If your company uses Microsoft Azure Active Directory (AD), you can configure Mobile Locker to use it as an Identity Provider via SAML 2.0.
For more technical information, read Microsoft's article Single Sign-On SAML Protocol.
- You need to be a Mobile Locker administrator.
- You need to be an Azure Active Directory administrator.
- Each user's email address in Azure Active Directory needs to match their email address in Mobile Locker.
Log in to https://portal.azure.com/.
Navigate to Azure > Enterprise Applications
Click New application.
Click Non-gallery application.
Enter Mobile Locker in the name field, then click Add at the bottom of the screen.
On the next screen, click Set up single sign on.
Select SAML as the single sign on method. You'll be taken to a screen like this:
Click Edit next to Step 2: User Attributes & Claims.
Under Required Claim, click the value in the Value column to edit it.
Change the Source attribute from user.userprincipalname to user.mail. Then click Save.
Return to the SAML-based Sign-on screen:
Double-check Step 2 that Unique User Identifier is user.mail.
Scroll down the page so Step 4: Set up Mobile Locker is visible.
Click the Copy icon next to Azure AD Identifier.
You'll proceed to paste several values from Azure into Mobile Locker, and then several values from Mobile Locker into Azure.
Open a new browser tab.
Log in to Mobile Locker as an administrator and navigate to Edit Team > SAML Services > New Service.
For Provider, select Microsoft Azure AD.
For IDP Entity ID, paste the Azure AD Identifier from your clipboard. It starts with https://sts.windows.net/.
For IDP Login URL, paste the Login URL from Azure. It starts with https://login.microsoftonline.com/.
For IDP Logout URL, paste the Logout URL from Azure. It will probably be https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0.
Back in Azure, scroll up to Step 3 SAML Signing Certificate. Click "download" next to Certificate (base64).
Save the file to your computer and open it in a text editor. It will look something like this:
Copy the contents of that file to your clipboard.
Switch back to your Mobile Locker tab and paste the certificate text into the IDP x509 Certificate text area.
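Before saving the new service, it is worth checking that the three URLs and the certificate you pasted are consistent with each other. The script below is an added example, not part of this article or of Mobile Locker: it verifies that the Azure AD Identifier and Login URL name the same tenant, that the Logout URL points at Azure AD, and that the Certificate (base64) file is a well-formed PEM block whose DER length field matches its body (the sample certificate it embeds is a constructed stand-in, not a real certificate).

```python
# Added example (not from the article or Mobile Locker): sanity-check the values
# copied between Azure AD and Mobile Locker before saving the SAML service.
import base64
import re
TENANT = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ENTITY_ID_RE = re.compile(rf"^https://sts\.windows\.net/({TENANT})/?$")
LOGIN_URL_RE = re.compile(rf"^https://login\.microsoftonline\.com/({TENANT})/saml2$")
LOGOUT_PREFIX = "https://login.microsoftonline.com/"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")
# Constructed stand-in for the downloaded file: a DER SEQUENCE holding one INTEGER, not a real cert.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

def der_outer_length(der: bytes) -> int:  # total length declared by the outer SEQUENCE
    if len(der) < 2 or der[0] != 0x30:    # every X.509 certificate starts with a SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_certificate(pem: str) -> bool:
    """True if pem is one PEM block whose DER length field matches the decoded body."""
    m = PEM_RE.fullmatch(pem.strip())
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        return der_outer_length(der) == len(der)
    except ValueError:                    # bad base64 or bad DER header
        return False

def check_saml_settings(entity_id: str, login_url: str, logout_url: str, pem: str) -> list:
    """Return the problems found with the four pasted values; an empty list means OK."""
    problems = []
    ent, log = ENTITY_ID_RE.match(entity_id), LOGIN_URL_RE.match(login_url)
    if not ent:
        problems.append("IDP Entity ID should look like https://sts.windows.net/<tenant-id>/")
    if not log:
        problems.append("IDP Login URL should look like https://login.microsoftonline.com/<tenant-id>/saml2")
    if ent and log and ent.group(1) != log.group(1):
        problems.append("IDP Entity ID and IDP Login URL name different tenants")
    if not logout_url.startswith(LOGOUT_PREFIX):
        problems.append("IDP Logout URL is not an Azure AD endpoint")
    if not check_certificate(pem):
        problems.append("IDP x509 Certificate is not a well-formed PEM certificate")
    return problems
```

Paste your own four values into check_saml_settings; an empty list means the tenant IDs agree and the certificate file was copied whole.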
For now, leave Create accounts for new users when they log in unchecked.
You'll be returned to the SAML Providers list and you will see an azure (PRODUCTION) entry.
Copy the SP Entity ID field to your clipboard, making sure you get the entire content of the field.
Switch to Azure. Scroll up to Step 1 Basic SAML Configuration. Click the Edit button.
Switching back and forth between Mobile Locker and Azure, paste the URLs into the fields shown below:
When you've pasted all of the values, click the Save button in Azure.
You should be returned to the Steps screen. In Step 2 User Attributes & Claims, double-check that "name" is mapped to "user.userprincipalname".
At this point, Mobile Locker should be connected to Azure Active Directory. In Mobile Locker, right-click the SP Login Endpoint URL and choose Open Link in Incognito Window.
In the Incognito Window, enter your email address, then click Next.
Enter your Microsoft password. Click Sign in.
If you see the Stay signed in? screen, click Yes.
Azure may prompt you to grant Mobile Locker access to your account. Allow it.
You'll now be authenticated from Azure to Mobile Locker and you'll be logged in to the Mobile Locker website!
In Azure, navigate to the Properties screen for Mobile Locker and review and/or modify your settings.
You can use this image as the Logo.
If you are going to require User assignment, click Users and Groups and assign the users who are allowed to use Mobile Locker.
Review and configure the other settings in Azure according to your requirements and company policies.
Congratulations, you're done!