VMware Workspace ONE UEM 1811
Previously, Administrators could bypass the SAML authentication flow and access the UEM Console by entering their Active Directory credentials. This gap has been addressed: Workspace ONE UEM 1811 enforces the SAML authentication flow if it is configured at the Organization Group where the Administrator's account exists.
Now, however, in order to truly support SAML authentication in a multi-domain setup, the ObjectGUID attribute must be configured on the Identity Provider settings page. The same attribute must be mapped to the Object Identifier user attribute in the Workspace ONE UEM Directory Services settings page at Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > User > Advanced.
This attribute allows Workspace ONE UEM to uniquely identify Administrators, even in a multi-domain configuration, and enables their secure access to the console. Because updating the ObjectGUID attribute in the Identity Provider settings is a manual step, the following warning is displayed to the Administrator on every successful login until the attribute is set and returned as part of the SAML response.
Below is the user attribute mapping on the Workspace ONE UEM user settings page for Directory Services:
Below is a typical custom attribute mapping setting for an Identity Provider. We’ve used VMware Identity Manager (vIDM) as an example here.
Below is a sample SAML response received from the Identity Provider:
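As an added example (not the article's own sample, and not VMware code), the following Python parses a constructed SAML response and checks that the Identity Provider returns exactly one well-formed ObjectGUID value; the attribute name "ObjectGUID" and the GUID-as-string format are assumptions about the IdP's custom attribute mapping.

```python
import uuid
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in an assertion's AttributeStatement.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (not captured from any real tenant). The
# attribute name "ObjectGUID" is an assumption about the IdP mapping.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="userName">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="ObjectGUID">
        <saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_attributes(response_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement.
    This only inspects attributes; it does not verify the XML signature."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_object_guid(response_xml: str, attr_name: str = "ObjectGUID") -> tuple:
    """Return (ok, reason); ok only if exactly one well-formed GUID is present."""
    values = saml_attributes(response_xml).get(attr_name, [])
    if not values:
        return False, f"{attr_name} missing from SAML response"
    if len(values) != 1:
        return False, f"{attr_name} has {len(values)} values, expected exactly one"
    try:
        uuid.UUID(values[0])
    except ValueError:
        return False, f"{attr_name} value is not a well-formed GUID"
    return True, "ok"
```

Running the check against a response captured with the browser's SAML tracer (the attribute name must match what is configured on the IdP settings page) tells you whether the warning shown at login is caused by the attribute being absent or malformed.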
This issue has been resolved with the release of Workspace ONE UEM 1904. Customers experiencing this issue should upgrade to Workspace ONE UEM 1904 and set the ObjectGUID user attribute in the IDP and within the Console in Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > User.