Walkthrough: Workplace Join with a Windows Device
This topic demonstrates how to use Workplace Join to connect your Windows device with your workplace and how to access a web application by using Single Sign-On. You must complete the steps in the Set up the lab environment for AD FS in Windows Server 2012 R2 section before you can try out this walkthrough.
In this walkthrough, you access a company web application before you join your device to the workplace. The webpage displays the claims that were included in your security token. Notice that the list of claims does not include any information about your device. You might also observe that you do not have Single Sign-On.
Log on to Client1 with your Microsoft account.
Open Internet Explorer and browse to your generic claims app, https://webserv1.contoso.com/claimapp.
Log on to the webpage by using a company domain account: roberth@contoso.com, password: P@ssword.
The webpage lists all the claims in your security token. Only user claims are present in your security token.
Close Internet Explorer.
Open Internet Explorer and navigate to the same claims app, https://webserv1.contoso.com/claimapp.
Notice that you are prompted to enter your credentials again. You are not connected to the workplace from a device with Workplace Join and therefore do not have Single Sign-On.
Important
For Workplace Join to succeed, the client computer (Client1) must trust the SSL certificate that was used to configure Active Directory Federation Services (AD FS) in Step 2: Configure the Federation Server with Device Registration Service (ADFS1). It must also be able to validate revocation information for the certificate. If you have any issues with Workplace Join, you can view the event log on Client1.
To see the event log, open Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, and then click Workplace Join.
Log on to Client1 with your Microsoft account.
On the Start screen, open the Charms bar, and then select the Settings charm. Select Change PC Settings.
On the PC Settings page, select Network, and then click Workplace.
In the Enter your UserID to get workplace access or turn on device management box, type roberth@contoso.com, and then click Join.
When you are prompted for credentials, type roberth@contoso.com, and password: P@ssword. Click OK.
You should now see the message: "This device has joined your workplace network."
In this part of the demonstration, you access a company web application from your device that is connected with Workplace Join. The webpage displays the claims that were included in your security token. Notice that the list of claims includes both device and user information. You might also observe that you now have Single Sign-On.
Log on to Client1 with your Microsoft account.
Open Internet Explorer and browse to your generic claims app, https://webserv1.contoso.com/claimapp.
Log on to the webpage by using a company domain account: roberth@contoso.com, password: P@ssword.
The webpage lists claims in your security token. Your token contains both user and device claims.
Close Internet Explorer.
Open Internet Explorer and navigate to the same claims app, https://webserv1.contoso.com/claimapp.
Notice that you are not prompted to enter your credentials again. You are connected from a device with Workplace Join and therefore have Single Sign-On.
Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications Set up the lab environment for AD FS in Windows Server 2012 R2 Walkthrough: Workplace Join with an iOS Device