This article provides a resolution for an issue where users attempting to enroll a device into AirWatch are redirected to Okta and then receive an error after entering their Okta credentials:
SAML Authentication Timeout
- AirWatch
- Okta Users
- Okta Administrators
- Okta Classic Engine
The issue may occur due to an incorrect configuration of URLs or Attribute Statements in AirWatch's SAML settings. The misconfiguration prevents successful authentication via Okta during device enrollment.
Follow these steps to resolve the issue:
- Refer to AirWatch's documentation to review the listed URLs. Only one URL, https://<DeviceServicesURL>/IdentityService/SAML/AssertionService.ashx?binding=HttpPost (where DeviceServicesURL is the unique AirWatch enrollment address), is applicable. This URL requires the "Use new SAML Authentication endpoint" option to be enabled in AirWatch's SAML settings.
- Update the Attribute Statement in the SAML settings. The Attribute Statement recommended by AirWatch might be sAMAccountName|${user.UserName}. However, since there is no Okta attribute named "UserName", this needs to be changed.
- If the AirWatch username convention is the same as Okta's, use sAMAccountName|${user.login} as the Attribute Statement.
- If the username convention in AirWatch does not match Okta's, replace "login" with the Okta attribute that corresponds to the AirWatch username.
- If the AirWatch username does not match any existing Okta attribute, create and populate a custom Okta attribute to facilitate this.
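A quick way to confirm that the two settings above are actually in effect is to inspect the SAML response Okta posts to AirWatch during an enrollment attempt (for example, captured with a browser's SAML tracer) and check that its Destination is the AssertionService endpoint and that the sAMAccountName attribute carries a non-empty value. The following Python script is an added example, not part of this article or of Okta's or AirWatch's tooling; the two SAML responses embedded in it are constructed samples, and the host ds.example.com, the issuer value and the "some/other/path" destination are placeholders. It flags the two failure modes the steps above address: a response sent to a URL other than the new SAML endpoint, and an attribute statement whose sAMAccountName is missing or empty (which is what a mapping to a non-existent attribute such as ${user.UserName} would leave you with).

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Okta response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder for https://<DeviceServicesURL>/IdentityService/SAML/AssertionService.ashx?binding=HttpPost
EXPECTED_DESTINATION = (
    "https://ds.example.com/IdentityService/SAML/AssertionService.ashx?binding=HttpPost"
)

# Constructed sample: correct endpoint, sAMAccountName populated from ${user.login}.
GOOD_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://ds.example.com/IdentityService/SAML/AssertionService.ashx?binding=HttpPost">
  <saml:Issuer>http://www.okta.com/placeholder-issuer</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample: wrong destination and an empty sAMAccountName value,
# standing in for a mapping to an Okta attribute that does not exist.
BAD_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://ds.example.com/some/other/path">
  <saml:Issuer>http://www.okta.com/placeholder-issuer</saml:Issuer>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName">
        <saml:AttributeValue></saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_saml_response(xml_text, expected_destination, attr_name="sAMAccountName"):
    """Return a list of findings; an empty list means the response looks correct.

    Checks only the two settings this article is about: the Destination (the
    AirWatch endpoint the response was sent to) and the named attribute in the
    AttributeStatement. It does not validate the XML signature.
    """
    findings = []
    root = ET.fromstring(xml_text.strip())

    # 1. The response must target the new SAML Authentication endpoint.
    destination = root.get("Destination")
    if destination != expected_destination:
        findings.append(
            f"Destination mismatch: got {destination!r}, expected {expected_destination!r}"
        )

    # 2. Collect every attribute in the assertion as name -> list of values.
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values

    if attr_name not in attributes:
        findings.append(
            f"Attribute {attr_name!r} missing; attributes present: {sorted(attributes)}"
        )
    elif not any(attributes[attr_name]):
        findings.append(
            f"Attribute {attr_name!r} is present but empty; check that the Okta "
            f"expression references a real attribute (e.g. ${{user.login}})"
        )
    return findings


if __name__ == "__main__":
    for label, response in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_response(response, EXPECTED_DESTINATION) or "OK")
```

Run it as-is to see the constructed good response pass and the bad one produce two findings; to check a real capture, paste the decoded SAML response in place of one of the samples and set EXPECTED_DESTINATION to your own Device Services URL. An empty sAMAccountName in a real response points at the Attribute Statement expression, a Destination mismatch at the URL configured on the AirWatch side.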
