Integrate Azure Active Directory (AAD) with Workspace ONE (Airwatch\WS1)

Hi There -
I’m looking to sync some AAD accounts over to WS1 for admin access.
The ask is:
UEM Admins have an account in AAD, we want to use the same AAD accounts and password to login to WS1 (Airwatch).

The UEM Admin accounts would be assigned a group in AAD then have that group synced to WS1(Airwatch).

How do I integrate the two (WS1 and Azure AAD)?
We are not using OnPrem AD. AAD accounts only.

You can configure SSO between Azure AD and WSO1 (using SAML).

We generally create an OG for admin accounts and set up SSO at that level so that it is only leveraged for admin access.

https://kb.vmware.com/s/article/50104947

I’ve followed both VMWare and Microsoft’s version of the integration:
VMware: VMware Knowledge Base
Microsoft: Tutorial: Microsoft Entra integration with AirWatch - Microsoft Entra ID | Microsoft Learn

Both do not address the required Reply URL portion, and I receive an error.

By default (following the two vendor instructions), it would leave the SAML Reply URL blank, with the same error. I’ve tried many permutations of the reply URL; all fail with the same error.

Permutations of Reply URL tried:
Pointed to Console (CN) - DeviceManagement and Identity Management
https://cnZZZ.awmdm.com/DeviceManagement/~SAML/AssertionService.ashx?binding=HttpPost
https://cnZZZ.awmdm.com/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost
https://cnZZZ.awmdm.com/IdentityService/~SAML/AssertionService.ashx?binding=HttpPost
https://cnZZZ.awmdm.com/IdentityService/SAML/AssertionService.ashx?binding=HttpPost

Pointed to Device Services (DS) - DeviceManagement and Identity Management
https://dsZZZ.awmdm.com/DeviceManagement/~SAML/AssertionService.ashx?binding=HttpPost
https://dsZZZ.awmdm.com/DeviceManagement/SAML/AssertionService.ashx?binding=HttpPost
https://dsZZZ.awmdm.com/IdentityService/~SAML/AssertionService.ashx?binding=HttpPost
https://dSZZZ.awmdm.com/IdentityService/SAML/AssertionService.ashx?binding=HttpPost

Remember the end goal is: Allow AAD IDs (userID\password) to log on to WS1, as WS1 Admins.

Soo… what is the syntax for SAML Reply URL?

This is what I’m using
.awmdm.com/AirWatch/SAML/AssertionService.ashx?binding=HttpPost

Note: The above reply URL is for auth to WSO (AirWatch portal). If you look through the metadata, there are other endpoints that need to be added if you’re enabling federation for other services.

If I try to hit it directly from the browser here is the response.

The SAML response is missing form variables SAMLResponse and RelayState, required by the SAML protocol.

In WSO if you “Export Service Provider Settings” it should give you an XML with all the endpoints for various services.
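As an added illustration of the last two answers (not code from the thread or from VMware/Omnissa), the script below reads a Workspace ONE "Export Service Provider Settings" metadata file and pulls out the HTTP-POST AssertionConsumerService location, which is the value the Azure AD enterprise app's Reply URL field expects, rather than guessing hostnames and paths as the earlier post did. The metadata embedded here is a constructed sample in standard SAML 2.0 metadata form; the `cnZZZ.awmdm.com` host and the `/AirWatch/SAML/...` paths are placeholders taken from the thread, not verified endpoints.

```python
"""Read the ACS (Reply URL) endpoints out of Workspace ONE SP metadata so the
Azure AD 'Reply URL' and 'Identifier (Entity ID)' are set from the SP's own
export instead of guessed. Hostnames/paths below are constructed placeholders."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; a real export comes from the UEM console.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cnZZZ.awmdm.com/AirWatch/SAML/ServiceProvider">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cnZZZ.awmdm.com/AirWatch/SAML/AssertionService.ashx?binding=HttpPost"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://cnZZZ.awmdm.com/AirWatch/SAML/AssertionService.ashx?binding=HttpRedirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return (entityID, [(binding, location, is_default)], wants_signed_assertions)."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")  # goes in Azure AD 'Identifier (Entity ID)'
    spsso = root.find("md:SPSSODescriptor", NS)
    wants_signed = spsso.get("WantAssertionsSigned", "false").lower() == "true"
    acs = []
    for el in spsso.findall("md:AssertionConsumerService", NS):
        acs.append((el.get("Binding"), el.get("Location"),
                    el.get("isDefault", "false").lower() == "true"))
    return entity_id, acs, wants_signed


def reply_url_for_azure(xml_text):
    """Pick the HTTP-POST ACS: the IdP posts the SAMLResponse form to this URL.
    Prefer the endpoint flagged isDefault; fail loudly if no POST endpoint exists."""
    _, acs, _ = parse_sp_metadata(xml_text)
    post = [a for a in acs if a[0] == POST]
    if not post:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    post.sort(key=lambda a: not a[2])  # default endpoint first
    return post[0][1]
```

Opening the Reply URL in a browser with a plain GET, as the earlier post did, is expected to produce the "missing form variables SAMLResponse and RelayState" message, because that endpoint only accepts the POSTed form the IdP sends.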