If you are using Samsung Knox Mobile Enrollment to enroll Samsung Android devices into Microsoft Intune, you probably sign in to the Samsung Knox portal with a Samsung account. And probably colleagues also have a Samsung account for which they have to remember a username and password, which needs to be administered by you and the other admins. But it’s also possible to connect Samsung Knox to Azure Active Directory (Azure AD) to get a single sign-on (SSO) experience when using the Azure AD account to sign in to Knox.
In this article, I show how we can configure Samsung Knox and Azure AD to provide our admins (and ourselves) a better sign-on experience.
If you enable Azure AD as a sign-in method, you cannot use Samsung Account to sign into Knox services.
At the moment of writing not all Knox services are supported for Azure AD SSO. Keep an eye on the official documentation for which services are supported.
Configure Azure AD
To connect Samsung Knox to Azure AD, we need to create an Enterprise Application in Azure. First we check our Knox tenant if Azure AD SSO is supported and look up the Reply URL which we need later in our Azure Enterprise Application.
- Sign-in to the Samsung Knox portal
- Click on the avatar on the top right corner to access your account settings
If the tenant supports Azure AD SSO, on the left you’ll find a tab Active Directory SSO settings. Op the Azure AD SSO settings tab and copy the Reply URL for later use.
- Sign in to the Azure portal
- Open the service Enterprise Applications
- Click New Application
- Search for Samsung Knox
- Select Samsung Knox and Business Services
- Click create
- Open the tab Single sign-on
- Click SAML
- Click Edit next to Basic SAML Configuration
- Enter the Reply URL which we found in the Knox portal
- As Sign on URL enter https://www2.samsungknox.com/en/sso/login/ad
- Click Save
- On the Single sign-on tab, under SAML Signing Certificate copy the App Federation Metadata URL and save it for one of the next steps
- Browse to the Users and Groups tab
- Click Add user/group
- Click None selected
- Select the users (or at least your own account) to who you want to provide access to the Knox portal
- Click Assign
- Open the Samsung Knox portal
- Paste the App federation metadata URL
- Click Connect to AD SSO
- Authenticate with your Azure AD account
- When authentication is successful, the connection is verified
- A warning is shown, read this carefully!
- Click Continue
The AAD SSO Connection is set up! Your Knox admins should now be able to sign-in to Knox with their Azure AD account.
Unfortunately, automatic user provisioning isn’t supported. This means, you still need to create (sub) admins in the Knox portal and the invited sub-admins must click the Sign up button in the invitation email to complete their registration. And the admins need to be added to the users of the Enterprise Application.
Although Samsung Knox is shown under all apps of the user in Office, the user needs to provide his UPN. So actually we don’t get a real single sign-on experience. But we don’t have to remember an extra password, so it’s still a step forward.
I have no idea how you got this working (or where you found that Sign on URL?) The current documentation says it should be https://accounts.samsung.com but that doesn’t work. Your URL does seem to work but I cannot connect the instances because I get https://central.samsungknox.com/?errorCode=AZURE_AD_LOGIN_EXCEPTION which redirects to my account not having permission. Are you logging into the Azure side with the same account on the Samsung side? It’s very confusing as to the account setup on the Samsung side.
I figured it out finally. When you initiate the “Connect to AD SSO” step you need to be logging into Azure with the same account as you’re working in Samsung with (for example if your super admin is email@example.com then when you get the log into Azure prompt it needs to be firstname.lastname@example.org. My issue was I was trying to log in with a different user.