To troubleshoot provisioning and authentication errors for a directory provisioned from your identity provider to VMware Identity Services, review logs and audit events in the identity provider, VMware Identity Services, and Workspace ONE services such as Workspace ONE Access and Workspace ONE UEM.
Review Identity Provider Provisioning Logs
For provisioning errors, first review the provisioning logs in the identity provider to see if there were errors in provisioning users or groups to VMware Identity Services, and resolve the errors.
For example, in the Azure Active Directory admin console, you can find the provisioning logs on the provisioning app's Provisioning page.

Review VMware Identity Services Provisioning Logs
Review audit events logged in VMware Identity Services to see if there were errors in provisioning users from VMware Identity Services to Workspace ONE services such as Workspace ONE Access and Workspace ONE UEM.
- In the Workspace ONE console, select .
- Click View on the provisioned directory card.
- View the event logs for a specific user or group, or for the directory.
  - To view the event logs for a user, select the Users tab, find the user, click the expand icon next to the user name, and select the Events tab.
  - To view the event logs for a group, select the Groups tab, find the group, click the expand icon next to the group name, and select the Events tab.
  - To view the event logs for the directory, click the Events tab on the directory page, select an event, and click the View Details link.

Provisioning errors appear in the Users and Groups tabs.
Review Workspace ONE UEM Logs
Use the following troubleshooting resources for Workspace ONE UEM:
- Provisioning logs and initial configuration logs in the following folder:
  C:\AirWatch\Logs\AW_Core_Api
- For configuration errors:
  - Use the following GET API for the configuration:
    Workspace_ONE_UEM_URL/api/system/provisioning/config/locationgroupuuid
  - Check the errors in the core API logs.
- For provisioning issues, check the core API logs and look for errors or exceptions from the SCIM APIs.
Review Workspace ONE Access Audit Events
Review audit events in Workspace ONE Access for authentication failures.
- In the Workspace ONE Access console, select .
- Select Audit Events from the drop-down menu.
- Specify a user, select the type of event, specify a time frame, and click Show.
For authentication failures, see the LOGIN and LOGIN_ERROR events.
Common Issues
- Users cannot authenticate when Azure AD is configured as the third-party identity provider using OpenID Connect
  Verify that you copied the correct values from the OpenID Connect app in Azure AD to step 5, Configure OpenID Connect, in the VMware Identity Services wizard. Specifically, check the Client Secret and the Application (client) ID values. See Step 5: Configure Authentication.
- Deleting a user in Azure AD does not delete the user from VMware Identity Services
  When you delete a user in Azure AD, the account is suspended for a specific period of time before being deleted. The user is deactivated in VMware Identity Services for that period of time. The username of the deleted user is also modified in Azure AD, and the changes are reflected in VMware Identity Services. See How Azure AD Users Are Deleted for more information.
- Deleting user and group attribute values in Azure AD does not delete the values in VMware Identity Services
  In Azure AD, when you delete a user or group attribute value that was already synced to VMware Identity Services, the value is not deleted in VMware Identity Services and Workspace ONE services. Azure AD does not propagate null values.
  As a workaround, instead of clearing the value completely, enter a space character.
- When VMware Identity Services is integrated with Okta, you cannot specify group attribute mappings in Okta to synchronize to VMware Identity Services. You can only map user attributes.
- When you integrate a third-party identity provider with VMware Identity Services using the OpenID Connect protocol, the login_hint feature does not work. If the relying party sends a login_hint, VMware Identity Services does not pass it to the identity provider.
- If you make any changes in VMware Identity Services to groups provisioned from Azure AD, for example, if you delete a user or group, and you want to restore the data, you might need to restart provisioning in the Azure AD admin center. See Known issues for provisioning in Azure Active Directory in the Microsoft documentation for more information.
- Deleting an attribute mapping in Azure AD or Okta does not remove the attribute from users in VMware Identity Services
  When you delete an attribute mapping from the provisioning app in Azure AD or Okta, the changes are not propagated to VMware Identity Services. The attribute is not deleted for users in VMware Identity Services and Workspace ONE services.
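
Several of the issues above leave data in VMware Identity Services that no longer matches the identity provider: cleared attribute values that persist, removed mappings whose attributes remain, and deleted users that should be deactivated. The following reconciliation check is an added example, not VMware or Microsoft code; the record layout (`externalId`, `active`, `attributes`) and the two exports are assumptions constructed for illustration, and matching uses a stable ID because the username of a deleted user is modified.

```python
# Added example: reconcile an identity provider export against a
# VMware Identity Services export. The record layout is an assumption,
# not a product schema; the sample data below is constructed.

def is_blank(value):
    """None, empty, or whitespace-only (the single-space workaround) is blank."""
    return value is None or str(value).strip() == ""


def reconcile(idp_users, vis_users):
    """Return sorted (externalId, finding, attribute) tuples describing drift."""
    idp = {u["externalId"]: u for u in idp_users}
    findings = []
    for user in vis_users:
        uid = user["externalId"]
        source = idp.get(uid)
        if source is None:
            # Deleted upstream: the downstream account should be deactivated.
            if user.get("active", False):
                findings.append((uid, "active_but_deleted_in_idp", ""))
            continue
        src_attrs = source.get("attributes", {})
        for name, value in user.get("attributes", {}).items():
            if is_blank(value):
                continue  # nothing meaningful is held downstream
            if name not in src_attrs:
                # The mapping was removed in the IdP; the attribute stayed.
                findings.append((uid, "attribute_not_in_idp", name))
            elif is_blank(src_attrs[name]):
                # The value was cleared in the IdP; nulls are not propagated.
                findings.append((uid, "stale_value_cleared_in_idp", name))
    return sorted(findings)


# Constructed sample exports.
IDP_EXPORT = [
    {"externalId": "a1", "active": True, "attributes": {"department": "", "title": "Engineer"}},
    {"externalId": "b2", "active": True, "attributes": {"department": " ", "title": "Analyst"}},
]
VIS_EXPORT = [
    {"externalId": "a1", "active": True,
     "attributes": {"department": "Finance", "title": "Engineer", "costCenter": "4410"}},
    {"externalId": "b2", "active": True, "attributes": {"department": " ", "title": "Analyst"}},
    {"externalId": "c3", "active": True, "attributes": {}},
    {"externalId": "d4", "active": False, "attributes": {}},
]

if __name__ == "__main__":
    for finding in reconcile(IDP_EXPORT, VIS_EXPORT):
        print(finding)
```

Stale values matter most when a synced attribute such as department or group membership feeds an access policy in Workspace ONE services, so review those findings first.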