iOS Mobile SSO: Using the UPN attribute with the built-in UEM Certificate Authority.

You may have run into a situation where the usernames in UEM do not match the usernames in Workspace ONE Access, or where a single username matches multiple users in Workspace ONE Access.

When configuring iOS Mobile SSO with the built-in certificate authority, a SCEP certificate is provisioned to the device and later presented to Workspace ONE Access. If you look at that certificate, you will see the {EnrollmentUser} value used as both the Common Name and the NT Principal Name of the certificate.

The iOS Mobile SSO adapter will attempt to match this value against an existing “username” in Workspace ONE Access. This fails if your usernames don’t match, or if you have multiple users with the same username in different domains.

The usual solution to this problem has been to switch to an enterprise certificate authority such as Active Directory Certificate Services and configure the template to use a different value, such as the UserPrincipalName.

I happened to come across an alternative solution that keeps the built-in certificate authority. Start by looking at the certificate template referenced by your iOS Mobile SSO profile.

If you change the profile’s certificate template to use the Certificate (Cloud Deployment) template:

Workspace ONE UEM will provision a SCEP certificate that carries the UPN attribute in the Subject Alternative Name (SAN), along with the Extended Key Usage values that Mobile SSO requires.

When the User Principal Name is present on the certificate, Workspace ONE Access matches the user on the UPN instead of the bare username, so duplicate usernames across domains are no longer ambiguous.
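As an added example (not from the post, and not Workspace ONE Access’s own implementation), the following Python script, which assumes the `cryptography` package, builds self-signed stand-ins for the UEM-issued certificate, pulls the Common Name, the SAN principal name (Microsoft OID 1.3.6.1.4.1.311.20.2.3) and the EKUs out of them, and runs a simplified model of the matching described above against a constructed directory with two users named jdoe. The Client Authentication and Smart Card Logon EKUs placed in the constructed certificate are my assumption about what the profile provisions; the post does not list them.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
# Microsoft OIDs: the principal-name otherName carried in the SAN and the Smart Card Logon EKU.
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
SMARTCARD_LOGON_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")
# Constructed Access directory: two users share the username "jdoe" in different domains.
DIRECTORY = [
    {"username": "jdoe", "upn": "jdoe@corp.example.com"},
    {"username": "jdoe", "upn": "jdoe@lab.example.com"},
]

def cert_identity(cert):
    """Return (common name, SAN principal name or None, set of EKU OIDs)."""
    cn = next((a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)), None)
    principal = None
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        for other in san.get_values_for_type(x509.OtherName):
            # The otherName value is a DER UTF8String; only short-form lengths (<128) handled here.
            if other.type_id == UPN_OID and other.value[:1] == b"\x0c" and other.value[1] < 0x80:
                principal = other.value[2:2 + other.value[1]].decode()
    except x509.ExtensionNotFound:
        pass
    try:
        ekus = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        ekus = set()
    return cn, principal, ekus

def resolve_user(cert, directory=DIRECTORY):
    """Simplified model of the matching the post describes (not Access's own code):
    a full UPN in the SAN is matched on UPN, a bare name is matched on username."""
    cn, principal, _ = cert_identity(cert)
    ident = (principal or cn or "").lower()
    field = "upn" if "@" in ident else "username"
    hits = [u for u in directory if u[field].lower() == ident]
    return hits[0]["upn"] if len(hits) == 1 else None  # no match or ambiguous -> SSO fails

def make_test_cert(common_name, principal_name):
    """Constructed self-signed stand-in for the UEM-issued SCEP certificate (assumed EKUs)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    der_utf8 = b"\x0c" + bytes([len(principal_name.encode())]) + principal_name.encode()
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8)]), critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, SMARTCARD_LOGON_OID]), critical=False)
            .sign(key, hashes.SHA256()))
```

Running `resolve_user` on a certificate whose principal name is the bare enrollment user returns `None` for the duplicated username, while a certificate carrying the full UPN resolves to exactly one directory entry.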
