Authentication Integrations for Enrollments

SimpleMDM supports the ability to configure LDAP and SAML authentication for device enrollments. To locate these settings, navigate to Devices > Enrollments, click the enrollment profile name, then click the 'Authentication' tab.

To create a new enrollment authentication configuration, click the dropdown list shown at the top of that screen and select 'New Enrollment Authentication'. In the 'Name' field, provide a name that will be used to refer to the auth configuration within the SimpleMDM interface.

General Setup - LDAP Authentication

  1. In the 'Authentication Type' field, select "LDAP".
  2. In the 'Message' field, enter the message you would like to display to users when they are prompted to authenticate via LDAP during enrollment.
  3. In the 'LDAP URI' field, enter the URI from your LDAP service.
  4. In the 'Username DN Template' field, enter the template SimpleMDM uses to build each user's distinguished name (or username and domain name), including the attributes your LDAP service requires.

For more details on what to enter for Steps 3 and 4, you may need to refer to your LDAP provider's documentation.

For a more in-depth explanation on what LDAP is and how to use it, refer to this article.
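The Username DN Template in step 4 is filled in with whatever the user types at the enrollment prompt, so the value substituted into it has to be treated as untrusted input. The following is an added example, not SimpleMDM's code and not its template syntax: it assumes a hypothetical {username} placeholder and shows two common template shapes (an OpenLDAP-style DN and an Active Directory UPN), an allow-list check on the username, and RFC 4514 escaping of DN metacharacters so that a username containing a comma cannot change the structure of the resulting DN.

```python
import re

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514 section 2.4); a leading '#' or space and a trailing space are
# handled separately below.
_DN_SPECIAL = set(',+"\\<>;')

# Hypothetical placeholder used by this example only; it is an assumption,
# not SimpleMDM's own template syntax.
PLACEHOLDER = "{username}"

# Conservative allow-list: letters, digits, dot, underscore, hyphen, 1-64 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(username: str) -> bool:
    """True when the username matches the allow-list (no DN metacharacters)."""
    return USERNAME_RE.fullmatch(username) is not None


def escape_dn_value(value: str) -> str:
    """Escape a string for use as one attribute value inside a DN (RFC 4514)."""
    if "\x00" in value:
        raise ValueError("NUL is not allowed in a DN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def naive_render(template: str, username: str) -> str:
    """Plain substitution with no escaping; shown only to contrast with render_dn."""
    return template.replace(PLACEHOLDER, username)


def render_dn(template: str, username: str, strict: bool = True) -> str:
    """Build the bind DN (or UPN) for a user from the template.

    strict=True rejects anything outside the allow-list before substitution,
    which is the right setting for UPN-style templates where DN escaping
    does not apply. strict=False accepts any username but escapes DN
    metacharacters so the value stays a single literal RDN value.
    """
    if PLACEHOLDER not in template:
        raise ValueError("template has no username placeholder")
    if strict and not is_valid_username(username):
        raise ValueError(f"username rejected by allow-list: {username!r}")
    return template.replace(PLACEHOLDER, escape_dn_value(username))


if __name__ == "__main__":
    dn_template = "uid={username},ou=people,dc=example,dc=com"
    upn_template = "{username}@corp.example.com"
    print(render_dn(dn_template, "jdoe"))
    print(render_dn(upn_template, "jdoe"))
    # A username carrying DN syntax: naive substitution adds an extra RDN,
    # escaping keeps it as one literal uid value.
    odd = "jdoe,ou=admins"
    print(naive_render(dn_template, odd))
    print(render_dn(dn_template, odd, strict=False))
```

The allow-list is the primary control and the escaping is the fallback; with a real directory behind the template, rejecting unexpected characters up front also produces a clearer audit trail than a failed bind.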

General Setup - SAML Authentication

  1. In the 'Authentication Type' field, select "SAML".
  2. In your SAML identity provider settings, enter the 'Consumer URL' and 'SAML Audience' values from SimpleMDM in the appropriate fields. For example, the Consumer URL may correspond to a field labeled 'ACS URL' or similar, and the SAML Audience may need to be entered in an 'Entity ID' or similarly named field. The exact labels vary by provider.
  3. In SimpleMDM, enter the URL provided by your identity provider in the 'SAML Target URL' field. Copy and paste the certificate/fingerprint from your IdP to the 'X.509 fingerprint or certificate' field.
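Step 3 accepts either the IdP's signing certificate or its fingerprint. If you paste a fingerprint, compute it yourself from the certificate the IdP actually serves rather than copying a value from a dashboard, and compare it against what you entered. The following is an added example, not SimpleMDM's code: it extracts the DER from a PEM certificate block, produces the colon-separated SHA-256 or SHA-1 fingerprint, and compares two fingerprints ignoring case and separators. The embedded certificate is a constructed byte string that only exercises the parsing and hashing path, not a real X.509 certificate.

```python
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in input")
    body = re.sub(r"\s+", "", match.group(1))
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently skipping them, so a corrupted paste fails loudly.
    return base64.b64decode(body, validate=True)


def fingerprint_from_der(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER encoding."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("unsupported fingerprint algorithm: " + algo)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str, algo: str = "sha256") -> str:
    """Fingerprint of the first certificate in a PEM string."""
    return fingerprint_from_der(pem_to_der(pem), algo)


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints ignoring case and separators, in constant time."""
    norm_a = re.sub(r"[^0-9a-f]", "", a.lower())
    norm_b = re.sub(r"[^0-9a-f]", "", b.lower())
    return hmac.compare_digest(norm_a, norm_b)


# Constructed stand-in for a certificate: arbitrary DER-looking bytes, NOT a
# real X.509 certificate. Replace with the PEM your IdP publishes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("SHA-256:", fingerprint_from_pem(SAMPLE_PEM))
    print("SHA-1:  ", fingerprint_from_pem(SAMPLE_PEM, "sha1"))
```

Pasting the whole certificate is the more robust choice when the field allows it, because a fingerprint pins one key and must be updated by hand when the IdP rotates its signing certificate; either way, keep a record of the fingerprint you entered so a rotation or an unexpected change is visible.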

Username Custom Attribute

Both LDAP and SAML authentication configurations support the 'Username custom attribute' field. This allows you to store the username from authenticated devices into a custom attribute field in SimpleMDM. This can be helpful for identifying the users of newly enrolled devices. For example, you could use this attribute to populate device names via the 'New device name format' field, which is located on the 'Settings' tab of the Enrollments page.

Example use:

  1. Under Configs > Attributes, create a new attribute named {{username}} (or something similar).
  2. In the Authentication configuration settings, specify "{{username}}" in the 'Username custom attribute' field.

After enrollment, the 'username' attribute should be populated under the device's Settings tab in SimpleMDM.

SAML attributes can be mapped from your identity provider to SimpleMDM custom attributes as well. You will need to configure your IdP to send these attribute values to SimpleMDM. The custom attribute created in SimpleMDM should use the same name as the SAML attribute, for example a SAML attribute 'email_address' maps to a SimpleMDM attribute 'email_address'. Once you have configured your Authentication settings and set up the attributes on both sides, click 'Test Configuration'. A window will display the attributes that are available and allow you to map them. These attributes can then be selected in the 'Username custom attribute' dropdown list.
