Authentication Integrations for Enrollments

SimpleMDM supports SAML authentication for device enrollments. Admins are encouraged to configure SAML authentication as a security mechanism to protect their enrollments. This ensures that only users with valid credentials from an organization's identity provider can enroll.

To locate these settings, navigate to Devices > Enrollments, click the enrollment profile name, then click the 'Authentication' tab.

To create a new enrollment authentication configuration, click the dropdown list shown at the top of that screen and select 'New Enrollment Authentication'. In the 'Name' field, provide a name that will be used to refer to the auth configuration within the SimpleMDM interface.

General Setup - SAML Authentication

  1. In the 'Authentication Type' field, select "SAML".
  2. In your SAML identity provider settings, enter the 'Consumer URL' and 'SAML Audience' values from SimpleMDM in the appropriate fields. For example, the Consumer URL may correspond to a field labeled 'ACS URL' or similar, and the SAML Audience may need to be entered in an 'Entity ID' or similarly named field. This can vary depending on your provider.
  3. In SimpleMDM, enter the URL provided by your identity provider in the 'SAML Target URL' field. Copy and paste the certificate/fingerprint from your IdP to the 'X.509 fingerprint or certificate' field.

Username Custom Attribute

SAML authentication configurations support the 'Username custom attribute' field. This allows you to store the username from authenticated devices in a custom attribute field in SimpleMDM. This can be helpful for identifying the users of newly enrolled devices. For example, you could use this attribute to populate device names via the 'New device name format' field, which is located on the 'Settings' tab of the Enrollments page.

Example use:

  1. Under Configs > Attributes, create a new attribute named {{username}} (or something similar).
  2. In the Authentication configuration settings, specify "{{username}}" in the 'Username custom attribute' field.

After enrollment, the 'username' attribute should be populated under the device's Settings tab in SimpleMDM.

SAML attributes can also be mapped from your identity provider to SimpleMDM custom attributes. You will need to configure your IdP to send these attribute values to MDM. The attribute created in SimpleMDM should match the SAML attribute naming convention, for example 'email_address' <> 'email_address'. Once you have configured your Authentication settings and set up the attributes on both sides, click 'Test Configuration'. A window will display the attributes that are available and allow you to map them. These attributes can then be selected in the 'Username custom attribute' dropdown list.
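
If mapped attributes do not appear, a SAML response captured from your own IdP test can be compared with the values from step 2 and the attribute names you created. The Python below is an added example, not SimpleMDM code; the sample response, its URLs, the function name and the exact, case-sensitive name comparison are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned SAML response with placeholder URLs.
# A real response from your IdP is signed and carries more elements.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://mdm.example.invalid/saml/consume">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://mdm.example.invalid/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email_address">
        <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Department">
        <saml:AttributeValue>Finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, consumer_url, audience, expected_attrs):
    """Return mismatches between an IdP response and the enrollment settings."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != consumer_url:
        problems.append(f"Destination {root.get('Destination')!r} != Consumer URL")
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"SAML Audience not in {audiences}")
    sent = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    for name in expected_attrs:
        if name not in sent:
            # Assumed exact match: 'department' does not match 'Department'.
            near = [s for s in sorted(sent) if s.lower() == name.lower()]
            hint = f" (IdP sends {near[0]!r})" if near else ""
            problems.append(f"attribute {name!r} not sent{hint}")
    return problems
```

This only compares names and addresses; it does not verify the response signature against the IdP certificate.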
