If you use SAML SSO to log into the Workspace ONE UEM (AirWatch) console, you may see this warning after upgrading to 1904. First – don’t panic! Everything still functions!
Now that we’re calm, let’s find out what it is and how to address it. On the menu today:
- What is this strange warning and why/when is it displayed?
- How to configure the UEM Console SSO in order to make it go away
- If you are missing the objectGUID attribute – how to add it for
  - VIDM Connector (direct VIDM integration)
  - ACC (AD Basic integration)

What is it?
If you read the WS1 UEM 1904 Release Notes, you will see this:
We now offer SAML authentication for multi-domain configurations.
WS1 UEM 1904 Release Notes
Administrators (only) can now use the SAML authentication in multi-domain environments for Workspace ONE UEM, expanding the utility of the already trustworthy authentication protocol beyond single-domain configurations. Support for multi-domain environments is enabled by default, and there is no system setting required.
Now that the same user name can exist in multiple domains, the console needs an additional, truly unique identifier for the administrator, which is exactly what objectGUID was made for.
If you only have one domain and your SSO is not configured to send objectGUID as an attribute in the SAML assertion, you will still be able to log in (clever engineers have provided a fallback to the user name), but you will see the above warning.
You can safely ignore it in this case, but let’s rather address this annoyance and streamline the WS1 UEM Console security along the way. The fix (in the simplest form) takes <5 minutes.
Fixing the problem – providing the attribute via SAML
I will show how to fix this in VMware Identity Manager, but the logic is just the same if you use another SSO solution.
First, I open my WS1 VIDM Admin Console and go to the Catalog section. There I find the SaaS application that performs the SSO into the UEM Console, go to the Configuration tab and expand Advanced Properties.

There I find Custom Attribute Mapping and add objectGUID (case sensitive) mapped to an attribute from my directory. If you already sync objectGUID explicitly, choose ${user.objectGUID}; alternatively, it may exist as ${user.ExternalId}. Read below to see what to do if you have neither of them available.

Try SSO into the UEM console once again, and you shall see that pesky warning no more! Job done! But what if the required attribute is nowhere to be found? I will show how to do this for direct VIDM Connector and indirect ACC Connector (AD Basic) sync. If you use a 3rd party solution, your mileage may vary extensively here.
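Before and after changing the attribute mapping it helps to look at what the identity provider actually sends, because the console only reacts to an attribute that is literally named objectGUID. The following is an added example, not code from the original post or from VMware: it parses a SAML Response (a constructed sample, not a real capture), pulls the NameID and the AttributeStatement, and reports whether objectGUID is present, whether it is present under the wrong case, and whether the value decodes to a 16-byte GUID. It assumes the IdP sends objectGUID either as a canonical GUID string or as base64 of the raw 16 bytes in Active Directory's little-endian GUID layout; the page does not say which form VIDM uses, so adjust `normalize_guid` if your IdP sends something else.

```python
import base64
import uuid
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a SAML Response whose AttributeStatement carries
# objectGUID as base64 of the 16 raw bytes 0x00..0x0f (no real tenant data).
SAMPLE_WITH_GUID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="objectGUID">
        <saml:AttributeValue>AAECAwQFBgcICQoLDA0ODw==</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample with the attribute name in the wrong case: the console
# treats the name as case sensitive, so this is as good as missing.
SAMPLE_WRONG_CASE = SAMPLE_WITH_GUID.replace('Name="objectGUID"', 'Name="objectguid"')


def extract_attributes(saml_xml):
    """Return (NameID text, {attribute name: [values]}) from a SAML Response."""
    root = ET.fromstring(saml_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    name_id = root.find(".//saml:NameID", NS)
    return (name_id.text if name_id is not None else None), attrs


def normalize_guid(value):
    """Return the canonical GUID string, or None if the value is not a GUID.

    Accepts a canonical text GUID or base64 of the raw 16 bytes; the raw form
    is interpreted in the little-endian layout Active Directory stores
    objectGUID in (assumption, matches what AD tools display).
    """
    v = value.strip()
    try:
        return str(uuid.UUID(v))
    except ValueError:
        pass
    try:
        raw = base64.b64decode(v, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) != 16:
        return None
    return str(uuid.UUID(bytes_le=raw))


def check_assertion(saml_xml):
    """Report whether the assertion carries the identifier UEM 1904 looks for."""
    name_id, attrs = extract_attributes(saml_xml)
    findings = []
    if not name_id:
        findings.append("no NameID in Subject")
    guid_values = attrs.get("objectGUID", [])
    if not guid_values:
        wrong_case = [n for n in attrs if n and n.lower() == "objectguid"]
        if wrong_case:
            findings.append(f"attribute name case mismatch: found {wrong_case}, expected 'objectGUID'")
        else:
            findings.append("objectGUID attribute missing: console falls back to the user name and shows the warning")
        return {"ok": False, "name_id": name_id, "guid": None, "findings": findings}
    guid = normalize_guid(guid_values[0])
    if guid is None:
        findings.append("objectGUID present but not a canonical GUID or base64 of 16 bytes")
        return {"ok": False, "name_id": name_id, "guid": None, "findings": findings}
    return {"ok": not findings, "name_id": name_id, "guid": guid, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("with objectGUID", SAMPLE_WITH_GUID), ("wrong case", SAMPLE_WRONG_CASE)):
        print(label, check_assertion(sample))
```

To check a real login, paste the decoded SAML Response from your browser's SAML tracer into `check_assertion`; a result with `ok` set to `False` and the "missing" finding is exactly the situation that produces the console warning, and the case-mismatch finding catches the most common mapping mistake.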
Adding the attribute to sync (VIDM Connector)
If you are using the VIDM Connector and want to add a new attribute to sync, follow this two-step procedure:


Then go to Identity and Access Management -> [Manage] -> Directories, choose your directory and click Sync Settings

Now you can go back to your web app and specify objectGUID there for SSO.
Adding the attribute to sync (AirWatch Cloud Connector)
In my case the directory was first synced to the UEM Console via ACC and then went to VIDM. Usually, in this case objectGUID will be sent to VIDM as externalId, but in my case it was missing (no wonder, given that this is a test/demo setup).
This can be solved directly in the UEM Console. Go to the OG, where VIDM integration is configured, Settings -> System -> Enterprise Integration -> VIDM Configuration and edit the Mapping attributes. Assign either externalId or objectGUID to UserObjectIdentifier and you are done!

Summary
So, now you know:
- What this strange warning is and why/when it is displayed
- How to configure the UEM Console SSO in order to make it go away
- If you are missing the objectGUID attribute – how to add it for
  - VIDM Connector (direct VIDM integration)
  - ACC (AD Basic integration)
[Update]: Official VMware KB on MyWorkspaceONE.com
Have you experienced this situation yourself? Is this useful? Leave a note!