Does AirWatch support Service Provider-initiated SSO?
Yes, AirWatch supports Service Provider-initiated SSO only. AirWatch does not support IdP-initiated SSO.
What SAML versions does AirWatch support?
What is the assertion consumer URL & Service Provider ID?
Service Provider ID is part of the Enrollment SAML configuration.
The assertion service is /SAML/AssertionService.ashx?binding=HttpPost (or HttpArtifact) under the DeviceServices (for enrollment) and MyDevice (for Self Service Portal) application roots. These are part of the exported metadata. IdP-initiated requests should use the appropriate consumer URL depending on the source of the authentication request.
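The following Python example is added here and is not AirWatch code: it reads Service Provider metadata and checks each assertion consumer URL against the path, application roots and binding values given above before the URLs are registered with an IdP. It assumes the export is in SAML 2.0 metadata format and that the entityID attribute carries the Service Provider ID; the sample metadata, host name and ID are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # assumption: SAML 2.0 metadata export
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
ROOTS = {"deviceservices": "enrollment", "mydevice": "self service portal"}

# Constructed sample: the host name, entityID and third endpoint are made up.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="AirWatch-example">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" Binding="{BINDINGS}HTTP-POST"
   Location="https://mdm.example.com/DeviceServices/SAML/AssertionService.ashx?binding=HttpPost"/>
  <md:AssertionConsumerService index="1" Binding="{BINDINGS}HTTP-Artifact"
   Location="https://mdm.example.com/MyDevice/SAML/AssertionService.ashx?binding=HttpArtifact"/>
  <md:AssertionConsumerService index="2" Binding="{BINDINGS}HTTP-POST"
   Location="http://mdm.example.com/Other/SAML/AssertionService.ashx?binding=HttpArtifact"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_endpoints(metadata_xml):
    """Return (entityID, endpoints); each endpoint lists its purpose and problems."""
    root = ET.fromstring(metadata_xml)  # parse only metadata you exported yourself
    found = []
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        url = urlsplit(acs.get("Location", ""))
        parts = [p.lower() for p in url.path.split("/") if p]
        # Application root = path segment before /SAML/AssertionService.ashx
        # (compared case-insensitively, an assumption about the web server).
        ok_path = len(parts) >= 3 and parts[-2:] == ["saml", "assertionservice.ashx"]
        app_root = parts[-3] if ok_path else ""
        declared = acs.get("Binding", "").rsplit(":", 1)[-1].replace("-", "").lower()
        param = parse_qs(url.query).get("binding", [""])[0].lower()
        problems = []
        if url.scheme != "https":
            problems.append("not https")
        if app_root not in ROOTS:
            problems.append("unexpected application root or path")
        if param != declared:
            problems.append("binding parameter differs from declared Binding")
        found.append({"location": url.geturl(), "purpose": ROOTS.get(app_root),
                      "binding": param, "problems": problems})
    return root.get("entityID"), found


if __name__ == "__main__":
    entity_id, endpoints = acs_endpoints(SAMPLE)
    print("Service Provider ID:", entity_id)
    for ep in endpoints:
        print(ep["purpose"] or "unknown", ep["binding"], ep["location"], ep["problems"] or "ok")
```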
Can logout URLs be configured in the AirWatch Admin Console?
At this time, when the user logs out of the SSP, they are logged off the SSP only and not logged out of the IdP.
Does AirWatch support the collection of multiple user attributes for SAML authenticated users?
AirWatch supports the collection of multiple user attributes by using AD/LDAP integration to perform user syncs for SAML authenticated users. The unique identifier attribute for the SAML authenticated user should exist in your Directory to allow AirWatch to find the user and perform the sync.
Does Active Directory need to be integrated to use SAML?
No. SAML can be configured without AD integration on the console. However, 'Directory' type authentication must be enabled in enrollment configurations. The users pulled in via SAML will be of 'Directory' type.
If AD is not being integrated on the console, can attributes other than the username be pulled in?
Yes. However, the IdP must be configured to send out multiple attributes and these must be mapped accordingly in the 'User' tab of the Directory Services configuration section.
Can you bulk import SAML users?
Yes. When filling out the bulk user template, make sure the 'User Type' is set to 'Directory'.