KACE SAML AZURE and Windows Hello
Morning,
I have successfully configured SAML in KACE SMA to use Azure. However, this only works if I log into my Windows machine using a password. If I log in to Windows using Face or PIN, KACE SAML fails.
Any ideas?
Thanks.
Answers (2)
Oh, I went through this too. Support got me squared away, but I think it's something related to either the:
IdP SLO Binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
(check both remote and local settings)
or in Local IdP Metadata check these settings:
NameIDFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
I "think" one of those items (or checkboxes) did it for us. The claim is different with Hello vs. password; we had to reduce the filter by changing one of those params. If this doesn't work, just open a support ticket; that's what we did and they sorted it.
Comments:
-
@ericweintraub
I used your check boxes and now SAML works using Hello (face and PIN) to log into Windows!
Many thanks. - Darkplace 3 years ago
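The two settings named in the answer above (a persistent NameIDFormat and an HTTP-Redirect SLO binding) can be confirmed directly in the IdP metadata XML. The following is an added example, not code from KACE or Quest; the metadata it parses is a constructed sample with hypothetical entityID and endpoint URLs.

```python
"""Check a SAML 2.0 IdP metadata document for a persistent NameIDFormat
and an HTTP-Redirect SingleLogoutService binding.
Added example; the metadata below is constructed, not from KACE or Azure."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata (hypothetical entityID and endpoint URLs).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Return the NameID formats and SLO bindings the IdP advertises, plus
    whether the two settings discussed in the thread are present."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    formats = [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)]
    slo = [e.get("Binding") for e in idp.findall("md:SingleLogoutService", NS)]
    return {
        "nameid_formats": formats,
        "slo_bindings": slo,
        "persistent_nameid": PERSISTENT in formats,
        "http_redirect_slo": HTTP_REDIRECT in slo,
    }


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA))
```

Point the function at the metadata exported from the KACE local IdP settings to see which formats and bindings are actually advertised.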
@Darkplace currently KACE SAML support does not integrate with Microsoft Windows Hello for Business to support PINs and facial recognition. I would suggest, if this feature is something the community at large is needing, that putting in a UserVoice request might be a good idea. Customer Feedback for Quest KACE (uservoice.com)
-J
Comments:
-
I am fairly sure that isn't true. I log on to KACE most days without entering a username or password, simply through SAML with Windows Hello (usually face, but sometimes fingerprint). The way it works is that when you unlock your Windows desktop with Hello and then need to do Azure SSO, you send over a claim; that claim is totally different if you unlocked the machine with a password vs. using a Windows Hello option (PIN, face, finger). KACE's default settings don't allow for this other type of claim, but using the checkboxes above you can get around that and make it work. It doesn't mean that when you log on to the KACE appliance it will force the use of Windows Hello, but rather that it will accept the more secure claim it provides (it's more secure since it's not a semi-static password hash but instead a short-lived unique token issued thanks to a PKI exchange at time of unlock that uses certs stored in the TPM). Good read-up about that here: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token - ericweintraub 3 years ago
-
Thanks @ericweintraub, then the real ask is for better in-product documentation or a KB. That should be easier to remedy. Thanks :) - JMorano 3 years ago
Are you using regular Windows Hello or Windows Hello for Business?
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview
Is this working fine with other SAML tools in your environment?
I'm asking because the KACE SMA should have little to no interaction with SAML, other than receiving orders. I wonder if there's something with Windows Hello and SAML here causing the issue?
(The KACE SMA is asking for a password because SAML hasn't received the authorization from Windows Hello). - Channeler 3 years ago