SAML-authenticated enrolment flow

When you configure SAML as the authentication method, when a user hits the enrollment URL and click Enroll, the user is first authenticated via the identity provider before proceeding with the enrollment process.

Enrollment flow for a fresh login
When a user visits the enrollment URL for the first time before single sign-on authentication, then initial enrollment flow is as follows:
  1. On the enrollment page, when the user clicks Sign in, the user is redirected to the SAML service for login.

    If Okta is configured as the SAML service, user is redirected to Okta Sign in page as follows.


    Okta Sign In page
  2. With the corporate's identity service credentials to the SAML service, the user is authenticated. After the user logs in to the SAML service, the enrollment page appears:
    Enrollment page
  3. Provide the necessary information and click Enroll to begin the MDM enrollment process and access the corporate resources.
Enrollment flow when the session times out
When the logged in session times out for a user, the enrollment flow is same that of a fresh log in.
Note: By default, the session times out after 15 minutes.
Enrollment flow when the user has already authenticated via SAML
When the user has already logged in with SAML authentication, the user can continue to enroll without the need for any further authentication, as SAML is the single sign-on (SSO) authentication that allows the users to log in once and access multiple applications without needing to enter credentials for each application.