WS1 UEM 1904: Fixing the ObjectGUID warning and improving SAML SSO security

If you use SAML SSO to log into the Workspace ONE UEM (AirWatch) console, you may see this warning after upgrading to 1904. First – don’t panic! Everything still functions!

Now that we’re calm, let’s find out what it is and how to address it. On the menu today:

  • What is this strange warning and why/when is it displayed?
  • How to configure the UEM Console SSO in order to make it go away
  • If you are missing the objectGUID attribute – how to add it for
    • VIDM Connector (direct VIDM integration)
    • ACC (AD Basic integration)

What is it?

If you read the WS1 UEM 1904 Release Notes, you will see this:

We now offer SAML authentication for multi-domain configurations.
Administrators (only) can now use the SAML authentication in multi-domain environments for Workspace ONE UEM, expanding the utility of the already trustworthy authentication protocol beyond single-domain configurations. Support for multi-domain environments is enabled by default, and there is no system setting required.

WS1 UEM 1904 Release Notes

Now that the same user name can exist in multiple domains, the console needs an additional, truly unique identifier to tell the accounts apart, which is exactly what objectGUID was made for!

If you only have one domain and your SSO is not configured to send objectGUID as an attribute in the SAML assertion, you will still be able to log in (clever engineers have provided a fallback to the user name), but you will see the above warning.

You can safely ignore it in this case, but let’s rather address this annoyance and streamline the WS1 UEM Console security along the way. The fix (in the simplest form) takes <5 minutes.

Fixing the problem – providing the attribute via SAML

I will show how to fix it in VMware Identity Manager, but the logic is just the same if you use another SSO solution.

First, I open my WS1 VIDM Admin Console and go to the Catalog section. There I find the SaaS application that performs the SSO into the UEM Console, go to the Configuration tab and expand Advanced Properties.

Configuration -> Advanced Properties

There I find Custom Attribute Mapping and add objectGUID (case sensitive) mapped to an attribute from my directory. If you already sync objectGUID explicitly, choose ${user.objectGUID}; alternatively, it may exist as ${user.ExternalId}. Read below to see what to do if you have neither of them available.

Try SSO into the UEM console once again, and you shall see that pesky warning no more! Job done! But what if the required attribute is nowhere to be found? I will show how to do this for direct VIDM Connector and indirect ACC Connector (AD Basic) sync. If you use a 3rd party solution, your mileage may vary extensively here.
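To confirm that your IdP really sends the attribute the console expects, here is a small Python check (an added example, not code from the original post or from VMware) that parses a captured SAML assertion and reports whether objectGUID is present, spelled with the exact case, and carries a plausible value. The sample assertion is constructed, and the two accepted value encodings (canonical GUID string or base64 of the 16 raw bytes) are an assumption about what an IdP typically emits.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def looks_like_guid(value: str) -> bool:
    """Assumption: accept the 36-char canonical GUID or base64 of the 16 raw bytes."""
    if GUID_RE.match(value):
        return True
    try:
        return len(base64.b64decode(value, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def check_objectguid(assertion_xml: str) -> str:
    """'ok' when objectGUID is present and well-formed; 'missing' means the console
    falls back to the user name (and shows the warning); 'wrong-case' catches the
    common mistake of mapping e.g. 'ObjectGUID'; 'bad-value' flags an empty or odd value."""
    attrs = saml_attributes(assertion_xml)
    if "objectGUID" in attrs:
        values = attrs["objectGUID"]
        if values and all(looks_like_guid(v) for v in values):
            return "ok"
        return "bad-value"
    if any(name.lower() == "objectguid" for name in attrs):
        return "wrong-case"
    return "missing"


def sample_assertion(attr_name: str, value: str) -> str:
    """Constructed minimal assertion, as an IdP might emit for one admin user."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{attr_name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Paste the decoded assertion from a browser SAML tracer into `check_objectguid` to see which of the four states your IdP configuration is in before and after the mapping change.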

Adding the attribute to sync (VIDM Connector)

If you are using the VIDM Connector and want to add a new attribute to sync, follow this two-step procedure:

First, go to Identity and Access Management -> [Setup] -> User Attributes, scroll down to Other Attributes and add objectGUID there.

Then go to Identity and Access Management -> [Manage] -> Directories, choose your directory and click Sync Settings.
In Sync Settings choose Mapped Attributes and map objectGUID to one of the attributes that are available in your directory.

Now you can go back to your web app and specify objectGUID there for SSO.

Adding the attribute to sync (AirWatch Cloud Connector)

In my case the directory was first synced to the UEM Console via ACC and then went to VIDM. Usually, in this case objectGUID will be sent to VIDM as externalId, but in my case it was missing (no wonder, given that this is a test/demo setup).

This can be solved directly in the UEM Console. Go to the OG, where VIDM integration is configured, Settings -> System -> Enterprise Integration -> VIDM Configuration and edit the Mapping attributes. Assign either externalId or objectGUID to UserObjectIdentifier and you are done!

Summary

So, now you know:

  • What is this strange warning and why/when it is displayed
  • How to configure the UEM Console SSO in order to make it go away
  • If you are missing the objectGUID attribute – how to add it for
    • VIDM Connector (direct VIDM integration)
    • ACC (AD Basic integration)

[Update]: Official VMware KB on MyWorkspaceONE.com

Have you experienced this situation yourself? Is this useful? Leave a note!
