Citrix XenMobile MDM – SAML authentication limitations


For everyone trying to integrate Citrix XenMobile MDM with ADFS/SAML

Some limitations:

– When using SAML for authentication, two-factor authentication for enrollment is no longer possible

– When using SAML, SAML is only used for device enrollment, one time (there is no re-authentication after a specific period)

  • Continuing authentication is based on certificates and SCEP
  • Updates to the AD-based user or group account will not propagate. For that to happen, the user would have to authenticate to SAML/ADFS again
  • That will not happen, since the device is already registered (enrollment is a one-time process)

– It is not possible to use a ‘SAML’ generated user account to log in to the Admin Console
So: administrators should be basic (local) accounts in the tool’s own database

– It is not possible to use the Self Help Portal
An end user cannot log in to the Self Help Portal when his/her account was generated by means of SAML

– The claim rules for MDM are a B*tch; they’re not well documented.

Using LDAP is the recommended approach if any of the above is mandatory

TIP: You can use a ‘Send Group Membership as a Claim’ rule to populate groups in the MDM database
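As an added example (not from the original post or from Citrix), this is the claim rule the ADFS ‘Send Group Membership as a Claim’ template writes, appended to the XenMobile relying party trust with PowerShell on the ADFS server. The trust name, the AD group SID and the emitted group name are placeholders; the outgoing claim type is the ADFS template’s default Group claim type, which you still have to match against what your XenMobile version actually consumes, since the page notes this is poorly documented.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the ADFS server.
# Placeholders (assumptions): the relying party trust name and the AD group SID.
# Look the SID up with: Get-ADGroup 'MDM-Users' | Select-Object -ExpandProperty SID
$rpName   = 'XenMobile'            # placeholder: name of the XenMobile relying party trust
$groupSid = 'S-1-5-21-0-0-0-0'     # placeholder: objectSid of the AD group to send
$groupOut = 'MDM-Users'            # group name as it should appear in the MDM database

# Same rule the "Send Group Membership as a Claim" GUI template produces:
# match the user's group SID from AD and issue one outgoing Group claim carrying the name.
# Note: the group is captured at enrollment only; later AD membership changes do not
# propagate, because the device never re-authenticates through SAML.
$rule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Send $groupOut membership to XenMobile"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$groupOut", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Append to the existing issuance transform rules instead of replacing them,
# so the NameID/UPN rules the enrollment already depends on stay in place.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$existing = $rp.IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $rule)

# Verify the full rule set now on the trust
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

One rule per AD group is needed; test with one pilot enrollment and check that the group shows up on the user in the MDM console before rolling the rule out more widely.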