificates field up to date by retrieving the most current signing certificate information from the URL provided in the Federation metadata document URL field each day.